Details
-
Bug
-
Resolution: Fixed
-
High
-
2.5.7
-
None
-
Apache Http, 2.5.7 standalone, windows server 2003, Watchfire AppScan 7.6
Description
The test successfully embedded a script in the response, which will be executed once the page
is loaded in the user's browser. This means that the application is vulnerable to the Cross-Site
Scripting attack.
[1 of 3] Cross-Site Scripting in Parameter Name
Severity: High
Test Type: Application
Vulnerable URL: http://xxx.yyy.com:8080/dashboard.action
Remediation Tasks: Filter out hazardous characters from user input
Variant 1 of 2 [ID=2465]
The following changes were applied to the original request:
• Added parameter '>'"><script>alert('Watchfire%20XSS%20Test%20Successful')</script>'
Request/Response:
GET /dashboard.action?>'"><script>alert('Watchfire%20XSS%20Test%20Successful')
</script> HTTP/1.1
Cookie: seraph.confluence=Zh\hNiQi[hZiOf]fOm\fOfUgSfZfWkYkWk;
confluence.list.pages.cookie=list-recently-updated;
confluence.browse.space.cookie=space-pages;
JSESSIONID=4DAEC007BFA3515EC02547862F6B66E4
Accept: /
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
1.1.4322; .NET CLR 1.0.3705; InfoPath.1; .NET CLR 2.0.50727)
Host: xxx.yyyy.com:8080
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Length: 46506
Server: Apache-Coyote/1.1
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Date: Wed, 22 Aug 2007 13:48:24 GMT
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Dashboard - MRLwiki TEST</title>
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Expires" CONTENT="-1">
<script language="javascript">
var contextPath = '';
var i18n = [];
</script>
<link rel="stylesheet" href="/s/809/1/1/_/styles/mainaction.
css" type="text/css" />
<link rel="shortcut icon" href="/images/icons/favicon.ico">
<link rel="icon" type="image/png" href="/images/icons/favicon.png">
<script type="text/javascript"
src="/s/809/1/_/decorators/effects.js"></script>
9/18/2007 1:55:06 PM 23/7570
<link rel="alternate" type="application/rss+xml"
title="Dashboard RSS Feed"
href="/spaces/createrssfeed.action?
types=page&types=blogpost&types=comment&spaces=&sort=modified&title=Dashboard+RSS+Fe
ed&maxResults=15&publicFeed=false&os_authType=basic&rssType=rss2" />
<link rel="alternate" type="application/atom+xml"
title="Dashboard RSS Feed"
href="/spaces/createrssfeed.action?
types=page&types=blogpost&types=comment&spaces=&sort=modified&title=Dashboard+RSS+Fe
ed&maxResults=15&publicFeed=false&os_authType=basic&rssType=atom" />
<script type="text/javascript" src="/scripts/write.js"></script>
</head>
<body onload="placeFocus()">
<script type="text/javascript">
function hideMessage(messageId)
</script>
<div id="PageContent">
<table border="0" cellpadding="0" cellspacing="0" width="100%">
<tr class="topBar">
<td align="left" width="85%">
<a href="/homepage.action"><img src="/download/userResources/logo"
align="absmiddle" border="0"></a>
<span class="topBarDiv">
Dashboard
</span>
</td>
<td align="right" valign="middle" style="white-space:nowrap">
<form method="POST" action="/dosearchsite.action"
name="searchForm" style="padding: 1px; margin: 1px">
<input type="hidden" name="quickSearch" value="true" />
<input type="hidden" name="searchQuery.spaceKey" value="conf_global" />
<input type="text" accessKey="s" name="searchQuery.queryString" size="25"/>
<input type="submit" value="Search"/>
</form>
</td>
</tr>
<tr>
<td style="padding: 5px" colspan="2">
<table style="padding: 0px; margin: 0px 5px; width: 100%;"
cellspacing="0" cellpadding="1" border="0">
<tr>
9/18/2007 1:55:06 PM 24/7570
<td valign="bottom" align="left" width="1%"
nowrap>
<span class="logoSpaceLink">
</span>
</td>
<td align="right" valign="top" width="98%">
<span class="smalltext" id="userNavBar">
Welcome <a href="/display/~VULNSCAN"></a> |
<a href="/users/viewuserprofile.action?
username=VULNSCAN">Preferences</a> |
<a href="/logout.action" id="logout">Log Out</a>
</span>
...
Validation In Response:
• Spaces:
<li><a href="#" onClick="gotoUrl('/dashboard.action?>'">
<script>alert('Watchfire XSS Test Successful')</script>=&spacesSelectedTab=my');
return false;">My</a></li>
<li><a href="#
Reasoning:
The test successfully embedded a script in the response, which will be executed once the page
is loaded in the user's browser. This means that the application is vulnerable to the Cross-Site
Scripting attack.
Attachments
Issue Links
- is blocked by
-
-
- Closed
-
- relates to
-
-
- Closed
-
