Dashboard - MRLwiki TEST

The test successfully embedded a script in the response, which will be executed once the page is loaded in the user's browser. This means that the application is vulnerable to the Cross-Site Scripting attack. [1 of 3] Cross-Site Scripting in Parameter Name Severity: High Test Type: Application Vulnerable URL: http://xxx.yyy.com:8080/dashboard.action *Remediation Tasks: Filter out hazardous characters from user input* Variant 1 of 2 [ID=2465] The following changes were applied to the original request: • Added parameter '>'">' Request/Response: GET /dashboard.action?>'"> HTTP/1.1 Cookie: seraph.confluence=Zh\hNiQi[hZiOf]fOm\fOfUgSfZfWkYkWk; confluence.list.pages.cookie=list-recently-updated; confluence.browse.space.cookie=space-pages; JSESSIONID=4DAEC007BFA3515EC02547862F6B66E4 Accept: */* Accept-Language: en-us User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 1.0.3705; InfoPath.1; .NET CLR 2.0.50727) Host: xxx.yyyy.com:8080 Connection: Keep-Alive HTTP/1.1 200 OK Content-Length: 46506 Server: Apache-Coyote/1.1 Cache-Control: no-cache, no-store, must-revalidate Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Content-Type: text/html;charset=UTF-8 Date: Wed, 22 Aug 2007 13:48:24 GMT Dashboard - MRLwiki TEST 9/18/2007 1:55:06 PM 23/7570

9/18/2007 1:55:06 PM 24/7570

Welcome | Preferences | Log Out ... Validation In Response: • Spaces:

=&spacesSelectedTab=my'); return false;">My

Cross-site scripting vulnerability in /dashboard.action